better-auth 1.6.3 → 1.7.0-beta.1

package/dist/api/index.d.mts

@@ -216,6 +216,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       query: zod.ZodOptional<zod.ZodObject<{
         code: zod.ZodOptional<zod.ZodString>;
@@ -224,6 +225,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       metadata: {
         allowedMediaTypes: string[];
@@ -2205,6 +2207,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       query: zod.ZodOptional<zod.ZodObject<{
         code: zod.ZodOptional<zod.ZodString>;
@@ -2213,6 +2216,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       metadata: {
         allowedMediaTypes: string[];

package/dist/api/routes/callback.d.mts

@@ -12,6 +12,7 @@ declare const callbackOAuth: better_call0.StrictEndpoint<"/callback/:id", {
     error_description: z.ZodOptional<z.ZodString>;
     state: z.ZodOptional<z.ZodString>;
     user: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
   query: z.ZodOptional<z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -20,6 +21,7 @@ declare const callbackOAuth: better_call0.StrictEndpoint<"/callback/:id", {
     error_description: z.ZodOptional<z.ZodString>;
     state: z.ZodOptional<z.ZodString>;
     user: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
   metadata: {
     allowedMediaTypes: string[];

package/dist/api/routes/callback.mjs

@@ -2,6 +2,7 @@ import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
@@ -14,7 +15,8 @@ const schema = z.object({
 	device_id: z.string().optional(),
 	error_description: z.string().optional(),
 	state: z.string().optional(),
-	user: z.string().optional()
+	user: z.string().optional(),
+	iss: z.string().optional()
 });
 const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	method: ["GET", "POST"],
@@ -48,7 +50,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		c.context.logger.error("INVALID_CALLBACK_REQUEST", e);
 		throw c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);
 	}
-	const { code, error, state, error_description, device_id, user: userData } = queryOrBody;
+	const { code, error, state, error_description, device_id, user: userData, iss } = queryOrBody;
 	if (!state) {
 		c.context.logger.error("State not found", error);
 		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}state=state_not_found`;
@@ -65,12 +67,19 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	if (error) redirectOnError(error, error_description);
 	if (!code) {
 		c.context.logger.error("Code not found");
-		throw redirectOnError("no_code");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NO_CODE);
 	}
 	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
 	if (!provider) {
 		c.context.logger.error("Oauth provider with id", c.params.id, "not found");
-		throw redirectOnError("oauth_provider_not_found");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.PROVIDER_NOT_FOUND);
+	}
+	if (iss && provider.issuer && iss !== provider.issuer) {
+		c.context.logger.error("OAuth issuer mismatch", {
+			expected: provider.issuer,
+			received: iss
+		});
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.ISSUER_MISMATCH);
 	}
 	let tokens;
 	try {
@@ -82,9 +91,9 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		});
 	} catch (e) {
 		c.context.logger.error("", e);
-		throw redirectOnError("invalid_code");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.INVALID_CODE);
 	}
-	if (!tokens) throw redirectOnError("invalid_code");
+	if (!tokens) throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.INVALID_CODE);
 	const parsedUserData = userData ? safeJSONParse(userData) : null;
 	const userInfo = await provider.getUserInfo({
 		...tokens,
@@ -92,21 +101,21 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}).then((res) => res?.user);
 	if (!userInfo) {
 		c.context.logger.error("Unable to get user info");
-		return redirectOnError("unable_to_get_user_info");
+		return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_GET_USER_INFO);
 	}
 	if (!callbackURL) {
 		c.context.logger.error("No callback URL found");
-		throw redirectOnError("no_callback_url");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NO_CALLBACK_URL);
 	}
 	if (link) {
 		if (!c.context.trustedProviders.includes(provider.id) && !userInfo.emailVerified || c.context.options.account?.accountLinking?.enabled === false) {
 			c.context.logger.error("Unable to link account - untrusted provider");
-			return redirectOnError("unable_to_link_account");
+			return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
 		}
-		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
+		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.EMAIL_DOES_NOT_MATCH);
 		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(String(userInfo.id), provider.id);
 		if (existingAccount) {
-			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
+			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.ACCOUNT_ALREADY_LINKED_TO_DIFFERENT_USER);
 			const updateData = Object.fromEntries(Object.entries({
 				accessToken: await setTokenUtil(tokens.accessToken, c.context),
 				refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
@@ -124,7 +133,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			accessToken: await setTokenUtil(tokens.accessToken, c.context),
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
 			scope: tokens.scopes?.join(",")
-		})) return redirectOnError("unable_to_link_account");
+		})) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -135,7 +144,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}
 	if (!userInfo.email) {
 		c.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings.");
-		return redirectOnError("email_not_found");
+		return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.EMAIL_NOT_FOUND);
 	}
 	const accountData = {
 		providerId: provider.id,

