better-auth 1.6.2 → 1.6.4

package/dist/api/index.d.mts

@@ -249,7 +249,6 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
                 "application/json": {
                   schema: {
                     type: "object";
-                    nullable: boolean;
                     properties: {
                       session: {
                         $ref: string;
@@ -2239,7 +2238,6 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
                 "application/json": {
                   schema: {
                     type: "object";
-                    nullable: boolean;
                     properties: {
                       session: {
                         $ref: string;

package/dist/api/routes/account.mjs

@@ -1,6 +1,6 @@
 import { parseAccountOutput } from "../../db/schema.mjs";
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { generateState } from "../../oauth2/state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";

package/dist/api/routes/callback.mjs

@@ -1,5 +1,5 @@
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";

package/dist/api/routes/email-verification.mjs

@@ -1,6 +1,6 @@
 import { originCheck } from "../middlewares/origin-check.mjs";
-import { parseUserOutput } from "../../db/schema.mjs";
 import { signJWT } from "../../crypto/jwt.mjs";
+import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getSessionFromCtx } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";

package/dist/api/routes/password.mjs

@@ -82,7 +82,7 @@ const requestPasswordReset = createAuthEndpoint("/request-password-reset", {
 });
 const requestPasswordResetCallback = createAuthEndpoint("/reset-password/:token", {
 	method: "GET",
-	operationId: "forgetPasswordCallback",
+	operationId: "resetPasswordCallback",
 	query: z.object({ callbackURL: z.string().meta({ description: "The URL to redirect the user to reset their password" }) }),
 	use: [originCheck((ctx) => ctx.query.callbackURL)],
 	metadata: { openapi: {

package/dist/api/routes/session.d.mts

@@ -25,7 +25,6 @@ declare const getSession: <Option extends BetterAuthOptions>() => better_call0.S
             "application/json": {
               schema: {
                 type: "object";
-                nullable: boolean;
                 properties: {
                   session: {
                     $ref: string;

package/dist/api/routes/session.mjs

@@ -1,7 +1,7 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
-import { getDate } from "../../utils/date.mjs";
-import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
 import { symmetricDecodeJWT, verifyJWT } from "../../crypto/jwt.mjs";
+import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
+import { getDate } from "../../utils/date.mjs";
 import { getChunkedCookie, getSessionQuerySchema } from "../../cookies/session-store.mjs";
 import { deleteSessionCookie, expireCookie, setCookieCache, setSessionCookie } from "../../cookies/index.mjs";
 import { getShouldSkipSessionRefresh } from "../state/should-session-refresh.mjs";
@@ -24,8 +24,7 @@ const getSession = () => createAuthEndpoint("/get-session", {
 		responses: { "200": {
 			description: "Success",
 			content: { "application/json": { schema: {
-				type: "object",
-				nullable: true,
+				type: ["object", "null"],
 				properties: {
 					session: { $ref: "#/components/schemas/Session" },
 					user: { $ref: "#/components/schemas/User" }

package/dist/api/routes/sign-in.mjs

@@ -1,7 +1,7 @@
 import { formCsrfMiddleware } from "../middlewares/origin-check.mjs";
 import { parseUserOutput } from "../../db/schema.mjs";
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { generateState } from "../../oauth2/state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";

package/dist/api/to-auth-endpoints.mjs

@@ -1,7 +1,9 @@
 import { isAPIError } from "../utils/is-api-error.mjs";
+import { isDynamicBaseURLConfig, isRequestLike } from "../utils/url.mjs";
+import { pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
 import { hasRequestState, runWithEndpointContext, runWithRequestState } from "@better-auth/core/context";
 import { shouldPublishLog } from "@better-auth/core/env";
-import { APIError } from "@better-auth/core/error";
+import { APIError, BetterAuthError } from "@better-auth/core/error";
 import { createDefu } from "defu";
 import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
 import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
@@ -18,6 +20,27 @@ function getOperationId(endpoint, key) {
 	const opts = endpoint.options;
 	return opts.operationId ?? opts.metadata?.openapi?.operationId ?? key;
 }
+/**
+* Resolves the per-call `AuthContext` for endpoints with a dynamic `baseURL`.
+*
+* - `rawCtx.baseURL` already set: HTTP handler rehydrated upstream; return as-is.
+* - Direct `auth.api` call with a source or a configured `fallback`: resolve here.
+* - Neither: throw `APIError` with a helpful message. Leaving `baseURL = ""`
+*   would let plugins build `new URL("")` and crash cryptically downstream.
+*/
+async function resolveDynamicContext(rawCtx, input) {
+	if (rawCtx.baseURL) return rawCtx;
+	const source = pickSource(input);
+	const config = rawCtx.options.baseURL;
+	const hasFallback = isDynamicBaseURLConfig(config) && Boolean(config.fallback);
+	if (source === void 0 && !hasFallback) throw new APIError("INTERNAL_SERVER_ERROR", { message: "Dynamic baseURL could not be resolved for this direct auth.api call. Pass `headers: request.headers` (or `request`) to the call, or add `fallback` to your baseURL config." });
+	try {
+		return await resolveRequestContext(rawCtx, source, resolveDynamicTrustedProxyHeaders(rawCtx.options));
+	} catch (err) {
+		if (err instanceof BetterAuthError) throw new APIError("INTERNAL_SERVER_ERROR", { message: err.message });
+		throw err;
+	}
+}
 function toAuthEndpoints(endpoints, ctx) {
 	const api = {};
 	for (const [key, endpoint] of Object.entries(endpoints)) {
@@ -26,9 +49,10 @@ function toAuthEndpoints(endpoints, ctx) {
 			const endpointMethod = endpoint?.options?.method;
 			const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
 			const run = async () => {
-				const authContext = await ctx;
+				const rawContext = await ctx;
 				const methodName = context?.method ?? context?.request?.method ?? defaultMethod ?? "?";
 				const route = endpoint.path ?? "/:virtual";
+				const authContext = isDynamicBaseURLConfig(rawContext.options.baseURL) ? await resolveDynamicContext(rawContext, context) : rawContext;
 				let internalContext = {
 					...context,
 					context: {
@@ -40,7 +64,7 @@ function toAuthEndpoints(endpoints, ctx) {
 					path: endpoint.path,
 					headers: context?.headers ? new Headers(context?.headers) : void 0
 				};
-				const hasRequest = context?.request instanceof Request;
+				const hasRequest = isRequestLike(context?.request);
 				const shouldReturnResponse = context?.asResponse ?? hasRequest;
 				return withSpan(`${methodName} ${route}`, {
 					[ATTR_HTTP_ROUTE]: route,

