@better-auth/oauth-provider 1.7.0-beta.0 → 1.7.0-beta.2

package/dist/{oauth-C8aTlaAC.d.mts → oauth-CU79t-eG.d.mts}

@@ -315,6 +315,46 @@ type InternallySupportedScopes = "openid" | "profile" | "email" | "offline_acces
 type Scope = LiteralString | InternallySupportedScopes;
 type Prompt = "none" | "consent" | "login" | "create" | "select_account";
 type AuthorizePrompt = Prompt | "login consent" | "select_account consent";
+/**
+ * Describes how to resolve a `client_id` from an external source (a URL-based
+ * metadata document, a federated registry, an attestation header, etc.) and
+ * what fields that source contributes to discovery metadata.
+ *
+ * Plugins install one of these onto {@link OAuthOptions.clientDiscovery}.
+ * The host walks the configured entries in order and returns the first
+ * non-null `resolve()` result.
+ */
+interface ClientDiscovery<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
+  /**
+   * Stable identifier used in error messages and diagnostics. Convention
+   * is to match the plugin id (for example `"cimd"`).
+   */
+  readonly id: string;
+  /**
+   * Return `true` if this discovery handles the given `client_id`. Called
+   * on every `getClient()` lookup for every configured discovery, so keep
+   * it cheap and synchronous.
+   */
+  matches: (clientId: string) => boolean;
+  /**
+   * Resolve a client when this discovery matches. Receives the existing DB
+   * record (or `null`) so an implementation can decide between creating,
+   * refreshing, or passing through to the database result.
+   *
+   * Return:
+   * - a client record: `getClient()` returns it (creation / refresh / takeover).
+   * - `null`: `getClient()` falls through to the next matching discovery
+   *   or to the database record (if any).
+   */
+  resolve: (ctx: GenericEndpointContext, clientId: string, existing: SchemaClient<Scopes> | null) => Awaitable<SchemaClient<Scopes> | null>;
+  /**
+   * Fields merged into `/.well-known/oauth-authorization-server` and
+   * `/.well-known/openid-configuration` responses. Useful for advertising
+   * RFC-registered discovery flags like
+   * `client_id_metadata_document_supported`.
+   */
+  discoveryMetadata?: Record<string, unknown>;
+}
 interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
   /**
    * Custom schema definitions
@@ -412,10 +452,13 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
   /**
    * Allow unauthenticated dynamic client registration.
    *
-   * Support for `allowUnauthenticatedClientRegistration` **will be deprecated**
-   * when the MCP protocol standardizes unauthenticated dynamic client registration.
-   * As of writing, both [Client ID Metadata Documents](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/991)
-   * and [`software_statement` and `jwks_uri`](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1032) are under debate.
+   * When enabled, the `/oauth2/register` endpoint accepts requests
+   * without a session, but only for public clients
+   * (`token_endpoint_auth_method: "none"`).
+   *
+   * For verified client discovery (MCP), consider installing the
+   * `@better-auth/cimd` plugin, which verifies client identity through
+   * domain ownership via Client ID Metadata Documents.
    *
    * @default false
    */
@@ -426,6 +469,21 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * @default false
    */
   allowDynamicClientRegistration?: boolean;
+  /**
+   * Discovery implementations consulted by `getClient()` when resolving
+   * a `client_id`. Each entry decides whether it handles the `client_id`
+   * via {@link ClientDiscovery.matches}, then creates, refreshes, or
+   * passes on a client record. Entries run in order; the first one to
+   * return a client wins.
+   *
+   * Each entry also contributes {@link ClientDiscovery.discoveryMetadata}
+   * into the `/.well-known/oauth-authorization-server` and
+   * `/.well-known/openid-configuration` responses.
+   *
+   * Plugins such as `@better-auth/cimd` install an entry here at init
+   * time; users can also pass discovery implementations directly.
+   */
+  clientDiscovery?: ClientDiscovery<Scopes> | ClientDiscovery<Scopes>[];
   /**
    * List of scopes for newly registered clients
    * if not requested.
@@ -768,6 +826,34 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
     resource?: string; /** oAuthClient metadata */
     metadata?: Record<string, any>;
   }) => Awaitable<Record<string, any>>;
+  /**
+   * Custom fields to include in the token response body.