package/dist/client/path-to-object.d.mts

@@ -1,10 +1,41 @@
 import { HasRequiredKeys, IsAny, Prettify as Prettify$1, UnionToIntersection } from "../types/helper.mjs";
 import { InferAdditionalFromClient, InferSessionFromClient, InferUserFromClient } from "./types.mjs";
 import { BetterAuthClientOptions, ClientFetchOption } from "@better-auth/core";
+import { SocialProviderList } from "@better-auth/core/social-providers";
 import { Endpoint, InputContext, StandardSchemaV1 } from "better-call";
 import { BetterFetchResponse } from "@better-fetch/fetch";
 
 //#region src/client/path-to-object.d.ts
+/**
+ * Extract generic OAuth provider IDs from the client options.
+ * Supports both `$InferAuth` (server type bridge) and client plugins
+ * with `$InferServerPlugin`.
+ */
+type InferGenericOAuthProviderIds<O extends BetterAuthClientOptions> = (O extends {
+  $InferAuth: {
+    options: {
+      plugins: Array<infer P>;
+    };
+  };
+} ? P extends {
+  id: "generic-oauth";
+  options: {
+    config: Array<{
+      providerId: infer ID;
+    }>;
+  };
+} ? ID & string : never : never) | (O extends {
+  plugins: Array<infer P>;
+} ? P extends {
+  $InferServerPlugin: {
+    id: "generic-oauth";
+    options: {
+      config: Array<{
+        providerId: infer ID;
+      }>;
+    };
+  };
+} ? ID & string : never : never);
 type KeepNullishFromOriginal<Original, Replaced> = Replaced | (undefined extends Original ? undefined : never) | (null extends Original ? null : never);
 type ReplaceTopLevelField<Data, Field extends "user" | "session", Replaced> = Data extends object ? Field extends keyof Data ? Omit<Data, Field> & { [K in Field]: KeepNullishFromOriginal<Data[K], Replaced> } : Data : Data;
 type ReplaceAuthUserAndSession<Data, ClientOpts extends BetterAuthClientOptions> = ReplaceTopLevelField<ReplaceTopLevelField<Data, "user", InferUserFromClient<ClientOpts>>, "session", InferSessionFromClient<ClientOpts>>;
@@ -51,7 +82,10 @@ type InferRoute<API, COpts extends BetterAuthClientOptions> = API extends Record
   scope: "http";
 } | {
   scope: "server";
-} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
+} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : T["path"] extends `/sign-in/social` ? Omit<InferCtx<C, FetchOptions>, "provider"> & {
+  provider: SocialProviderList[number] | InferGenericOAuthProviderIds<COpts> | (string & {});
+  fetchOptions?: FetchOptions | undefined;
+} : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
   CUSTOM_SESSION: boolean;
 } ? MergeCustomSessionWithInferred<NonNullable<Awaited<R>>, COpts> : T["path"] extends "/get-session" ? {
   user: InferUserFromClient<COpts>;