package/dist/auth/base.mjs

@@ -1,6 +1,5 @@
-import { getBaseURL, getOrigin, isDynamicBaseURLConfig, resolveBaseURL } from "../utils/url.mjs";
-import { getTrustedOrigins, getTrustedProviders } from "../context/helpers.mjs";
-import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { getBaseURL, getOrigin, isDynamicBaseURLConfig } from "../utils/url.mjs";
+import { getTrustedOrigins, getTrustedProviders, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
 import { getEndpoints, router } from "../api/index.mjs";
 import { runWithAdapter } from "@better-auth/core/context";
 import { BASE_ERROR_CODES, BetterAuthError } from "@better-auth/core/error";
@@ -13,26 +12,8 @@ const createBetterAuth = (options, initFn) => {
 			const ctx = await authContext;
 			const basePath = ctx.options.basePath || "/api/auth";
 			let handlerCtx;
-			if (isDynamicBaseURLConfig(options.baseURL)) {
-				handlerCtx = Object.create(Object.getPrototypeOf(ctx), Object.getOwnPropertyDescriptors(ctx));
-				const baseURL = resolveBaseURL(options.baseURL, basePath, request);
-				if (baseURL) {
-					handlerCtx.baseURL = baseURL;
-					handlerCtx.options = {
-						...ctx.options,
-						baseURL: getOrigin(baseURL) || void 0
-					};
-				} else throw new BetterAuthError("Could not resolve base URL from request. Check your allowedHosts config.");
-				const trustedOriginOptions = {
-					...handlerCtx.options,
-					baseURL: options.baseURL
-				};
-				handlerCtx.trustedOrigins = await getTrustedOrigins(trustedOriginOptions, request);
-				if (options.advanced?.crossSubDomainCookies?.enabled) {
-					handlerCtx.authCookies = getCookies(handlerCtx.options);
-					handlerCtx.createAuthCookie = createCookieGetter(handlerCtx.options);
-				}
-			} else {
+			if (isDynamicBaseURLConfig(options.baseURL)) handlerCtx = await resolveRequestContext(ctx, request, resolveDynamicTrustedProxyHeaders(ctx.options));
+			else {
 				handlerCtx = ctx;
 				if (!ctx.options.baseURL) {
 					const baseURL = getBaseURL(void 0, basePath, request, void 0, ctx.options.advanced?.trustedProxyHeaders);
@@ -42,8 +23,8 @@ const createBetterAuth = (options, initFn) => {
 					} else throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
 				}
 				handlerCtx.trustedOrigins = await getTrustedOrigins(ctx.options, request);
+				handlerCtx.trustedProviders = await getTrustedProviders(ctx.options, request);
 			}
-			handlerCtx.trustedProviders = await getTrustedProviders(handlerCtx.options, request);
 			const { handler } = router(handlerCtx, options);
 			return runWithAdapter(handlerCtx.adapter, () => handler(request));
 		},

package/dist/client/plugins/index.d.mts

@@ -20,7 +20,7 @@ import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-cod
 import { MultiSessionConfig } from "../../plugins/multi-session/index.mjs";
 import { OneTimeTokenOptions } from "../../plugins/one-time-token/index.mjs";
 import { PhoneNumberOptions, UserWithPhoneNumber } from "../../plugins/phone-number/types.mjs";
-import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "../../plugins/two-factor/backup-codes/index.mjs";
+import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "../../plugins/two-factor/backup-codes/index.mjs";
 import { OTPOptions, otp2fa } from "../../plugins/two-factor/otp/index.mjs";
 import { TOTPOptions, totp2fa } from "../../plugins/two-factor/totp/index.mjs";
 import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "../../plugins/two-factor/types.mjs";
@@ -52,4 +52,4 @@ import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/query.mjs

@@ -72,15 +72,15 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 		});
 	};
 	initializedAtom = Array.isArray(initializedAtom) ? initializedAtom : [initializedAtom];
-	let isMounted = false;
+	let isInitialized = false;
 	for (const initAtom of initializedAtom) initAtom.subscribe(async () => {
 		if (isServer()) return;
-		if (isMounted) await fn();
+		if (isInitialized) await fn();
 		else onMount(value, () => {
 			const timeoutId = setTimeout(async () => {
-				if (!isMounted) {
+				if (!isInitialized) {
+					isInitialized = true;
 					await fn();
-					isMounted = true;
 				}
 			}, 0);
 			return () => {

package/dist/context/create-context.mjs

@@ -1,10 +1,10 @@
 import { getBaseURL, isDynamicBaseURLConfig } from "../utils/url.mjs";
 import { matchesOriginPattern } from "../auth/trusted-origins.mjs";
-import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
-import { getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit } from "./helpers.mjs";
 import { hashPassword, verifyPassword } from "../crypto/password.mjs";
 import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { createInternalAdapter } from "../db/internal-adapter.mjs";
+import { getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit } from "./helpers.mjs";
 import { checkPassword } from "../utils/password.mjs";
 import { checkEndpointConflicts } from "../api/index.mjs";
 import { DEFAULT_SECRET } from "../utils/constants.mjs";

