better-auth 1.7.0-beta.0 → 1.7.0-beta.1

package/dist/api/index.d.mts

@@ -216,6 +216,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       query: zod.ZodOptional<zod.ZodObject<{
         code: zod.ZodOptional<zod.ZodString>;
@@ -224,6 +225,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       metadata: {
         allowedMediaTypes: string[];
@@ -2205,6 +2207,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       query: zod.ZodOptional<zod.ZodObject<{
         code: zod.ZodOptional<zod.ZodString>;
@@ -2213,6 +2216,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         error_description: zod.ZodOptional<zod.ZodString>;
         state: zod.ZodOptional<zod.ZodString>;
         user: zod.ZodOptional<zod.ZodString>;
+        iss: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
       metadata: {
         allowedMediaTypes: string[];

package/dist/api/routes/account.mjs

@@ -1,6 +1,6 @@
 import { parseAccountOutput } from "../../db/schema.mjs";
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { generateState } from "../../oauth2/state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";

package/dist/api/routes/callback.d.mts

@@ -12,6 +12,7 @@ declare const callbackOAuth: better_call0.StrictEndpoint<"/callback/:id", {
     error_description: z.ZodOptional<z.ZodString>;
     state: z.ZodOptional<z.ZodString>;
     user: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
   query: z.ZodOptional<z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -20,6 +21,7 @@ declare const callbackOAuth: better_call0.StrictEndpoint<"/callback/:id", {
     error_description: z.ZodOptional<z.ZodString>;
     state: z.ZodOptional<z.ZodString>;
     user: z.ZodOptional<z.ZodString>;
+    iss: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
   metadata: {
     allowedMediaTypes: string[];

package/dist/api/routes/callback.mjs

@@ -1,7 +1,8 @@
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
@@ -14,7 +15,8 @@ const schema = z.object({
 	device_id: z.string().optional(),
 	error_description: z.string().optional(),
 	state: z.string().optional(),
-	user: z.string().optional()
+	user: z.string().optional(),
+	iss: z.string().optional()
 });
 const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	method: ["GET", "POST"],
@@ -48,7 +50,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		c.context.logger.error("INVALID_CALLBACK_REQUEST", e);
 		throw c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);
 	}
-	const { code, error, state, error_description, device_id, user: userData } = queryOrBody;
+	const { code, error, state, error_description, device_id, user: userData, iss } = queryOrBody;
 	if (!state) {
 		c.context.logger.error("State not found", error);
 		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}state=state_not_found`;
@@ -65,12 +67,19 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	if (error) redirectOnError(error, error_description);
 	if (!code) {
 		c.context.logger.error("Code not found");
-		throw redirectOnError("no_code");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NO_CODE);
 	}
 	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
 	if (!provider) {
 		c.context.logger.error("Oauth provider with id", c.params.id, "not found");
-		throw redirectOnError("oauth_provider_not_found");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.PROVIDER_NOT_FOUND);
+	}
+	if (iss && provider.issuer && iss !== provider.issuer) {
+		c.context.logger.error("OAuth issuer mismatch", {
+			expected: provider.issuer,
+			received: iss
+		});
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.ISSUER_MISMATCH);
 	}
 	let tokens;
 	try {
@@ -82,9 +91,9 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		});
 	} catch (e) {
 		c.context.logger.error("", e);
-		throw redirectOnError("invalid_code");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.INVALID_CODE);
 	}
-	if (!tokens) throw redirectOnError("invalid_code");
+	if (!tokens) throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.INVALID_CODE);
 	const parsedUserData = userData ? safeJSONParse(userData) : null;
 	const userInfo = await provider.getUserInfo({
 		...tokens,
@@ -92,21 +101,21 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}).then((res) => res?.user);
 	if (!userInfo) {
 		c.context.logger.error("Unable to get user info");
-		return redirectOnError("unable_to_get_user_info");
+		return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_GET_USER_INFO);
 	}
 	if (!callbackURL) {
 		c.context.logger.error("No callback URL found");
-		throw redirectOnError("no_callback_url");
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NO_CALLBACK_URL);
 	}
 	if (link) {
 		if (!c.context.trustedProviders.includes(provider.id) && !userInfo.emailVerified || c.context.options.account?.accountLinking?.enabled === false) {
 			c.context.logger.error("Unable to link account - untrusted provider");
-			return redirectOnError("unable_to_link_account");
+			return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
 		}
-		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
+		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.EMAIL_DOES_NOT_MATCH);
 		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(String(userInfo.id), provider.id);
 		if (existingAccount) {
-			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
+			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.ACCOUNT_ALREADY_LINKED_TO_DIFFERENT_USER);
 			const updateData = Object.fromEntries(Object.entries({
 				accessToken: await setTokenUtil(tokens.accessToken, c.context),
 				refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
@@ -124,7 +133,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			accessToken: await setTokenUtil(tokens.accessToken, c.context),
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
 			scope: tokens.scopes?.join(",")
-		})) return redirectOnError("unable_to_link_account");
+		})) return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.UNABLE_TO_LINK_ACCOUNT);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -135,7 +144,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}
 	if (!userInfo.email) {
 		c.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings.");
-		return redirectOnError("email_not_found");
+		return redirectOnError(OAUTH_CALLBACK_ERROR_CODES.EMAIL_NOT_FOUND);
 	}
 	const accountData = {
 		providerId: provider.id,