package/dist/client/plugins/index.d.mts

@@ -14,7 +14,7 @@ import { OktaOptions, okta } from "../../plugins/generic-oauth/providers/okta.mj
 import { PatreonOptions, patreon } from "../../plugins/generic-oauth/providers/patreon.mjs";
 import { SlackOptions, slack } from "../../plugins/generic-oauth/providers/slack.mjs";
 import { BaseOAuthProviderOptions } from "../../plugins/generic-oauth/index.mjs";
-import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "../../plugins/jwt/types.mjs";
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions, ResolvedSigningKey } from "../../plugins/jwt/types.mjs";
 import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "../../plugins/oidc-provider/types.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-codes.mjs";
 import { MultiSessionConfig } from "../../plugins/multi-session/index.mjs";
@@ -37,6 +37,7 @@ import { customSessionClient } from "../../plugins/custom-session/client.mjs";
 import { deviceAuthorizationClient } from "../../plugins/device-authorization/client.mjs";
 import { EMAIL_OTP_ERROR_CODES } from "../../plugins/email-otp/error-codes.mjs";
 import { emailOTPClient } from "../../plugins/email-otp/client.mjs";
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "../../plugins/generic-oauth/error-codes.mjs";
 import { genericOAuthClient } from "../../plugins/generic-oauth/client.mjs";
 import { jwtClient } from "../../plugins/jwt/client.mjs";
@@ -52,4 +53,4 @@ import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAUTH_CALLBACK_ERROR_CODES, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, ResolvedSigningKey, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/plugins/index.mjs

@@ -1,3 +1,4 @@
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { inferAdditionalFields } from "../../plugins/additional-fields/client.mjs";
 import { ADMIN_ERROR_CODES } from "../../plugins/admin/error-codes.mjs";
 import { adminClient } from "../../plugins/admin/client.mjs";
@@ -27,4 +28,4 @@ import { twoFactorClient } from "../../plugins/two-factor/client.mjs";
 import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, OAUTH_CALLBACK_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };

package/dist/oauth2/error-codes.d.mts

@@ -0,0 +1,20 @@
+//#region src/oauth2/error-codes.d.ts
+/**
+ * Error codes used in OAuth callback redirects (`?error=<code>`).
+ * These are URL-safe strings, not API error objects.
+ */
+declare const OAUTH_CALLBACK_ERROR_CODES: {
+  readonly NO_CODE: "no_code";
+  readonly PROVIDER_NOT_FOUND: "oauth_provider_not_found";
+  readonly ISSUER_MISSING: "issuer_missing";
+  readonly ISSUER_MISMATCH: "issuer_mismatch";
+  readonly INVALID_CODE: "invalid_code";
+  readonly UNABLE_TO_GET_USER_INFO: "unable_to_get_user_info";
+  readonly NO_CALLBACK_URL: "no_callback_url";
+  readonly UNABLE_TO_LINK_ACCOUNT: "unable_to_link_account";
+  readonly EMAIL_DOES_NOT_MATCH: "email_does_not_match";
+  readonly ACCOUNT_ALREADY_LINKED_TO_DIFFERENT_USER: "account_already_linked_to_different_user";
+  readonly EMAIL_NOT_FOUND: "email_not_found";
+};
+//#endregion
+export { OAUTH_CALLBACK_ERROR_CODES };

package/dist/oauth2/error-codes.mjs

@@ -0,0 +1,20 @@
+//#region src/oauth2/error-codes.ts
+/**
+* Error codes used in OAuth callback redirects (`?error=<code>`).
+* These are URL-safe strings, not API error objects.
+*/
+const OAUTH_CALLBACK_ERROR_CODES = {
+	NO_CODE: "no_code",
+	PROVIDER_NOT_FOUND: "oauth_provider_not_found",
+	ISSUER_MISSING: "issuer_missing",
+	ISSUER_MISMATCH: "issuer_mismatch",
+	INVALID_CODE: "invalid_code",
+	UNABLE_TO_GET_USER_INFO: "unable_to_get_user_info",
+	NO_CALLBACK_URL: "no_callback_url",
+	UNABLE_TO_LINK_ACCOUNT: "unable_to_link_account",
+	EMAIL_DOES_NOT_MATCH: "email_does_not_match",
+	ACCOUNT_ALREADY_LINKED_TO_DIFFERENT_USER: "account_already_linked_to_different_user",
+	EMAIL_NOT_FOUND: "email_not_found"
+};
+//#endregion
+export { OAUTH_CALLBACK_ERROR_CODES };