+   *
+   * Unlike `customAccessTokenClaims` (which adds claims inside the JWT payload),
+   * this adds fields to the JSON response envelope alongside `access_token`,
+   * `token_type`, etc. Standard OAuth fields (`access_token`, `token_type`,
+   * `expires_in`, `expires_at`, `refresh_token`, `scope`, `id_token`) cannot
+   * be overridden.
+   *
+   * @param info - context that may be useful when creating custom fields
+   */
+  customTokenResponseFields?: (info: {
+    /** The grant type being processed */grantType: GrantType;
+    /**
+     * The user, if applicable.
+     * Undefined for `client_credentials` (M2M, no user).
+     * Always present for `authorization_code` and `refresh_token`.
+     */
+    user?: (User & Record<string, unknown>) | null; /** Scopes granted for this token */
+    scopes: Scopes; /** oAuthClient metadata */
+    metadata?: Record<string, any>;
+    /**
+     * The authorization code verification value.
+     * Only present for `authorization_code` grant. Contains the original
+     * authorization request parameters (`query`), `referenceId`, `sessionId`, etc.
+     */
+    verificationValue?: VerificationValue;
+  }) => Awaitable<Record<string, unknown>>;
   /**
    * Overwrite specific /.well-known/openid-configuration
    * values so they are not available publically.
@@ -1476,6 +1562,17 @@ interface AuthServerMetadata {
    * @default true
    */
   authorization_response_iss_parameter_supported?: boolean;
+  /**
+   * Whether the authorization server supports discovering clients via
+   * [Client ID Metadata Documents](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
+   * (an HTTPS URL as `client_id`).
+   *
+   * Set at runtime by the `@better-auth/cimd` plugin (or any other
+   * `ClientDiscovery` that contributes this field via
+   * {@link ClientDiscovery.discoveryMetadata}). oauth-provider never sets
+   * it on its own.
+   */
+  client_id_metadata_document_supported?: boolean;
 }
 /**
  * Metadata returned by the openid-configuration endpoint:
@@ -1642,4 +1739,4 @@ interface ResourceServerMetadata {
   dpop_bound_access_tokens_required?: boolean;
 }
 //#endregion
-export { Awaitable as _, ResourceServerMetadata as a, OAuthConsent as c, OAuthRefreshToken as d, Prompt as f, VerificationValue as g, StoreTokenType as h, OIDCMetadata as i, OAuthOpaqueAccessToken as l, Scope as m, GrantType as n, AuthorizePrompt as o, SchemaClient as p, OAuthClient as r, OAuthAuthorizationQuery as s, AuthServerMetadata as t, OAuthOptions as u };
+export { Scope as _, OIDCMetadata as a, Awaitable as b, AuthorizePrompt as c, OAuthConsent as d, OAuthOpaqueAccessToken as f, SchemaClient as g, Prompt as h, OAuthClient as i, ClientDiscovery as l, OAuthRefreshToken as m, AuthServerMetadata as n, ResourceServerMetadata as o, OAuthOptions as p, GrantType as r, TokenEndpointAuthMethod as s, AuthMethod as t, OAuthAuthorizationQuery as u, StoreTokenType as v, VerificationValue as y };

package/dist/{oauth-Dh4YXCXY.d.mts → oauth-DJcZ8MMZ.d.mts}

@@ -1,10 +1,40 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-C8aTlaAC.mjs";
+import { _ as Scope, d as OAuthConsent, h as Prompt, i as OAuthClient, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod } from "./oauth-CU79t-eG.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
 import * as jose from "jose";
 import * as better_auth0 from "better-auth";
 
+//#region src/oauth-endpoint.d.ts
+/**
+ * Canonical OAuth 2.0 / OpenID Connect error codes. The union is the single
+ * vocabulary for every error-emitting surface in this plugin: token, authorize,
+ * revoke, introspect, register, userinfo, logout, consent, and the redirect
+ * error channel. Entries are grouped by source RFC so the declaration doubles
+ * as a specification map.
+ *
+ * The trailing `(string & {})` keeps the type open for product-specific codes
+ * (e.g. `"invalid_verification"`, `"invalid_user"`) while preserving editor
+ * autocomplete for the listed standard codes. Prefer a standard code whenever
+ * one applies; fall back to a custom string only for states no RFC covers.