package/dist/api/routes/email-verification.mjs

@@ -1,6 +1,6 @@
 import { originCheck } from "../middlewares/origin-check.mjs";
-import { parseUserOutput } from "../../db/schema.mjs";
 import { signJWT } from "../../crypto/jwt.mjs";
+import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getSessionFromCtx } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";

package/dist/api/routes/session.mjs

@@ -1,7 +1,7 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
-import { getDate } from "../../utils/date.mjs";
-import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
 import { symmetricDecodeJWT, verifyJWT } from "../../crypto/jwt.mjs";
+import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
+import { getDate } from "../../utils/date.mjs";
 import { getChunkedCookie, getSessionQuerySchema } from "../../cookies/session-store.mjs";
 import { deleteSessionCookie, expireCookie, setCookieCache, setSessionCookie } from "../../cookies/index.mjs";
 import { getShouldSkipSessionRefresh } from "../state/should-session-refresh.mjs";

package/dist/api/routes/sign-in.mjs

@@ -1,7 +1,7 @@
 import { formCsrfMiddleware } from "../middlewares/origin-check.mjs";
 import { parseUserOutput } from "../../db/schema.mjs";
-import { getAwaitableValue } from "../../context/helpers.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
 import { generateState } from "../../oauth2/state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";

package/dist/api/to-auth-endpoints.mjs

@@ -1,7 +1,9 @@
 import { isAPIError } from "../utils/is-api-error.mjs";
+import { isDynamicBaseURLConfig, isRequestLike } from "../utils/url.mjs";
+import { pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
 import { hasRequestState, runWithEndpointContext, runWithRequestState } from "@better-auth/core/context";
 import { shouldPublishLog } from "@better-auth/core/env";
-import { APIError } from "@better-auth/core/error";
+import { APIError, BetterAuthError } from "@better-auth/core/error";
 import { createDefu } from "defu";
 import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan } from "@better-auth/core/instrumentation";
 import { kAPIErrorHeaderSymbol, toResponse } from "better-call";
@@ -18,6 +20,27 @@ function getOperationId(endpoint, key) {
 	const opts = endpoint.options;
 	return opts.operationId ?? opts.metadata?.openapi?.operationId ?? key;
 }
+/**
+* Resolves the per-call `AuthContext` for endpoints with a dynamic `baseURL`.
+*
+* - `rawCtx.baseURL` already set: HTTP handler rehydrated upstream; return as-is.
+* - Direct `auth.api` call with a source or a configured `fallback`: resolve here.
+* - Neither: throw `APIError` with a helpful message. Leaving `baseURL = ""`
+*   would let plugins build `new URL("")` and crash cryptically downstream.
+*/
+async function resolveDynamicContext(rawCtx, input) {
+	if (rawCtx.baseURL) return rawCtx;
+	const source = pickSource(input);
+	const config = rawCtx.options.baseURL;
+	const hasFallback = isDynamicBaseURLConfig(config) && Boolean(config.fallback);
+	if (source === void 0 && !hasFallback) throw new APIError("INTERNAL_SERVER_ERROR", { message: "Dynamic baseURL could not be resolved for this direct auth.api call. Pass `headers: request.headers` (or `request`) to the call, or add `fallback` to your baseURL config." });
+	try {
+		return await resolveRequestContext(rawCtx, source, resolveDynamicTrustedProxyHeaders(rawCtx.options));
+	} catch (err) {
+		if (err instanceof BetterAuthError) throw new APIError("INTERNAL_SERVER_ERROR", { message: err.message });
+		throw err;
+	}
+}
 function toAuthEndpoints(endpoints, ctx) {
 	const api = {};
 	for (const [key, endpoint] of Object.entries(endpoints)) {
@@ -26,9 +49,10 @@ function toAuthEndpoints(endpoints, ctx) {
 			const endpointMethod = endpoint?.options?.method;
 			const defaultMethod = Array.isArray(endpointMethod) ? endpointMethod[0] : endpointMethod;
 			const run = async () => {
-				const authContext = await ctx;
+				const rawContext = await ctx;
 				const methodName = context?.method ?? context?.request?.method ?? defaultMethod ?? "?";
 				const route = endpoint.path ?? "/:virtual";
+				const authContext = isDynamicBaseURLConfig(rawContext.options.baseURL) ? await resolveDynamicContext(rawContext, context) : rawContext;
 				let internalContext = {
 					...context,
 					context: {
@@ -40,7 +64,7 @@ function toAuthEndpoints(endpoints, ctx) {
 					path: endpoint.path,
 					headers: context?.headers ? new Headers(context?.headers) : void 0
 				};
-				const hasRequest = context?.request instanceof Request;
+				const hasRequest = isRequestLike(context?.request);
 				const shouldReturnResponse = context?.asResponse ?? hasRequest;
 				return withSpan(`${methodName} ${route}`, {
 					[ATTR_HTTP_ROUTE]: route,