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.3";
+var version = "1.7.0-beta.1";
 //#endregion
 export { version };

package/dist/plugins/admin/admin.mjs

@@ -42,7 +42,7 @@ const admin = (options) => {
 							});
 							return;
 						}
-						if (ctx && (ctx.path.startsWith("/callback") || ctx.path.startsWith("/oauth2/callback"))) {
+						if (ctx.path.startsWith("/callback")) {
 							const redirectURI = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 							throw ctx.redirect(`${redirectURI}?error=banned&error_description=${opts.bannedUserMessage}`);
 						}

package/dist/plugins/anonymous/index.mjs

@@ -113,7 +113,7 @@ const anonymous = (options) => {
 		},
 		hooks: { after: [{
 			matcher(ctx) {
-				return ctx.path?.startsWith("/sign-in") || ctx.path?.startsWith("/sign-up") || ctx.path?.startsWith("/callback") || ctx.path?.startsWith("/oauth2/callback") || ctx.path?.startsWith("/magic-link/verify") || ctx.path?.startsWith("/email-otp/verify-email") || ctx.path?.startsWith("/one-tap/callback") || ctx.path?.startsWith("/passkey/verify-authentication") || ctx.path?.startsWith("/phone-number/verify") || false;
+				return ctx.path?.startsWith("/sign-in") || ctx.path?.startsWith("/sign-up") || ctx.path?.startsWith("/callback") || ctx.path?.startsWith("/magic-link/verify") || ctx.path?.startsWith("/email-otp/verify-email") || ctx.path?.startsWith("/one-tap/callback") || ctx.path?.startsWith("/passkey/verify-authentication") || ctx.path?.startsWith("/phone-number/verify") || false;
 			},
 			handler: createAuthMiddleware(async (ctx) => {
 				const setCookie = ctx.context.responseHeaders?.get("set-cookie");

package/dist/plugins/generic-oauth/client.d.mts

@@ -9,10 +9,16 @@ import { OktaOptions, okta } from "./providers/okta.mjs";
 import { PatreonOptions, patreon } from "./providers/patreon.mjs";
 import { SlackOptions, slack } from "./providers/slack.mjs";
 import { BaseOAuthProviderOptions, genericOAuth } from "./index.mjs";
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "./error-codes.mjs";
 import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
 
 //#region src/plugins/generic-oauth/client.d.ts
+/**
+ * @deprecated No longer needed. Generic OAuth providers now use the standard
+ * `signIn.social` flow and require no client plugin. Remove this from your
+ * client plugin list.
+ */
 declare const genericOAuthClient: () => {
   id: "generic-oauth-client";
   version: string;
@@ -20,12 +26,6 @@ declare const genericOAuthClient: () => {
   $ERROR_CODES: {
     INVALID_OAUTH_CONFIGURATION: _better_auth_core_utils_error_codes0.RawError<"INVALID_OAUTH_CONFIGURATION">;
     TOKEN_URL_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"TOKEN_URL_NOT_FOUND">;
-    PROVIDER_CONFIG_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"PROVIDER_CONFIG_NOT_FOUND">;
-    PROVIDER_ID_REQUIRED: _better_auth_core_utils_error_codes0.RawError<"PROVIDER_ID_REQUIRED">;
-    INVALID_OAUTH_CONFIG: _better_auth_core_utils_error_codes0.RawError<"INVALID_OAUTH_CONFIG">;
-    SESSION_REQUIRED: _better_auth_core_utils_error_codes0.RawError<"SESSION_REQUIRED">;
-    ISSUER_MISMATCH: _better_auth_core_utils_error_codes0.RawError<"ISSUER_MISMATCH">;
-    ISSUER_MISSING: _better_auth_core_utils_error_codes0.RawError<"ISSUER_MISSING">;
   };
 };
 //#endregion

package/dist/plugins/generic-oauth/client.mjs

@@ -1,6 +1,12 @@
+import "../../oauth2/error-codes.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "./error-codes.mjs";
 //#region src/plugins/generic-oauth/client.ts
+/**
+* @deprecated No longer needed. Generic OAuth providers now use the standard
+* `signIn.social` flow and require no client plugin. Remove this from your
+* client plugin list.
+*/
 const genericOAuthClient = () => {
 	return {
 		id: "generic-oauth-client",