+ */
+type OAuthErrorCode = "invalid_request" | "invalid_client" | "invalid_grant" | "unauthorized_client" | "unsupported_grant_type" | "unsupported_response_type" | "invalid_scope" | "access_denied" | "server_error" | "temporarily_unavailable" | "invalid_token" | "unsupported_token_type" | "invalid_redirect_uri" | "invalid_client_metadata" | "invalid_software_statement" | "unapproved_software_statement" | "invalid_target" | "invalid_request_object" | "login_required" | "consent_required" | "interaction_required" | "account_selection_required" | "invalid_request_uri" | "request_not_supported" | "request_uri_not_supported" | "registration_not_supported" | (string & {});
+type OAuthFieldErrorCodeMap = {
+  missing?: OAuthErrorCode;
+  invalid?: OAuthErrorCode;
+};
+type OAuthFieldErrorCode = OAuthErrorCode | OAuthFieldErrorCodeMap;
+interface OAuthEndpointErrorResult {
+  error: OAuthErrorCode;
+  error_description: string;
+}
+interface OAuthEndpointRedirectContext<Ctx = unknown> {
+  error: OAuthErrorCode;
+  error_description: string;
+  ctx: Ctx;
+}
+type OAuthRedirectOnError<Ctx = any> = (result: OAuthEndpointRedirectContext<Ctx>) => unknown;
+//#endregion
 //#region src/oauth.d.ts
 declare module "@better-auth/core" {
   interface BetterAuthPluginRegistry<AuthOptions, Options> {
@@ -54,7 +84,64 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       metadata: {
         SERVER_ONLY: true;
       };
-    }, AuthServerMetadata>;
+    }, {
+      jwks_uri?: string | undefined;
+      userinfo_endpoint: string;
+      acr_values_supported: string[];
+      subject_types_supported: ("public" | "pairwise")[];
+      claims_supported: string[];
+      end_session_endpoint: string;
+      prompt_values_supported: Prompt[];
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      registration_endpoint: string;
+      scopes_supported?: string[] | undefined;
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      service_documentation?: string | undefined;
+      ui_locales_supported?: string[] | undefined;
+      op_policy_uri?: string | undefined;
+      op_tos_uri?: string | undefined;
+      revocation_endpoint?: string | undefined;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      introspection_endpoint?: string | undefined;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean | undefined;
+      client_id_metadata_document_supported?: boolean | undefined;
+      id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
+    } | {
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      jwks_uri?: string;
+      registration_endpoint: string;
+      scopes_supported?: string[];
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      service_documentation?: string;
+      ui_locales_supported?: string[];
+      op_policy_uri?: string;
+      op_tos_uri?: string;
+      revocation_endpoint?: string;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[];
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      introspection_endpoint?: string;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[];
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean;
+      client_id_metadata_document_supported?: boolean;
+    }>;
     /**
      * A server-only endpoint that helps provide the
      * OpenId configuration at the well-known endpoint.
@@ -67,26 +154,56 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       metadata: {
         SERVER_ONLY: true;
       };
-    }, Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
+    }, {
+      jwks_uri?: string | undefined;
+      userinfo_endpoint: string;
+      acr_values_supported: string[];
+      subject_types_supported: ("public" | "pairwise")[];
+      claims_supported: string[];
+      end_session_endpoint: string;
+      prompt_values_supported: Prompt[];
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      registration_endpoint: string;
+      scopes_supported?: string[] | undefined;
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      service_documentation?: string | undefined;
+      ui_locales_supported?: string[] | undefined;
+      op_policy_uri?: string | undefined;
+      op_tos_uri?: string | undefined;
+      revocation_endpoint?: string | undefined;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      introspection_endpoint?: string | undefined;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean | undefined;
+      client_id_metadata_document_supported?: boolean | undefined;
       id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
     }>;
     oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
       method: "GET";
       query: z.ZodObject<{