package/dist/auth/base.mjs

@@ -1,6 +1,5 @@
-import { getBaseURL, getOrigin, isDynamicBaseURLConfig, resolveBaseURL } from "../utils/url.mjs";
-import { getTrustedOrigins, getTrustedProviders } from "../context/helpers.mjs";
-import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { getBaseURL, getOrigin, isDynamicBaseURLConfig } from "../utils/url.mjs";
+import { getTrustedOrigins, getTrustedProviders, resolveDynamicTrustedProxyHeaders, resolveRequestContext } from "../context/helpers.mjs";
 import { getEndpoints, router } from "../api/index.mjs";
 import { runWithAdapter } from "@better-auth/core/context";
 import { BASE_ERROR_CODES, BetterAuthError } from "@better-auth/core/error";
@@ -13,26 +12,8 @@ const createBetterAuth = (options, initFn) => {
 			const ctx = await authContext;
 			const basePath = ctx.options.basePath || "/api/auth";
 			let handlerCtx;
-			if (isDynamicBaseURLConfig(options.baseURL)) {
-				handlerCtx = Object.create(Object.getPrototypeOf(ctx), Object.getOwnPropertyDescriptors(ctx));
-				const baseURL = resolveBaseURL(options.baseURL, basePath, request);
-				if (baseURL) {
-					handlerCtx.baseURL = baseURL;
-					handlerCtx.options = {
-						...ctx.options,
-						baseURL: getOrigin(baseURL) || void 0
-					};
-				} else throw new BetterAuthError("Could not resolve base URL from request. Check your allowedHosts config.");
-				const trustedOriginOptions = {
-					...handlerCtx.options,
-					baseURL: options.baseURL
-				};
-				handlerCtx.trustedOrigins = await getTrustedOrigins(trustedOriginOptions, request);
-				if (options.advanced?.crossSubDomainCookies?.enabled) {
-					handlerCtx.authCookies = getCookies(handlerCtx.options);
-					handlerCtx.createAuthCookie = createCookieGetter(handlerCtx.options);
-				}
-			} else {
+			if (isDynamicBaseURLConfig(options.baseURL)) handlerCtx = await resolveRequestContext(ctx, request, resolveDynamicTrustedProxyHeaders(ctx.options));
+			else {
 				handlerCtx = ctx;
 				if (!ctx.options.baseURL) {
 					const baseURL = getBaseURL(void 0, basePath, request, void 0, ctx.options.advanced?.trustedProxyHeaders);
@@ -42,8 +23,8 @@ const createBetterAuth = (options, initFn) => {
 					} else throw new BetterAuthError("Could not get base URL from request. Please provide a valid base URL.");
 				}
 				handlerCtx.trustedOrigins = await getTrustedOrigins(ctx.options, request);
+				handlerCtx.trustedProviders = await getTrustedProviders(ctx.options, request);
 			}
-			handlerCtx.trustedProviders = await getTrustedProviders(handlerCtx.options, request);
 			const { handler } = router(handlerCtx, options);
 			return runWithAdapter(handlerCtx.adapter, () => handler(request));
 		},