package/dist/context/helpers.mjs

@@ -1,7 +1,9 @@
-import { getBaseURL, isDynamicBaseURLConfig } from "../utils/url.mjs";
-import { createInternalAdapter } from "../db/internal-adapter.mjs";
+import { getBaseURL, getOrigin, isDynamicBaseURLConfig, isRequestLike, resolveBaseURL } from "../utils/url.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
+import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { env } from "@better-auth/core/env";
+import { BetterAuthError } from "@better-auth/core/error";
 import { defu } from "defu";
 //#region src/context/helpers.ts
 async function runPluginInit(context) {
@@ -80,6 +82,62 @@ async function getTrustedOrigins(options, request) {
 	if (envTrustedOrigins) trustedOrigins.push(...envTrustedOrigins.split(","));
 	return trustedOrigins.filter((v) => Boolean(v));
 }
+/**
+* Picks a `Request`-like or `Headers` value from a direct `auth.api` call.
+* Headers are only accepted when they carry a host: without one, host
+* resolution would fall back to `null` and the caller should use `fallback`
+* or pass a `Request` instead.
+*/
+function pickSource(input) {
+	if (isRequestLike(input?.request)) return input.request;
+	if (!input?.headers) return void 0;
+	const headers = input.headers instanceof Headers ? input.headers : new Headers(input.headers);
+	if (!headers.has("host") && !headers.has("x-forwarded-host")) return;
+	return headers;
+}
+/**
+* Returns the effective `trustedProxyHeaders` value for dynamic `baseURL`
+* resolution. When the user hasn't set `advanced.trustedProxyHeaders`,
+* proxy headers (`x-forwarded-host` / `x-forwarded-proto`) are trusted by
+* default so deployments behind a reverse proxy work without extra config.
+*/
+function resolveDynamicTrustedProxyHeaders(options) {
+	return options.advanced?.trustedProxyHeaders ?? true;
+}
+/**
+* Per-request clone with `baseURL`, `trustedOrigins`, `trustedProviders`
+* and cookies rehydrated for the resolved host. Throws `BetterAuthError`
+* when the URL cannot be resolved; callers on the direct-API path convert
+* this to `APIError`.
+*/
+async function resolveRequestContext(ctx, source, trustedProxyHeaders) {
+	const dynamicBaseURLConfig = ctx.options.baseURL;
+	const baseURL = resolveBaseURL(dynamicBaseURLConfig, ctx.options.basePath || "/api/auth", source, void 0, trustedProxyHeaders);
+	if (!baseURL) throw new BetterAuthError("Could not resolve base URL from request. Check your allowedHosts config.");
+	const resolved = Object.create(Object.getPrototypeOf(ctx), Object.getOwnPropertyDescriptors(ctx));
+	resolved.baseURL = baseURL;
+	resolved.options = {
+		...ctx.options,
+		baseURL: getOrigin(baseURL) || void 0
+	};
+	const trustedOriginOptions = {
+		...resolved.options,
+		baseURL: dynamicBaseURLConfig
+	};
+	const needsRequest = typeof ctx.options.trustedOrigins === "function" || typeof ctx.options.account?.accountLinking?.trustedProviders === "function";
+	let callbackRequest;
+	if (needsRequest) if (isRequestLike(source)) callbackRequest = source;
+	else if (source) callbackRequest = new Request(baseURL, { headers: source });
+	else callbackRequest = void 0;
+	else callbackRequest = void 0;
+	resolved.trustedOrigins = await getTrustedOrigins(trustedOriginOptions, callbackRequest);
+	resolved.trustedProviders = await getTrustedProviders(resolved.options, callbackRequest);
+	if (ctx.options.advanced?.crossSubDomainCookies?.enabled) {
+		resolved.authCookies = getCookies(resolved.options);
+		resolved.createAuthCookie = createCookieGetter(resolved.options);
+	}
+	return resolved;
+}
 async function getAwaitableValue(arr, item) {
 	if (!arr) return void 0;
 	for (const val of arr) {
@@ -94,4 +152,4 @@ async function getTrustedProviders(options, request) {
 	return (await trustedProviders(request) ?? []).filter((v) => Boolean(v));
 }
 //#endregion
-export { getAwaitableValue, getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit };
+export { getAwaitableValue, getInternalPlugins, getTrustedOrigins, getTrustedProviders, pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext, runPluginInit };

package/dist/cookies/index.mjs

@@ -1,11 +1,11 @@
 import { isDynamicBaseURLConfig } from "../utils/url.mjs";
-import { getDate } from "../utils/date.mjs";
+import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "../crypto/jwt.mjs";
 import { parseUserOutput } from "../db/schema.mjs";
+import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
-import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "../crypto/jwt.mjs";
-import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { sec } from "../utils/time.mjs";
 import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 import { safeJSONParse } from "@better-auth/core/utils/json";

package/dist/crypto/index.mjs

@@ -1,9 +1,9 @@
-import { constantTimeEqual } from "./buffer.mjs";
 import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "./jwt.mjs";
+import { constantTimeEqual } from "./buffer.mjs";
 import { hashPassword, verifyPassword } from "./password.mjs";
 import { generateRandomString } from "./random.mjs";
-import { createHash } from "@better-auth/utils/hash";
 import { getWebcryptoSubtle } from "@better-auth/utils";
+import { createHash } from "@better-auth/utils/hash";
 import { xchacha20poly1305 } from "@noble/ciphers/chacha.js";
 import { bytesToHex, hexToBytes, managedNonce, utf8ToBytes } from "@noble/ciphers/utils.js";
 //#region src/crypto/index.ts

package/dist/db/index.mjs

@@ -1,7 +1,7 @@
 import { __exportAll, __reExport } from "../_virtual/_rolldown/runtime.mjs";
 import { getSchema } from "./get-schema.mjs";
-import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
 import { toZodSchema } from "./to-zod.mjs";

package/dist/db/internal-adapter.mjs

@@ -1,6 +1,6 @@
 import { getIp } from "../utils/get-request-ip.mjs";
-import { getDate } from "../utils/date.mjs";
 import { getSessionDefaultFields, parseSessionOutput, parseUserOutput } from "./schema.mjs";
+import { getDate } from "../utils/date.mjs";
 import { getStorageOption, processIdentifier } from "./verification-token-storage.mjs";
 import { getWithHooks } from "./with-hooks.mjs";
 import { getCurrentAdapter, getCurrentAuthContext, runWithTransaction } from "@better-auth/core/context";

package/dist/index.d.mts

@@ -10,7 +10,7 @@ import { betterAuth } from "./auth/full.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "./state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
 import { APIError } from "./api/index.mjs";
 import { StandardSchemaV1 } from "@better-auth/core";
 import { getCurrentAdapter } from "@better-auth/core/context";
@@ -27,4 +27,4 @@ export * from "@better-auth/core/utils/json";
 export * from "@better-auth/core/social-providers";
 export * from "better-call";
 export * from "zod";
-export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, getTelemetryAuthConfig, isDynamicBaseURLConfig, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
 import { generateGenericState, parseGenericState } from "./state.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
@@ -14,4 +14,4 @@ export * from "@better-auth/core/oauth2";
 export * from "@better-auth/core/utils/error-codes";
 export * from "@better-auth/core/utils/id";
 export * from "@better-auth/core/utils/json";
-export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, getTelemetryAuthConfig, isDynamicBaseURLConfig, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.2";
+var version = "1.6.4";
 //#endregion
 export { version };