-        response_type: z.ZodOptional<z.ZodEnum<{
+        response_type: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
           code: "code";
-        }>>;
+        }>>>;
         client_id: z.ZodString;
         redirect_uri: z.ZodOptional<z.ZodURL>;
         scope: z.ZodOptional<z.ZodString>;
         state: z.ZodOptional<z.ZodString>;
         request_uri: z.ZodOptional<z.ZodString>;
         code_challenge: z.ZodOptional<z.ZodString>;
-        code_challenge_method: z.ZodOptional<z.ZodEnum<{
+        code_challenge_method: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
           S256: "S256";
-        }>>;
+        }>>>;
         nonce: z.ZodOptional<z.ZodString>;
-        prompt: z.ZodOptional<z.ZodEnum<{
+        prompt: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
           none: "none";
           consent: "consent";
           login: "login";
@@ -94,8 +211,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           select_account: "select_account";
           "login consent": "login consent";
           "select_account consent": "select_account consent";
-        }>>;
+        }>>>;
       }, z.core.$strip>;
+      redirectOnError: OAuthRedirectOnError<better_auth0.GenericEndpointContext>;
+      errorCodesByField: {
+        response_type: {
+          invalid: "unsupported_response_type";
+        };
+      };
       metadata: {
         openapi: {
           description: string;
@@ -291,11 +414,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
     oauth2Token: better_call0.StrictEndpoint<"/oauth2/token", {
       method: "POST";
       body: z.ZodObject<{
-        grant_type: z.ZodEnum<{
+        grant_type: z.ZodPipe<z.ZodString, z.ZodEnum<{
           authorization_code: "authorization_code";
           client_credentials: "client_credentials";
           refresh_token: "refresh_token";
-        }>;
+        }>>;
         client_id: z.ZodOptional<z.ZodString>;
         client_secret: z.ZodOptional<z.ZodString>;
         client_assertion: z.ZodOptional<z.ZodString>;
@@ -307,6 +430,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         resource: z.ZodOptional<z.ZodString>;
         scope: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
+      errorCodesByField: {
+        grant_type: {
+          missing: "invalid_request";
+          invalid: "unsupported_grant_type";
+        };
+      };
       metadata: {
         allowedMediaTypes: string[];
         openapi: {
@@ -430,8 +559,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       access_token: string;
       expires_in: number;
       expires_at: number;
-      token_type: string;
+      token_type: "Bearer";
+      refresh_token: string | undefined;
       scope: string;
+      id_token: string | undefined;
     }>;
     oauth2Introspect: better_call0.StrictEndpoint<"/oauth2/introspect", {
       method: "POST";
@@ -441,10 +572,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         client_assertion: z.ZodOptional<z.ZodString>;
         client_assertion_type: z.ZodOptional<z.ZodString>;
         token: z.ZodString;
-        token_type_hint: z.ZodOptional<z.ZodEnum<{
-          refresh_token: "refresh_token";
-          access_token: "access_token";
-        }>>;
+        token_type_hint: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       metadata: {
         allowedMediaTypes: string[];
@@ -471,7 +599,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
                     };
                     token_type_hint: {
                       type: string;
-                      enum: string[];
                       description: string;
                     };
                     resource: {
@@ -580,10 +707,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         client_assertion: z.ZodOptional<z.ZodString>;
         client_assertion_type: z.ZodOptional<z.ZodString>;
         token: z.ZodString;
-        token_type_hint: z.ZodOptional<z.ZodEnum<{
-          refresh_token: "refresh_token";
-          access_token: "access_token";
-        }>>;
+        token_type_hint: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       metadata: {
         allowedMediaTypes: string[];
@@ -610,7 +734,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
                     };
                     token_type_hint: {
                       type: string;
-                      enum: string[];
                       description: string;
                     };
                   };
@@ -862,6 +985,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         }>>;
         skip_consent: z.ZodOptional<z.ZodNever>;
       }, z.core.$strip>;
+      errorCodesByField: {
