Supported Features

Supported

Implemented with local Ruby tests for the documented server behavior.

Core auth object is a Rack app and can be mounted directly in Rack-compatible servers.

Mount helpers, ActiveRecord adapter, controller helpers, migrations, generators, plugin schema coverage, and cookie/CSRF compatibility are implemented and tested.

Sinatra extension, Rack mounting, request helpers, and SQL migration Rake tasks are implemented.

Hanami 2.3+ integration includes route mounting, action helpers, Sequel adapter, ROM::SQL migrations, relations, repos, and generators.

BetterAuth.auth, Rack calls, direct server API access, plugin initialization, runtime context, and error-code merging are implemented.

Rack routing, route params, hooks, plugin middleware, redirects, cookies, server-scoped endpoints, origin checks, and rate-limit hooks are implemented.

Sign-up, sign-in, password hashing, verification requirements, reset password, set/change password, password utilities, and user updates are implemented.

Authorization URLs, callbacks, sessions, token storage, account linking, unlinking, refresh, access-token routes, and server-side provider factories are implemented.

Signed cookies, cache cookies, stateless defaults, chunking, deletion, revocation routes, secondary storage, dynamic domains, and Redis-backed session storage are implemented.

Origin checks, trusted origins, dynamic trusted origins, baseURL allowed hosts, proxy-aware IP handling, and callback validation are implemented.

Base schema, plugin schema merge, SQL and Rails migration generation, adapter hooks, and Better Auth logical field names are implemented.

OpenAPI 3.1.1 generation, upstream base-route inventory, rich request/response schemas, security schemes, servers, plugin endpoint coverage, Scalar reference HTML, theme, and nonce support are implemented and tested.

Development and test adapter. Not intended for production persistence.

PostgreSQL, MySQL, SQLite, and MSSQL adapters support the core adapter contract, schema DDL, schema-driven joins, logical field mapping, and auth-route persistence.

ActiveRecord persistence, schema-driven associations, migrations, mounting helpers, controller helpers, generators, and auth-route persistence are implemented.

External package with document storage, ObjectId and UUID conversion, joins, transactions, schema field mapping, and auth-route persistence.

External package for sessions, active-session indexes, verification-like state, rate limits, prefixed key isolation, and real Redis round trips.

Roles, statements, permissions, and resource/action checks.

Schema extension and route integration.

User management, sessions, roles, bans, impersonation, destructive endpoints, and permissions.

Anonymous sign-in/delete and link cleanup.

Creation, verification, hashing, expiration, quotas, metadata, permissions, storage modes, and API-key sessions.

Bearer session resolution, signed/unsigned token modes, and cookie fallback.

reCAPTCHA, hCaptcha, Turnstile, CaptchaFox, protected routes, and score checks.

Custom get-session shaping and optional multi-session list mutation.

Device/user codes, polling, slow-down, approval, denial, token exchange, and verification URI behavior.

Send, check, verify, sign-in, password-reset, change-email flows, attempts, storage modes, and rate limits.

Core plugin at packages/better_auth/lib/better_auth/plugins/dub.rb for dub_id lead tracking, optional OAuth linking, injected clients, and non-blocking tracking failures.

Server-side authorization proxy, origin override, and trusted deep-link cookie transfer.

Custom OAuth sign-in, callback, link flows, DB/cookie state, dynamic params, issuer checks, and token/userinfo exchange.

SHA-1 k-anonymity lookup and protected password routes.

EdDSA default, RSA/ECDSA algorithms, JWKS publication, rotation helpers, remote verification, and set-auth-jwt.

Email, SIWE, social, and generic OAuth cookie/user-field updates.

Send/verify, redirects/errors, signup, latest-token verification, and token storage modes.

OAuth metadata, registration, authorization-code PKCE, token refresh, userinfo, JWKS, and helper challenge headers.

Device sessions, active switching, replacement, revocation, and sign-out cleanup.

Callback rewriting, encrypted cross-origin cookie forwarding, validation, and stateless state restoration.

Metadata, registration, clients, consent, auth code, client credentials, tokens, introspection, revocation, userinfo, and logout.

Discovery, prompt/max-age, registration, consent, token flows, userinfo, logout, and client-secret storage modes.

Google ID-token callback, account reuse/linking, disabled signup, and session cookies.

Generate/verify, single-use, expiration, cookie behavior, storage modes, and set-ott.

Generator support exists for metadata, route inventory, models, security, rich schemas, path/query parameters, plugin endpoints, and Scalar reference HTML.

Org/member CRUD, invitations, teams, roles, hooks, permissions, and schema migrations.

WebAuthn registration/authentication, challenge cookies, credential management, and schema output.

OTP send/verify, sign-in/sign-up, updates, reset password, attempt limits, and validation hooks.

Token envelopes, Bearer middleware, metadata, user CRUD, provider management, mappings, filters, PATCH, and org enforcement.

Nonce, wallet sign-in, ENS hook, account/session creation, EIP-55 casing, and multi-chain wallets.

OIDC and SAML provider lifecycle, sign-in/callbacks, domain verification, metadata, and SAML validation in better_auth-sso.

Checkout, portal, webhooks, subscription state transitions, seats, trials, org subscriptions, and metadata helpers.

TOTP, OTP, backup codes, trusted devices, disable/recovery, and post-login verification.

Username sign-up/sign-in, availability, normalization, validation, duplicates, and leak-prevention behavior.

The Ruby payment plugin surface is Stripe only.