package/dist/plugins/admin/admin.d.mts

@@ -775,11 +775,9 @@ declare const admin: <O extends AdminOptions>(options?: O | undefined) => {
       body: zod.ZodIntersection<zod.ZodObject<{
         userId: zod.ZodOptional<zod.ZodCoercedString<unknown>>;
         role: zod.ZodOptional<zod.ZodString>;
-      }, zod_v4_core0.$strip>, zod.ZodUnion<readonly [zod.ZodObject<{
+      }, zod_v4_core0.$strip>, zod.ZodXor<readonly [zod.ZodObject<{
         permission: zod.ZodRecord<zod.ZodString, zod.ZodArray<zod.ZodString>>;
-        permissions: zod.ZodUndefined;
       }, zod_v4_core0.$strip>, zod.ZodObject<{
-        permission: zod.ZodUndefined;
         permissions: zod.ZodRecord<zod.ZodString, zod.ZodArray<zod.ZodString>>;
       }, zod_v4_core0.$strip>]>>;
       metadata: {

package/dist/plugins/admin/routes.mjs

@@ -1,5 +1,5 @@
-import { getDate } from "../../utils/date.mjs";
 import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
+import { getDate } from "../../utils/date.mjs";
 import { deleteSessionCookie, expireCookie, setSessionCookie } from "../../cookies/index.mjs";
 import { getSessionFromCtx } from "../../api/routes/session.mjs";
 import { ADMIN_ERROR_CODES } from "./error-codes.mjs";
@@ -766,13 +766,7 @@ const setUserPassword = (opts) => createAuthEndpoint("/admin/set-user-password",
 const userHasPermissionBodySchema = z.object({
 	userId: z.coerce.string().optional().meta({ description: `The user id. Eg: "user-id"` }),
 	role: z.string().optional().meta({ description: `The role to check permission for. Eg: "admin"` })
-}).and(z.union([z.object({
-	permission: z.record(z.string(), z.array(z.string())),
-	permissions: z.undefined()
-}), z.object({
-	permission: z.undefined(),
-	permissions: z.record(z.string(), z.array(z.string()))
-})]));
+}).and(z.xor([z.object({ permission: z.record(z.string(), z.array(z.string())) }), z.object({ permissions: z.record(z.string(), z.array(z.string())) })]));
 /**
 * ### Endpoint
 *

package/dist/plugins/device-authorization/routes.mjs

@@ -1,5 +1,5 @@
-import { generateRandomString } from "../../crypto/random.mjs";
 import { ms } from "../../utils/time.mjs";
+import { generateRandomString } from "../../crypto/random.mjs";
 import { getSessionFromCtx } from "../../api/routes/session.mjs";
 import { DEVICE_AUTHORIZATION_ERROR_CODES } from "./error-codes.mjs";
 import { APIError } from "@better-auth/core/error";

package/dist/plugins/email-otp/routes.mjs

@@ -1,5 +1,5 @@
-import { getDate } from "../../utils/date.mjs";
 import { parseUserInput, parseUserOutput } from "../../db/schema.mjs";
+import { getDate } from "../../utils/date.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { symmetricDecrypt } from "../../crypto/index.mjs";
 import { setCookieCache, setSessionCookie } from "../../cookies/index.mjs";

package/dist/plugins/index.d.mts

@@ -51,7 +51,7 @@ import { phoneNumber } from "./phone-number/index.mjs";
 import { SIWEPluginOptions, siwe } from "./siwe/index.mjs";
 import { LoginResult, TestCookie, TestHelpers, TestUtilsOptions } from "./test-utils/types.mjs";
 import { testUtils } from "./test-utils/index.mjs";
-import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./two-factor/backup-codes/index.mjs";
+import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./two-factor/backup-codes/index.mjs";
 import { OTPOptions, otp2fa } from "./two-factor/otp/index.mjs";
 import { TOTPOptions, totp2fa } from "./two-factor/totp/index.mjs";
 import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "./two-factor/types.mjs";
@@ -62,4 +62,4 @@ import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
 import { UsernameOptions, username } from "./username/index.mjs";
 import { hasPermission } from "./organization/has-permission.mjs";
 import { DefaultOrganizationPlugin, DynamicAccessControlEndpoints, OrganizationCreator, OrganizationEndpoints, OrganizationPlugin, TeamEndpoints, organization, parseRoles } from "./organization/organization.mjs";
-export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };
+export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };

package/dist/plugins/jwt/utils.mjs

@@ -1,5 +1,5 @@
-import { symmetricEncrypt } from "../../crypto/index.mjs";
 import { sec } from "../../utils/time.mjs";
+import { symmetricEncrypt } from "../../crypto/index.mjs";
 import { getJwksAdapter } from "./adapter.mjs";
 import { exportJWK, generateKeyPair } from "jose";
 //#region src/plugins/jwt/utils.ts