package/dist/client/path-to-object.d.mts

@@ -1,10 +1,41 @@
 import { HasRequiredKeys, IsAny, Prettify as Prettify$1, UnionToIntersection } from "../types/helper.mjs";
 import { InferAdditionalFromClient, InferSessionFromClient, InferUserFromClient } from "./types.mjs";
 import { BetterAuthClientOptions, ClientFetchOption } from "@better-auth/core";
+import { SocialProviderList } from "@better-auth/core/social-providers";
 import { Endpoint, InputContext, StandardSchemaV1 } from "better-call";
 import { BetterFetchResponse } from "@better-fetch/fetch";
 
 //#region src/client/path-to-object.d.ts
+/**
+ * Extract generic OAuth provider IDs from the client options.
+ * Supports both `$InferAuth` (server type bridge) and client plugins
+ * with `$InferServerPlugin`.
+ */
+type InferGenericOAuthProviderIds<O extends BetterAuthClientOptions> = (O extends {
+  $InferAuth: {
+    options: {
+      plugins: Array<infer P>;
+    };
+  };
+} ? P extends {
+  id: "generic-oauth";
+  options: {
+    config: Array<{
+      providerId: infer ID;
+    }>;
+  };
+} ? ID & string : never : never) | (O extends {
+  plugins: Array<infer P>;
+} ? P extends {
+  $InferServerPlugin: {
+    id: "generic-oauth";
+    options: {
+      config: Array<{
+        providerId: infer ID;
+      }>;
+    };
+  };
+} ? ID & string : never : never);
 type KeepNullishFromOriginal<Original, Replaced> = Replaced | (undefined extends Original ? undefined : never) | (null extends Original ? null : never);
 type ReplaceTopLevelField<Data, Field extends "user" | "session", Replaced> = Data extends object ? Field extends keyof Data ? Omit<Data, Field> & { [K in Field]: KeepNullishFromOriginal<Data[K], Replaced> } : Data : Data;
 type ReplaceAuthUserAndSession<Data, ClientOpts extends BetterAuthClientOptions> = ReplaceTopLevelField<ReplaceTopLevelField<Data, "user", InferUserFromClient<ClientOpts>>, "session", InferSessionFromClient<ClientOpts>>;
@@ -51,7 +82,10 @@ type InferRoute<API, COpts extends BetterAuthClientOptions> = API extends Record
   scope: "http";
 } | {
   scope: "server";
-} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
+} ? {} : PathToObject<T["path"], T extends ((ctx: infer C) => infer R) ? C extends InputContext<any, any> ? <FetchOptions extends ClientFetchOption<Partial<C["body"]> & Record<string, any>, Partial<C["query"]> & Record<string, any>, C["params"]>>(...data: HasRequiredKeys<InferCtx<C, FetchOptions>> extends true ? [Prettify$1<T["path"] extends `/sign-up/email` ? InferSignUpEmailCtx<COpts, FetchOptions> : T["path"] extends `/sign-in/social` ? Omit<InferCtx<C, FetchOptions>, "provider"> & {
+  provider: SocialProviderList[number] | InferGenericOAuthProviderIds<COpts> | (string & {});
+  fetchOptions?: FetchOptions | undefined;
+} : InferCtx<C, FetchOptions>>, FetchOptions?] : [Prettify$1<T["path"] extends `/update-user` ? InferUserUpdateCtx<COpts, FetchOptions> : InferCtx<C, FetchOptions>>?, FetchOptions?]) => Promise<BetterFetchResponse<T["options"]["metadata"] extends {
   CUSTOM_SESSION: boolean;
 } ? MergeCustomSessionWithInferred<NonNullable<Awaited<R>>, COpts> : T["path"] extends "/get-session" ? {
   user: InferUserFromClient<COpts>;