package/dist/plugins/generic-oauth/error-codes.d.mts

@@ -1,15 +1,10 @@
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
 
 //#region src/plugins/generic-oauth/error-codes.d.ts
 declare const GENERIC_OAUTH_ERROR_CODES: {
   INVALID_OAUTH_CONFIGURATION: _better_auth_core_utils_error_codes0.RawError<"INVALID_OAUTH_CONFIGURATION">;
   TOKEN_URL_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"TOKEN_URL_NOT_FOUND">;
-  PROVIDER_CONFIG_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"PROVIDER_CONFIG_NOT_FOUND">;
-  PROVIDER_ID_REQUIRED: _better_auth_core_utils_error_codes0.RawError<"PROVIDER_ID_REQUIRED">;
-  INVALID_OAUTH_CONFIG: _better_auth_core_utils_error_codes0.RawError<"INVALID_OAUTH_CONFIG">;
-  SESSION_REQUIRED: _better_auth_core_utils_error_codes0.RawError<"SESSION_REQUIRED">;
-  ISSUER_MISMATCH: _better_auth_core_utils_error_codes0.RawError<"ISSUER_MISMATCH">;
-  ISSUER_MISSING: _better_auth_core_utils_error_codes0.RawError<"ISSUER_MISSING">;
 };
 //#endregion
 export { GENERIC_OAUTH_ERROR_CODES };

package/dist/plugins/generic-oauth/error-codes.mjs

@@ -1,14 +1,9 @@
+import "../../oauth2/error-codes.mjs";
 import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
 //#region src/plugins/generic-oauth/error-codes.ts
 const GENERIC_OAUTH_ERROR_CODES = defineErrorCodes({
 	INVALID_OAUTH_CONFIGURATION: "Invalid OAuth configuration",
-	TOKEN_URL_NOT_FOUND: "Invalid OAuth configuration. Token URL not found.",
-	PROVIDER_CONFIG_NOT_FOUND: "No config found for provider",
-	PROVIDER_ID_REQUIRED: "Provider ID is required",
-	INVALID_OAUTH_CONFIG: "Invalid OAuth configuration.",
-	SESSION_REQUIRED: "Session is required",
-	ISSUER_MISMATCH: "OAuth issuer mismatch. The authorization server issuer does not match the expected value (RFC 9207).",
-	ISSUER_MISSING: "OAuth issuer parameter missing. The authorization server did not include the required iss parameter (RFC 9207)."
+	TOKEN_URL_NOT_FOUND: "Invalid OAuth configuration. Token URL not found."
 });
 //#endregion
 export { GENERIC_OAUTH_ERROR_CODES };

package/dist/plugins/generic-oauth/index.d.mts

@@ -12,9 +12,6 @@ import { AuthContext } from "@better-auth/core";
 import * as _better_auth_core_oauth20 from "@better-auth/core/oauth2";
 import { OAuthProvider } from "@better-auth/core/oauth2";
 import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
-import * as better_call0 from "better-call";
-import * as zod from "zod";
-import * as zod_v4_core0 from "zod/v4/core";
 