package/dist/plugins/mcp/index.mjs

@@ -1,7 +1,8 @@
 import { getBaseURL, isDynamicBaseURLConfig, resolveBaseURL } from "../../utils/url.mjs";
-import { generateRandomString } from "../../crypto/random.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { generateRandomString } from "../../crypto/random.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
+import { resolveDynamicTrustedProxyHeaders } from "../../context/helpers.mjs";
 import { getSessionFromCtx } from "../../api/routes/session.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { APIError } from "../../api/index.mjs";
@@ -15,9 +16,9 @@ import { safeJSONParse } from "@better-auth/core/utils/json";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
-import { createHash } from "@better-auth/utils/hash";
-import { getWebcryptoSubtle } from "@better-auth/utils";
 import { SignJWT } from "jose";
+import { getWebcryptoSubtle } from "@better-auth/utils";
+import { createHash } from "@better-auth/utils/hash";
 //#region src/plugins/mcp/index.ts
 const getMCPProviderMetadata = (ctx, options) => {
 	const issuer = typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : "";
@@ -662,10 +663,15 @@ const mcp = (options) => {
 const withMcpAuth = (auth, handler) => {
 	return async (req) => {
 		const basePath = auth.options.basePath || "/api/auth";
-		const baseURL = isDynamicBaseURLConfig(auth.options.baseURL) ? resolveBaseURL(auth.options.baseURL, basePath, req) : getBaseURL(typeof auth.options.baseURL === "string" ? auth.options.baseURL : void 0, basePath);
+		const trustedProxyHeaders = resolveDynamicTrustedProxyHeaders(auth.options);
+		const baseURL = isDynamicBaseURLConfig(auth.options.baseURL) ? resolveBaseURL(auth.options.baseURL, basePath, req, void 0, trustedProxyHeaders) : getBaseURL(typeof auth.options.baseURL === "string" ? auth.options.baseURL : void 0, basePath);
 		if (!baseURL && !isProduction) logger.warn("Unable to get the baseURL, please check your config!");
-		const session = await auth.api.getMcpSession({ headers: req.headers });
-		const wwwAuthenticateValue = `Bearer resource_metadata="${baseURL}/.well-known/oauth-protected-resource"`;
+		const session = await auth.api.getMcpSession({
+			request: req,
+			headers: req.headers,
+			asResponse: false
+		});
+		const wwwAuthenticateValue = baseURL ? `Bearer resource_metadata="${baseURL}/.well-known/oauth-protected-resource"` : "Bearer";
 		if (!session) return Response.json({
 			jsonrpc: "2.0",
 			error: {
@@ -686,7 +692,10 @@ const withMcpAuth = (auth, handler) => {
 };
 const oAuthDiscoveryMetadata = (auth) => {
 	return async (request) => {
-		const res = await auth.api.getMcpOAuthConfig();
+		const res = await auth.api.getMcpOAuthConfig({
+			request,
+			asResponse: false
+		});
 		return new Response(JSON.stringify(res), {
 			status: 200,
 			headers: {
@@ -701,7 +710,10 @@ const oAuthDiscoveryMetadata = (auth) => {
 };
 const oAuthProtectedResourceMetadata = (auth) => {
 	return async (request) => {
-		const res = await auth.api.getMCPProtectedResource();
+		const res = await auth.api.getMCPProtectedResource({
+			request,
+			asResponse: false
+		});
 		return new Response(JSON.stringify(res), {
 			status: 200,
 			headers: {

package/dist/plugins/oauth-proxy/index.mjs

@@ -1,7 +1,7 @@
 import { getOrigin } from "../../utils/url.mjs";
 import { originCheck } from "../../api/middlewares/origin-check.mjs";
-import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { parseGenericState } from "../../state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";

package/dist/plugins/oidc-provider/index.mjs

@@ -1,7 +1,7 @@
 import { mergeSchema } from "../../db/schema.mjs";
+import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
-import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
 import { getSessionFromCtx, sessionMiddleware } from "../../api/routes/session.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
@@ -18,8 +18,8 @@ import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api"
 import { deprecate } from "@better-auth/core/utils/deprecate";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
-import { createHash } from "@better-auth/utils/hash";
 import { SignJWT, jwtVerify } from "jose";
+import { createHash } from "@better-auth/utils/hash";
 //#region src/plugins/oidc-provider/index.ts
 /**
 * Get a client by ID, checking trusted clients first, then database

package/dist/plugins/organization/organization.d.mts

@@ -99,11 +99,9 @@ declare const createHasPermission: <O extends OrganizationOptions>(options: O) =
   requireHeaders: true;
   body: z.ZodIntersection<z.ZodObject<{
     organizationId: z.ZodOptional<z.ZodString>;
-  }, z.core.$strip>, z.ZodUnion<readonly [z.ZodObject<{
+  }, z.core.$strip>, z.ZodXor<readonly [z.ZodObject<{
     permission: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>;
-    permissions: z.ZodUndefined;
   }, z.core.$strip>, z.ZodObject<{
-    permission: z.ZodUndefined;
     permissions: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>;
   }, z.core.$strip>]>>;
   use: ((inputContext: better_call0.MiddlewareInputContext<{

package/dist/plugins/organization/organization.mjs

@@ -18,13 +18,7 @@ import * as z from "zod";
 function parseRoles(roles) {
 	return Array.isArray(roles) ? roles.join(",") : roles;
 }
-const createHasPermissionBodySchema = z.object({ organizationId: z.string().optional() }).and(z.union([z.object({
-	permission: z.record(z.string(), z.array(z.string())),
-	permissions: z.undefined()
-}), z.object({
-	permission: z.undefined(),
-	permissions: z.record(z.string(), z.array(z.string()))
-})]));
+const createHasPermissionBodySchema = z.object({ organizationId: z.string().optional() }).and(z.xor([z.object({ permission: z.record(z.string(), z.array(z.string())) }), z.object({ permissions: z.record(z.string(), z.array(z.string())) })]));
 const createHasPermission = (options) => {
 	return createAuthEndpoint("/organization/has-permission", {
 		method: "POST",

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -1,6 +1,6 @@
 import { getDate } from "../../../utils/date.mjs";
-import { toZodSchema } from "../../../db/to-zod.mjs";
 import { setSessionCookie } from "../../../cookies/index.mjs";
+import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx } from "../../../api/routes/session.mjs";
 import { defaultRoles } from "../access/statement.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";

package/dist/plugins/organization/routes/crud-org.mjs

@@ -1,5 +1,5 @@
-import { toZodSchema } from "../../../db/to-zod.mjs";
 import { setSessionCookie } from "../../../cookies/index.mjs";
+import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx, requestOnlySessionMiddleware } from "../../../api/routes/session.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
 import { getOrgAdapter } from "../adapter.mjs";

package/dist/plugins/organization/routes/crud-team.mjs

@@ -1,5 +1,5 @@
-import { toZodSchema } from "../../../db/to-zod.mjs";
 import { setSessionCookie } from "../../../cookies/index.mjs";
+import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx } from "../../../api/routes/session.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
 import { getOrgAdapter } from "../adapter.mjs";

package/dist/plugins/phone-number/routes.mjs

@@ -1,5 +1,5 @@
-import { getDate } from "../../utils/date.mjs";
 import { parseUserInput, parseUserOutput } from "../../db/schema.mjs";
+import { getDate } from "../../utils/date.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getSessionFromCtx } from "../../api/routes/session.mjs";