package/dist/client/plugins/index.d.mts

@@ -14,13 +14,13 @@ import { OktaOptions, okta } from "../../plugins/generic-oauth/providers/okta.mj
 import { PatreonOptions, patreon } from "../../plugins/generic-oauth/providers/patreon.mjs";
 import { SlackOptions, slack } from "../../plugins/generic-oauth/providers/slack.mjs";
 import { BaseOAuthProviderOptions } from "../../plugins/generic-oauth/index.mjs";
-import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "../../plugins/jwt/types.mjs";
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions, ResolvedSigningKey } from "../../plugins/jwt/types.mjs";
 import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "../../plugins/oidc-provider/types.mjs";
 import { MULTI_SESSION_ERROR_CODES } from "../../plugins/multi-session/error-codes.mjs";
 import { MultiSessionConfig } from "../../plugins/multi-session/index.mjs";
 import { OneTimeTokenOptions } from "../../plugins/one-time-token/index.mjs";
 import { PhoneNumberOptions, UserWithPhoneNumber } from "../../plugins/phone-number/types.mjs";
-import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "../../plugins/two-factor/backup-codes/index.mjs";
+import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "../../plugins/two-factor/backup-codes/index.mjs";
 import { OTPOptions, otp2fa } from "../../plugins/two-factor/otp/index.mjs";
 import { TOTPOptions, totp2fa } from "../../plugins/two-factor/totp/index.mjs";
 import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "../../plugins/two-factor/types.mjs";
@@ -37,6 +37,7 @@ import { customSessionClient } from "../../plugins/custom-session/client.mjs";
 import { deviceAuthorizationClient } from "../../plugins/device-authorization/client.mjs";
 import { EMAIL_OTP_ERROR_CODES } from "../../plugins/email-otp/error-codes.mjs";
 import { emailOTPClient } from "../../plugins/email-otp/client.mjs";
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "../../plugins/generic-oauth/error-codes.mjs";
 import { genericOAuthClient } from "../../plugins/generic-oauth/client.mjs";
 import { jwtClient } from "../../plugins/jwt/client.mjs";
@@ -52,4 +53,4 @@ import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAUTH_CALLBACK_ERROR_CODES, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, RequiredKeysOf, ResolvedSigningKey, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/plugins/index.mjs

@@ -1,3 +1,4 @@
+import { OAUTH_CALLBACK_ERROR_CODES } from "../../oauth2/error-codes.mjs";
 import { inferAdditionalFields } from "../../plugins/additional-fields/client.mjs";
 import { ADMIN_ERROR_CODES } from "../../plugins/admin/error-codes.mjs";
 import { adminClient } from "../../plugins/admin/client.mjs";
@@ -27,4 +28,4 @@ import { twoFactorClient } from "../../plugins/two-factor/client.mjs";
 import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, EMAIL_OTP_ERROR_CODES, GENERIC_OAUTH_ERROR_CODES, InferServerPlugin, MULTI_SESSION_ERROR_CODES, OAUTH_CALLBACK_ERROR_CODES, ORGANIZATION_ERROR_CODES, PHONE_NUMBER_ERROR_CODES, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, adminClient, anonymousClient, clientSideHasPermission, customSessionClient, deviceAuthorizationClient, emailOTPClient, genericOAuthClient, inferAdditionalFields, inferOrgAdditionalFields, jwtClient, lastLoginMethodClient, magicLinkClient, multiSessionClient, oidcClient, oneTapClient, oneTimeTokenClient, organizationClient, phoneNumberClient, siweClient, twoFactorClient, usernameClient };

package/dist/client/query.mjs

@@ -72,15 +72,15 @@ const useAuthQuery = (initializedAtom, path, $fetch, options) => {
 		});
 	};
 	initializedAtom = Array.isArray(initializedAtom) ? initializedAtom : [initializedAtom];
-	let isMounted = false;
+	let isInitialized = false;
 	for (const initAtom of initializedAtom) initAtom.subscribe(async () => {
 		if (isServer()) return;
-		if (isMounted) await fn();
+		if (isInitialized) await fn();
 		else onMount(value, () => {
 			const timeoutId = setTimeout(async () => {
-				if (!isMounted) {
+				if (!isInitialized) {
+					isInitialized = true;
 					await fn();
-					isMounted = true;
 				}
 			}, 0);
 			return () => {