+        redirect_uris: "invalid_redirect_uri";
+        post_logout_redirect_uris: "invalid_redirect_uri";
+        software_statement: "invalid_software_statement";
+      };
+      defaultError: "invalid_client_metadata";
       metadata: {
         openapi: {
           description: string;
@@ -2107,4 +2236,4 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
   })[];
 };
 //#endregion
-export { oauthProvider as n, getOAuthProviderState as t };
+export { OAuthErrorCode as a, OAuthRedirectOnError as c, OAuthEndpointRedirectContext as i, oauthProvider as n, OAuthFieldErrorCode as o, OAuthEndpointErrorResult as r, OAuthFieldErrorCodeMap as s, getOAuthProviderState as t };

package/dist/{utils-CIbcUsZ5.mjs → utils-Cx_XnD9i.mjs}

@@ -89,17 +89,49 @@ async function verifyOAuthQueryParams(oauth_query, secret) {
 async function getClient(ctx, options, clientId) {
 	const trustedClient = cachedTrustedClients.get(clientId);
 	if (trustedClient) return Object.assign({}, trustedClient);
-	const dbClient = await ctx.context.adapter.findOne({
+	let dbClient = await ctx.context.adapter.findOne({
 		model: options.schema?.oauthClient?.modelName ?? "oauthClient",
 		where: [{
 			field: "clientId",
 			value: clientId
 		}]
 	});
+	const discoveries = toClientDiscoveryArray(options.clientDiscovery);
+	for (const discovery of discoveries) {
+		if (!discovery.matches(clientId)) continue;
+		const resolved = await discovery.resolve(ctx, clientId, dbClient);
+		if (resolved) {
+			dbClient = resolved;
+			break;
+		}
+	}
 	if (dbClient && options.cachedTrustedClients?.has(clientId)) cachedTrustedClients.set(clientId, Object.assign({}, dbClient));
 	return dbClient;
 }
 /**
+* Normalize the `clientDiscovery` option into an array. Accepts a single
+* {@link ClientDiscovery}, an array of them, or `undefined`.
+*
+* @internal
+*/
+function toClientDiscoveryArray(discovery) {
+	if (!discovery) return [];
+	return Array.isArray(discovery) ? discovery : [discovery];
+}
+/**
+* Merge `discoveryMetadata` from every configured {@link ClientDiscovery}
+* into a single object. Entries are spread in order; later entries override
+* earlier ones on key collisions.
+*
+* @internal
+*/
+function mergeDiscoveryMetadata(discovery) {
+	return toClientDiscoveryArray(discovery).reduce((acc, d) => ({
+		...acc,
+		...d.discoveryMetadata ?? {}
+	}), {});
+}
+/**
 * Default client secret hasher using SHA-256
 *
 * @internal
@@ -292,7 +324,7 @@ async function extractClientCredentials(ctx, opts, expectedAudience) {
 			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
 			error: "invalid_client"
 		});
-		const { verifyClientAssertion: verify } = await import("./client-assertion-DZqo-L5j.mjs").then((n) => n.t);
+		const { verifyClientAssertion: verify } = await import("./client-assertion-CderPEmR.mjs").then((n) => n.t);
 		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
 		return {
 			method: "private_key_jwt",
@@ -414,4 +446,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { storeToken as _, getClient as a, getStoredToken as c, parseClientMetadata as d, parsePrompt as f, storeClientSecret as g, searchParamsToQuery as h, extractClientCredentials as i, isPKCERequired as l, resolveSubjectIdentifier as m, deleteFromPrompt as n, getJwtPlugin as o, resolveSessionAuthTime as p, destructureCredentials as r, getOAuthProviderPlugin as s, decryptStoredClientSecret as t, normalizeTimestampValue as u, validateClientCredentials as v, verifyOAuthQueryParams as y };
+export { storeClientSecret as _, getClient as a, validateClientCredentials as b, getStoredToken as c, normalizeTimestampValue as d, parseClientMetadata as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, extractClientCredentials as i, isPKCERequired as l, resolveSessionAuthTime as m, deleteFromPrompt as n, getJwtPlugin as o, parsePrompt as p, destructureCredentials as r, getOAuthProviderPlugin as s, decryptStoredClientSecret as t, mergeDiscoveryMetadata as u, storeToken as v, verifyOAuthQueryParams as x, toClientDiscoveryArray as y };

package/dist/{version-BGWhjYBb.mjs → version-CZxZ64qJ.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.0";
+const PACKAGE_VERSION = "1.7.0-beta.2";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.7.0-beta.0",
+  "version": "1.7.0-beta.2",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.0",
-    "better-auth": "1.7.0-beta.0"
+    "@better-auth/core": "1.7.0-beta.2",
+    "better-auth": "1.7.0-beta.2"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.7.0-beta.0",
-    "better-auth": "^1.7.0-beta.0"
+    "@better-auth/core": "^1.7.0-beta.2",
+    "better-auth": "^1.7.0-beta.2"
   },
   "scripts": {
     "build": "tsdown",