package/dist/plugins/two-factor/backup-codes/index.d.mts

@@ -36,6 +36,7 @@ interface BackupCodeOptions {
    */
   allowPasswordless?: boolean | undefined;
 }
+declare function encodeBackupCodes(codes: string[], secret: string | SecretConfig, options?: BackupCodeOptions | undefined): Promise<string>;
 declare function generateBackupCodes(secret: string | SecretConfig, options?: BackupCodeOptions | undefined): Promise<{
   backupCodes: string[];
   encryptedBackupCodes: string;
@@ -286,4 +287,4 @@ declare const backupCode2fa: (opts: BackupCodeOptions) => {
   };
 };
 //#endregion
-export { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode };
+export { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode };

package/dist/plugins/two-factor/backup-codes/index.mjs

@@ -14,22 +14,20 @@ import * as z from "zod";
 function generateBackupCodesFn(options) {
 	return Array.from({ length: options?.amount ?? 10 }).fill(null).map(() => generateRandomString(options?.length ?? 10, "a-z", "0-9", "A-Z")).map((code) => `${code.slice(0, 5)}-${code.slice(5)}`);
 }
+async function encodeBackupCodes(codes, secret, options) {
+	const json = JSON.stringify(codes);
+	if (options?.storeBackupCodes === "encrypted") return symmetricEncrypt({
+		data: json,
+		key: secret
+	});
+	if (typeof options?.storeBackupCodes === "object" && "encrypt" in options?.storeBackupCodes) return options.storeBackupCodes.encrypt(json);
+	return json;
+}
 async function generateBackupCodes(secret, options) {
 	const backupCodes = options?.customBackupCodesGenerate ? options.customBackupCodesGenerate() : generateBackupCodesFn(options);
-	if (options?.storeBackupCodes === "encrypted") return {
-		backupCodes,
-		encryptedBackupCodes: await symmetricEncrypt({
-			data: JSON.stringify(backupCodes),
-			key: secret
-		})
-	};
-	if (typeof options?.storeBackupCodes === "object" && "encrypt" in options?.storeBackupCodes) return {
-		backupCodes,
-		encryptedBackupCodes: await options?.storeBackupCodes.encrypt(JSON.stringify(backupCodes))
-	};
 	return {
 		backupCodes,
-		encryptedBackupCodes: JSON.stringify(backupCodes)
+		encryptedBackupCodes: await encodeBackupCodes(backupCodes, secret, options)
 	};
 }
 async function verifyBackupCode(data, key, options) {
@@ -177,11 +175,8 @@ const backupCode2fa = (opts) => {
 					backupCodes: twoFactor.backupCodes,
 					code: ctx.body.code
 				}, ctx.context.secretConfig, opts);
-				if (!validate.status) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_BACKUP_CODE);
-				const updatedBackupCodes = await symmetricEncrypt({
-					key: ctx.context.secretConfig,
-					data: JSON.stringify(validate.updated)
-				});
+				if (!validate.status || !validate.updated) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_BACKUP_CODE);
+				const updatedBackupCodes = await encodeBackupCodes(validate.updated, ctx.context.secretConfig, opts);
 				if (!await ctx.context.adapter.update({
 					model: twoFactorTable,
 					update: { backupCodes: updatedBackupCodes },

package/dist/plugins/two-factor/client.d.mts

@@ -1,4 +1,4 @@
-import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./backup-codes/index.mjs";
+import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./backup-codes/index.mjs";
 import { OTPOptions, otp2fa } from "./otp/index.mjs";
 import { TOTPOptions, totp2fa } from "./totp/index.mjs";
 import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "./types.mjs";

package/dist/plugins/two-factor/index.d.mts

@@ -1,4 +1,4 @@
-import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./backup-codes/index.mjs";
+import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./backup-codes/index.mjs";
 import { OTPOptions, otp2fa } from "./otp/index.mjs";
 import { TOTPOptions, totp2fa } from "./totp/index.mjs";
 import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "./types.mjs";
@@ -683,4 +683,4 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
   };
 };
 //#endregion
-export { BackupCodeOptions, OTPOptions, TOTPOptions, TWO_FACTOR_ERROR_CODES, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor, backupCode2fa, generateBackupCodes, getBackupCodes, otp2fa, totp2fa, twoFactor, twoFactorClient, verifyBackupCode };
+export { BackupCodeOptions, OTPOptions, TOTPOptions, TWO_FACTOR_ERROR_CODES, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, otp2fa, totp2fa, twoFactor, twoFactorClient, verifyBackupCode };

package/dist/test-utils/test-instance.d.mts

@@ -261,7 +261,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                 "application/json": {
                   schema: {
                     type: "object";
-                    nullable: boolean;
                     properties: {
                       session: {
                         $ref: string;
@@ -2265,7 +2264,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                 "application/json": {
                   schema: {
                     type: "object";
-                    nullable: boolean;
                     properties: {
                       session: {
                         $ref: string;
@@ -4272,7 +4270,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                     "application/json": {
                       schema: {
                         type: "object";
-                        nullable: boolean;
                         properties: {
                           session: {
                             $ref: string;
@@ -6276,7 +6273,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                     "application/json": {
                       schema: {
                         type: "object";
-                        nullable: boolean;
                         properties: {
                           session: {
                             $ref: string;
@@ -8354,7 +8350,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                     "application/json": {
                       schema: {
                         type: "object";
-                        nullable: boolean;
                         properties: {
                           session: {
                             $ref: string;
@@ -10358,7 +10353,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                     "application/json": {
                       schema: {
                         type: "object";
-                        nullable: boolean;
                         properties: {
                           session: {
                             $ref: string;

package/dist/test-utils/test-instance.mjs

@@ -80,7 +80,13 @@ async function getTestInstance(options, config) {
 	};
 	async function createTestUser() {
 		if (config?.disableTestUser) return;
-		await auth.api.signUpEmail({ body: testUser });
+		const dynamicBaseURL = isDynamicBaseURLConfig(auth.options.baseURL) ? auth.options.baseURL : void 0;
+		const host = (dynamicBaseURL?.allowedHosts.find((h) => !h.includes("*") && !h.includes("?")) ?? dynamicBaseURL?.allowedHosts[0])?.replace(/^https?:\/\//, "").split(/[/#]/)[0]?.replace(/\*/g, "test").replace(/\?/g, "x");
+		const headers = host ? new Headers({ host }) : void 0;
+		await auth.api.signUpEmail({
+			body: testUser,
+			headers
+		});
 	}
 	if (testWith !== "mongodb") {
 		const { runMigrations } = await getMigrations({