 //#region src/plugins/generic-oauth/index.d.ts
 declare module "@better-auth/core" {
@@ -32,168 +29,24 @@ type BaseOAuthProviderOptions = Omit<Pick<GenericOAuthConfig, "clientId" | "clie
   /** OAuth client secret (required for provider options) */clientSecret: string;
 };
 /**
- * A generic OAuth plugin that can be used to add OAuth support to any provider
+ * A generic OAuth plugin that registers any OAuth/OIDC provider
+ * as a first-class social provider.
+ *
+ * Providers are used through the standard `signIn.social` and
+ * `callback/:id` core endpoints — no plugin-specific endpoints needed.
  */
-declare const genericOAuth: (options: GenericOAuthOptions) => {
+declare const genericOAuth: <const ID extends string>(options: GenericOAuthOptions<ID>) => {
   id: "generic-oauth";
   version: string;
-  init: (ctx: AuthContext) => {
+  init: (ctx: AuthContext) => Promise<{
     context: {
       socialProviders: OAuthProvider<Record<string, any>, Partial<_better_auth_core_oauth20.ProviderOptions<any>>>[];
     };
-  };
-  endpoints: {
-    signInWithOAuth2: better_call0.StrictEndpoint<"/sign-in/oauth2", {
-      method: "POST";
-      body: zod.ZodObject<{
-        providerId: zod.ZodString;
-        callbackURL: zod.ZodOptional<zod.ZodString>;
-        errorCallbackURL: zod.ZodOptional<zod.ZodString>;
-        newUserCallbackURL: zod.ZodOptional<zod.ZodString>;
-        disableRedirect: zod.ZodOptional<zod.ZodBoolean>;
-        scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
-        requestSignUp: zod.ZodOptional<zod.ZodBoolean>;
-        additionalData: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
-      }, zod_v4_core0.$strip>;
-      metadata: {
-        openapi: {
-          description: string;
-          responses: {
-            200: {
-              description: string;
-              content: {
-                "application/json": {
-                  schema: {
-                    type: "object";
-                    properties: {
-                      url: {
-                        type: string;
-                      };
-                      redirect: {
-                        type: string;
-                      };
-                    };
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-    }, {
-      url: string;
-      redirect: boolean;
-    }>;
-    oAuth2Callback: better_call0.StrictEndpoint<"/oauth2/callback/:providerId", {
-      method: "GET";
-      query: zod.ZodObject<{
-        code: zod.ZodOptional<zod.ZodString>;
-        error: zod.ZodOptional<zod.ZodString>;
-        error_description: zod.ZodOptional<zod.ZodString>;
-        state: zod.ZodOptional<zod.ZodString>;
-        iss: zod.ZodOptional<zod.ZodString>;
-      }, zod_v4_core0.$strip>;
-      metadata: {
-        allowedMediaTypes: string[];
-        openapi: {
-          description: string;
-          responses: {
-            200: {
-              description: string;
-              content: {
-                "application/json": {
-                  schema: {
-                    type: "object";
-                    properties: {
-                      url: {
-                        type: string;
-                      };
-                    };
-                  };
-                };
-              };
-            };
-          };
-        };
-        scope: "server";
-      };
-    }, void>;
-    oAuth2LinkAccount: better_call0.StrictEndpoint<"/oauth2/link", {
-      method: "POST";
-      body: zod.ZodObject<{
-        providerId: zod.ZodString;
-        callbackURL: zod.ZodString;
-        scopes: zod.ZodOptional<zod.ZodArray<zod.ZodString>>;
-        errorCallbackURL: zod.ZodOptional<zod.ZodString>;
-      }, zod_v4_core0.$strip>;
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
-      metadata: {
-        openapi: {
-          description: string;
-          responses: {
-            "200": {
-              description: string;
-              content: {
-                "application/json": {
-                  schema: {
-                    type: "object";
-                    properties: {
-                      url: {
-                        type: string;
-                        format: string;
-                        description: string;
-                      };
-                      redirect: {
-                        type: string;
-                        description: string;
-                        enum: boolean[];
-                      };
-                    };
-                    required: string[];
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-    }, {
-      url: string;
-      redirect: boolean;
-    }>;
-  };
-  options: GenericOAuthOptions;
+  }>;
+  options: GenericOAuthOptions<ID>;
   $ERROR_CODES: {
     INVALID_OAUTH_CONFIGURATION: _better_auth_core_utils_error_codes0.RawError<"INVALID_OAUTH_CONFIGURATION">;
     TOKEN_URL_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"TOKEN_URL_NOT_FOUND">;
-    PROVIDER_CONFIG_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"PROVIDER_CONFIG_NOT_FOUND">;
-    PROVIDER_ID_REQUIRED: _better_auth_core_utils_error_codes0.RawError<"PROVIDER_ID_REQUIRED">;
-    INVALID_OAUTH_CONFIG: _better_auth_core_utils_error_codes0.RawError<"INVALID_OAUTH_CONFIG">;
-    SESSION_REQUIRED: _better_auth_core_utils_error_codes0.RawError<"SESSION_REQUIRED">;
-    ISSUER_MISMATCH: _better_auth_core_utils_error_codes0.RawError<"ISSUER_MISMATCH">;
-    ISSUER_MISSING: _better_auth_core_utils_error_codes0.RawError<"ISSUER_MISSING">;
   };
 };
 //#endregion