package/dist/context/create-context.mjs

@@ -1,10 +1,10 @@
 import { getBaseURL, isDynamicBaseURLConfig } from "../utils/url.mjs";
 import { matchesOriginPattern } from "../auth/trusted-origins.mjs";
-import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
-import { getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit } from "./helpers.mjs";
 import { hashPassword, verifyPassword } from "../crypto/password.mjs";
 import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { createInternalAdapter } from "../db/internal-adapter.mjs";
+import { getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit } from "./helpers.mjs";
 import { checkPassword } from "../utils/password.mjs";
 import { checkEndpointConflicts } from "../api/index.mjs";
 import { DEFAULT_SECRET } from "../utils/constants.mjs";

package/dist/context/helpers.mjs

@@ -1,7 +1,9 @@
-import { getBaseURL, isDynamicBaseURLConfig } from "../utils/url.mjs";
-import { createInternalAdapter } from "../db/internal-adapter.mjs";
+import { getBaseURL, getOrigin, isDynamicBaseURLConfig, isRequestLike, resolveBaseURL } from "../utils/url.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
+import { createCookieGetter, getCookies } from "../cookies/index.mjs";
+import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { env } from "@better-auth/core/env";
+import { BetterAuthError } from "@better-auth/core/error";
 import { defu } from "defu";
 //#region src/context/helpers.ts
 async function runPluginInit(context) {
@@ -80,6 +82,62 @@ async function getTrustedOrigins(options, request) {
 	if (envTrustedOrigins) trustedOrigins.push(...envTrustedOrigins.split(","));
 	return trustedOrigins.filter((v) => Boolean(v));
 }
+/**
+* Picks a `Request`-like or `Headers` value from a direct `auth.api` call.
+* Headers are only accepted when they carry a host: without one, host
+* resolution would fall back to `null` and the caller should use `fallback`
+* or pass a `Request` instead.
+*/
+function pickSource(input) {
+	if (isRequestLike(input?.request)) return input.request;
+	if (!input?.headers) return void 0;
+	const headers = input.headers instanceof Headers ? input.headers : new Headers(input.headers);
+	if (!headers.has("host") && !headers.has("x-forwarded-host")) return;
+	return headers;
+}
+/**
+* Returns the effective `trustedProxyHeaders` value for dynamic `baseURL`
+* resolution. When the user hasn't set `advanced.trustedProxyHeaders`,
+* proxy headers (`x-forwarded-host` / `x-forwarded-proto`) are trusted by
+* default so deployments behind a reverse proxy work without extra config.
+*/
+function resolveDynamicTrustedProxyHeaders(options) {
+	return options.advanced?.trustedProxyHeaders ?? true;
+}
+/**
+* Per-request clone with `baseURL`, `trustedOrigins`, `trustedProviders`
+* and cookies rehydrated for the resolved host. Throws `BetterAuthError`
+* when the URL cannot be resolved; callers on the direct-API path convert
+* this to `APIError`.
+*/
+async function resolveRequestContext(ctx, source, trustedProxyHeaders) {
+	const dynamicBaseURLConfig = ctx.options.baseURL;
+	const baseURL = resolveBaseURL(dynamicBaseURLConfig, ctx.options.basePath || "/api/auth", source, void 0, trustedProxyHeaders);
+	if (!baseURL) throw new BetterAuthError("Could not resolve base URL from request. Check your allowedHosts config.");
+	const resolved = Object.create(Object.getPrototypeOf(ctx), Object.getOwnPropertyDescriptors(ctx));
+	resolved.baseURL = baseURL;
+	resolved.options = {
+		...ctx.options,
+		baseURL: getOrigin(baseURL) || void 0
+	};
+	const trustedOriginOptions = {
+		...resolved.options,
+		baseURL: dynamicBaseURLConfig
+	};
+	const needsRequest = typeof ctx.options.trustedOrigins === "function" || typeof ctx.options.account?.accountLinking?.trustedProviders === "function";
+	let callbackRequest;
+	if (needsRequest) if (isRequestLike(source)) callbackRequest = source;
+	else if (source) callbackRequest = new Request(baseURL, { headers: source });
+	else callbackRequest = void 0;
+	else callbackRequest = void 0;
+	resolved.trustedOrigins = await getTrustedOrigins(trustedOriginOptions, callbackRequest);
+	resolved.trustedProviders = await getTrustedProviders(resolved.options, callbackRequest);
+	if (ctx.options.advanced?.crossSubDomainCookies?.enabled) {
+		resolved.authCookies = getCookies(resolved.options);
+		resolved.createAuthCookie = createCookieGetter(resolved.options);
+	}
+	return resolved;
+}
 async function getAwaitableValue(arr, item) {
 	if (!arr) return void 0;
 	for (const val of arr) {
@@ -94,4 +152,4 @@ async function getTrustedProviders(options, request) {
 	return (await trustedProviders(request) ?? []).filter((v) => Boolean(v));
 }
 //#endregion
-export { getAwaitableValue, getInternalPlugins, getTrustedOrigins, getTrustedProviders, runPluginInit };
+export { getAwaitableValue, getInternalPlugins, getTrustedOrigins, getTrustedProviders, pickSource, resolveDynamicTrustedProxyHeaders, resolveRequestContext, runPluginInit };