package/dist/utils/index.d.mts

@@ -1,4 +1,4 @@
 import { generateState, parseState } from "../oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "../state.mjs";
 import { HIDE_METADATA } from "./hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./url.mjs";

package/dist/utils/url.d.mts

@@ -10,22 +10,29 @@ declare function getHost(url: string): string | null;
  */
 declare function isDynamicBaseURLConfig(config: BaseURLConfig | undefined): config is DynamicBaseURLConfig;
 /**
- * Extracts the host from the request headers.
- * Tries x-forwarded-host first (for proxy setups), then falls back to host header.
+ * Check if a value is a `Request`
+ * - `instanceof`: works for native Request instances
+ * - `toString`: handles where instanceof check fails but the object is still a
+ *   valid Request (e.g. cross-realm, polyfills). Paired with a shape check so
+ *   an object that only spoofs `Symbol.toStringTag` without the real shape is
+ *   rejected before downstream code tries to read `.headers` / `.url`.
  *
- * @param request The incoming request
- * @returns The host string or null if not found
+ * @param value The value to check
+ * @returns `true` if the value is a Request instance
  */
-declare function getHostFromRequest(request: Request): string | null;
+declare function isRequestLike(value: unknown): value is Request;
 /**
- * Extracts the protocol from the request headers.
- * Tries x-forwarded-proto first (for proxy setups), then infers from request URL.
- *
- * @param request The incoming request
- * @param configProtocol Protocol override from config
- * @returns The protocol ("http" or "https")
+ * Extracts the host from a `Request` or `Headers`.
+ * Honors `x-forwarded-host` only when `trustedProxyHeaders` is enabled,
+ * then falls back to the `host` header and finally the request URL.
+ */
+declare function getHostFromSource(source: Request | Headers, trustedProxyHeaders?: boolean): string | null;
+/**
+ * Extracts the protocol from a `Request` or `Headers`.
+ * Honors `x-forwarded-proto` only when `trustedProxyHeaders` is enabled,
+ * then falls back to the request URL, then to "https".
  */
-declare function getProtocolFromRequest(request: Request, configProtocol?: "http" | "https" | "auto" | undefined): "http" | "https";
+declare function getProtocolFromSource(source: Request | Headers, configProtocol?: "http" | "https" | "auto" | undefined, trustedProxyHeaders?: boolean): "http" | "https";
 /**
  * Matches a hostname against a host pattern.
  * Supports wildcard patterns like `*.vercel.app` or `preview-*.myapp.com`.
@@ -53,7 +60,7 @@ declare const matchesHostPattern: (host: string, pattern: string) => boolean;
  * @returns The resolved base URL with path
  * @throws BetterAuthError if host is not in allowedHosts and no fallback is set
  */
-declare function resolveDynamicBaseURL(config: DynamicBaseURLConfig, request: Request, basePath: string): string;
+declare function resolveDynamicBaseURL(config: DynamicBaseURLConfig, source: Request | Headers, basePath: string, trustedProxyHeaders?: boolean): string;
 /**
  * Resolves the base URL from any config type (static string or dynamic object).
  * This is the main entry point for base URL resolution.
@@ -65,6 +72,6 @@ declare function resolveDynamicBaseURL(config: DynamicBaseURLConfig, request: Re
  * @param trustedProxyHeaders Whether to trust proxy headers (for legacy behavior)
  * @returns The resolved base URL with path
  */
-declare function resolveBaseURL(config: BaseURLConfig | undefined, basePath: string, request?: Request, loadEnv?: boolean, trustedProxyHeaders?: boolean): string | undefined;
+declare function resolveBaseURL(config: BaseURLConfig | undefined, basePath: string, source?: Request | Headers, loadEnv?: boolean, trustedProxyHeaders?: boolean): string | undefined;
 //#endregion
-export { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };
+export { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };

package/dist/utils/url.mjs

@@ -93,41 +93,66 @@ function isDynamicBaseURLConfig(config) {
 	return typeof config === "object" && config !== null && "allowedHosts" in config && Array.isArray(config.allowedHosts);
 }
 /**
-* Extracts the host from the request headers.
-* Tries x-forwarded-host first (for proxy setups), then falls back to host header.
+* Check if a value is a `Request`
+* - `instanceof`: works for native Request instances
+* - `toString`: handles where instanceof check fails but the object is still a
+*   valid Request (e.g. cross-realm, polyfills). Paired with a shape check so
+*   an object that only spoofs `Symbol.toStringTag` without the real shape is
+*   rejected before downstream code tries to read `.headers` / `.url`.
 *
-* @param request The incoming request
-* @returns The host string or null if not found
+* @param value The value to check
+* @returns `true` if the value is a Request instance
+*/
+function isRequestLike(value) {
+	if (value instanceof Request) return true;
+	if (typeof value !== "object" || value === null || Object.prototype.toString.call(value) !== "[object Request]") return false;
+	const v = value;
+	return typeof v.url === "string" && typeof v.headers === "object" && v.headers !== null && typeof v.headers.get === "function";
+}
+/**
+* Extracts the host from a `Request` or `Headers`.
+* Honors `x-forwarded-host` only when `trustedProxyHeaders` is enabled,
+* then falls back to the `host` header and finally the request URL.
 */
-function getHostFromRequest(request) {
-	const forwardedHost = request.headers.get("x-forwarded-host");
-	if (forwardedHost && validateProxyHeader(forwardedHost, "host")) return forwardedHost;
-	const host = request.headers.get("host");
+function getHostFromSource(source, trustedProxyHeaders) {
+	const headers = isRequestLike(source) ? source.headers : source;
+	if (trustedProxyHeaders) {
+		const forwardedHost = headers.get("x-forwarded-host");
+		if (forwardedHost && validateProxyHeader(forwardedHost, "host")) return forwardedHost;
+	}
+	const host = headers.get("host");
 	if (host && validateProxyHeader(host, "host")) return host;
-	try {
-		return new URL(request.url).host;
+	if (isRequestLike(source)) try {
+		return new URL(source.url).host;
 	} catch {
 		return null;
 	}
+	return null;
 }
 /**
-* Extracts the protocol from the request headers.
-* Tries x-forwarded-proto first (for proxy setups), then infers from request URL.
-*
-* @param request The incoming request
-* @param configProtocol Protocol override from config
-* @returns The protocol ("http" or "https")
+* Extracts the protocol from a `Request` or `Headers`.
+* Honors `x-forwarded-proto` only when `trustedProxyHeaders` is enabled,
+* then falls back to the request URL, then to "https".
 */
-function getProtocolFromRequest(request, configProtocol) {
+function getProtocolFromSource(source, configProtocol, trustedProxyHeaders) {
 	if (configProtocol === "http" || configProtocol === "https") return configProtocol;
-	const forwardedProto = request.headers.get("x-forwarded-proto");
-	if (forwardedProto && validateProxyHeader(forwardedProto, "proto")) return forwardedProto;
-	try {
-		const url = new URL(request.url);
+	const headers = isRequestLike(source) ? source.headers : source;
+	if (trustedProxyHeaders) {
+		const forwardedProto = headers.get("x-forwarded-proto");
+		if (forwardedProto && validateProxyHeader(forwardedProto, "proto")) return forwardedProto;
+	}
+	if (isRequestLike(source)) try {
+		const url = new URL(source.url);
 		if (url.protocol === "http:" || url.protocol === "https:") return url.protocol.slice(0, -1);
 	} catch {}
+	const host = getHostFromSource(source, trustedProxyHeaders);
+	if (host && isLoopbackHost(host)) return "http";
 	return "https";
 }
+function isLoopbackHost(host) {
+	const h = host.toLowerCase();
+	return h === "localhost" || h.startsWith("localhost:") || h === "127.0.0.1" || h.startsWith("127.0.0.1:") || h === "[::1]" || h.startsWith("[::1]:") || h === "0.0.0.0" || h.startsWith("0.0.0.0:");
+}
 /**
 * Matches a hostname against a host pattern.
 * Supports wildcard patterns like `*.vercel.app` or `preview-*.myapp.com`.
@@ -161,13 +186,13 @@ const matchesHostPattern = (host, pattern) => {
 * @returns The resolved base URL with path
 * @throws BetterAuthError if host is not in allowedHosts and no fallback is set
 */
-function resolveDynamicBaseURL(config, request, basePath) {
-	const host = getHostFromRequest(request);
+function resolveDynamicBaseURL(config, source, basePath, trustedProxyHeaders) {
+	const host = getHostFromSource(source, trustedProxyHeaders);
 	if (!host) {
 		if (config.fallback) return withPath(config.fallback, basePath);
 		throw new BetterAuthError("Could not determine host from request headers. Please provide a fallback URL in your baseURL config.");
 	}
-	if (config.allowedHosts.some((pattern) => matchesHostPattern(host, pattern))) return withPath(`${getProtocolFromRequest(request, config.protocol)}://${host}`, basePath);
+	if (config.allowedHosts.some((pattern) => matchesHostPattern(host, pattern))) return withPath(`${getProtocolFromSource(source, config.protocol, trustedProxyHeaders)}://${host}`, basePath);
 	if (config.fallback) return withPath(config.fallback, basePath);
 	throw new BetterAuthError(`Host "${host}" is not in the allowed hosts list. Allowed hosts: ${config.allowedHosts.join(", ")}. Add this host to your allowedHosts config or provide a fallback URL.`);
 }
@@ -182,14 +207,15 @@ function resolveDynamicBaseURL(config, request, basePath) {
 * @param trustedProxyHeaders Whether to trust proxy headers (for legacy behavior)
 * @returns The resolved base URL with path
 */
-function resolveBaseURL(config, basePath, request, loadEnv, trustedProxyHeaders) {
+function resolveBaseURL(config, basePath, source, loadEnv, trustedProxyHeaders) {
 	if (isDynamicBaseURLConfig(config)) {
-		if (request) return resolveDynamicBaseURL(config, request, basePath);
+		if (source) return resolveDynamicBaseURL(config, source, basePath, trustedProxyHeaders);
 		if (config.fallback) return withPath(config.fallback, basePath);
-		return getBaseURL(void 0, basePath, request, loadEnv, trustedProxyHeaders);
+		return getBaseURL(void 0, basePath, void 0, loadEnv, trustedProxyHeaders);
 	}
+	const request = isRequestLike(source) ? source : void 0;
 	if (typeof config === "string") return getBaseURL(config, basePath, request, loadEnv, trustedProxyHeaders);
 	return getBaseURL(void 0, basePath, request, loadEnv, trustedProxyHeaders);
 }
 //#endregion
-export { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };
+export { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.2",
+  "version": "1.6.4",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,17 +489,17 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.2",
-    "@better-auth/drizzle-adapter": "1.6.2",
-    "@better-auth/kysely-adapter": "1.6.2",
-    "@better-auth/memory-adapter": "1.6.2",
-    "@better-auth/mongo-adapter": "1.6.2",
-    "@better-auth/prisma-adapter": "1.6.2",
-    "@better-auth/telemetry": "1.6.2"
+    "@better-auth/core": "1.6.4",
+    "@better-auth/drizzle-adapter": "1.6.4",
+    "@better-auth/kysely-adapter": "1.6.4",
+    "@better-auth/memory-adapter": "1.6.4",
+    "@better-auth/mongo-adapter": "1.6.4",
+    "@better-auth/prisma-adapter": "1.6.4",
+    "@better-auth/telemetry": "1.6.4"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",
-    "@sveltejs/kit": "^2.53.3",
+    "@sveltejs/kit": "^2.57.1",
     "@tanstack/react-start": "^1.163.2",
     "@tanstack/solid-start": "^1.163.2",
     "@types/bun": "^1.3.9",
@@ -512,7 +512,7 @@
     "happy-dom": "^20.8.9",
     "listhen": "^1.9.0",
     "msw": "^2.12.10",
-    "next": "^16.2.0",
+    "next": "^16.2.3",
     "oauth2-mock-server": "^8.2.2",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
@@ -531,7 +531,7 @@
     "@tanstack/solid-start": "^1.0.0",
     "better-sqlite3": "^12.0.0",
     "drizzle-kit": ">=0.31.4",
-    "drizzle-orm": ">=0.41.0",
+    "drizzle-orm": "^0.45.2",
     "mongodb": "^6.0.0 || ^7.0.0",
     "mysql2": "^3.0.0",
     "next": "^14.0.0 || ^15.0.0 || ^16.0.0",