package/dist/cookies/index.mjs

@@ -1,11 +1,11 @@
 import { isDynamicBaseURLConfig } from "../utils/url.mjs";
-import { getDate } from "../utils/date.mjs";
+import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "../crypto/jwt.mjs";
 import { parseUserOutput } from "../db/schema.mjs";
+import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
-import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "../crypto/jwt.mjs";
-import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { sec } from "../utils/time.mjs";
 import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 import { safeJSONParse } from "@better-auth/core/utils/json";

package/dist/crypto/index.mjs

@@ -1,9 +1,9 @@
-import { constantTimeEqual } from "./buffer.mjs";
 import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "./jwt.mjs";
+import { constantTimeEqual } from "./buffer.mjs";
 import { hashPassword, verifyPassword } from "./password.mjs";
 import { generateRandomString } from "./random.mjs";
-import { createHash } from "@better-auth/utils/hash";
 import { getWebcryptoSubtle } from "@better-auth/utils";
+import { createHash } from "@better-auth/utils/hash";
 import { xchacha20poly1305 } from "@noble/ciphers/chacha.js";
 import { bytesToHex, hexToBytes, managedNonce, utf8ToBytes } from "@noble/ciphers/utils.js";
 //#region src/crypto/index.ts

package/dist/db/index.mjs

@@ -1,7 +1,7 @@
 import { __exportAll, __reExport } from "../_virtual/_rolldown/runtime.mjs";
 import { getSchema } from "./get-schema.mjs";
-import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
 import { toZodSchema } from "./to-zod.mjs";

package/dist/db/internal-adapter.mjs

@@ -1,6 +1,6 @@
 import { getIp } from "../utils/get-request-ip.mjs";
-import { getDate } from "../utils/date.mjs";
 import { getSessionDefaultFields, parseSessionOutput, parseUserOutput } from "./schema.mjs";
+import { getDate } from "../utils/date.mjs";
 import { getStorageOption, processIdentifier } from "./verification-token-storage.mjs";
 import { getWithHooks } from "./with-hooks.mjs";
 import { getCurrentAdapter, getCurrentAuthContext, runWithTransaction } from "@better-auth/core/context";

package/dist/index.d.mts

@@ -10,7 +10,7 @@ import { betterAuth } from "./auth/full.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "./state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
 import { APIError } from "./api/index.mjs";
 import { StandardSchemaV1 } from "@better-auth/core";
 import { getCurrentAdapter } from "@better-auth/core/context";
@@ -27,4 +27,4 @@ export * from "@better-auth/core/utils/json";
 export * from "@better-auth/core/social-providers";
 export * from "better-call";
 export * from "zod";
-export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, getTelemetryAuthConfig, isDynamicBaseURLConfig, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
 import { generateGenericState, parseGenericState } from "./state.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
@@ -14,4 +14,4 @@ export * from "@better-auth/core/oauth2";
 export * from "@better-auth/core/utils/error-codes";
 export * from "@better-auth/core/utils/id";
 export * from "@better-auth/core/utils/json";
-export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, getTelemetryAuthConfig, isDynamicBaseURLConfig, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };