[{"data":1,"prerenderedAt":716},["ShallowReactive",2],{"navigation_docs":3,"-core-concepts-security-caveats":152,"-core-concepts-security-caveats-surround":711},[4,42,68,110,131],{"title":5,"path":6,"stem":7,"children":8,"icon":11},"Getting Started","/getting-started","1.getting-started/0.index",[9,12,17,22,27,32,37],{"title":10,"path":6,"stem":7,"icon":11},"Introduction","i-lucide-sparkles",{"title":13,"path":14,"stem":15,"icon":16},"Installation","/getting-started/installation","1.getting-started/1.installation","i-lucide-download",{"title":18,"path":19,"stem":20,"icon":21},"Configuration","/getting-started/configuration","1.getting-started/2.configuration","i-lucide-settings",{"title":23,"path":24,"stem":25,"icon":26},"Client Setup","/getting-started/client-setup","1.getting-started/3.client-setup","i-lucide-monitor",{"title":28,"path":29,"stem":30,"icon":31},"Type Augmentation","/getting-started/type-augmentation","1.getting-started/4.type-augmentation","i-lucide-type",{"title":33,"path":34,"stem":35,"icon":36},"Schema Generation (NuxtHub)","/getting-started/schema-generation","1.getting-started/5.schema-generation","i-lucide-database",{"title":38,"path":39,"stem":40,"icon":41},"How It Works","/getting-started/how-it-works","1.getting-started/6.how-it-works","i-lucide-workflow",{"title":43,"path":44,"stem":45,"children":46,"page":67},"Core Concepts","/core-concepts","2.core-concepts",[47,51,55,59,63],{"title":48,"path":49,"stem":50},"serverAuth()","/core-concepts/server-auth","2.core-concepts/1.server-auth",{"title":52,"path":53,"stem":54},"Sessions","/core-concepts/sessions","2.core-concepts/2.sessions",{"title":56,"path":57,"stem":58},"Route Protection","/core-concepts/route-protection","2.core-concepts/3.route-protection",{"title":60,"path":61,"stem":62},"Auto‑Imports and Aliases","/core-concepts/auto-imports-aliases","2.core-concepts/4.auto-imports-aliases",{"title":64,"path":65,"stem":66},"Security & Caveats","/core-concepts/security-caveats","2.core-concepts/5.security-caveats",false,{"title":69,"path":70,"stem":71,"children":72,"page":67},"Guides","/guides","3.guides",[73,77,81,85,89,94,98,102,106],{"title":74,"path":75,"stem":76},"Role‑Based Access","/guides/role-based-access","3.guides/1.role-based-access",{"title":78,"path":79,"stem":80},"OAuth Providers","/guides/oauth-providers","3.guides/2.oauth-providers",{"title":82,"path":83,"stem":84},"Custom Database","/guides/custom-database","3.guides/3.custom-database",{"title":86,"path":87,"stem":88},"Database-less Mode","/guides/database-less-mode","3.guides/4.database-less-mode",{"title":90,"path":91,"stem":92,"icon":93},"External Auth Backend","/guides/external-auth-backend","3.guides/5.external-auth-backend","i-lucide-server",{"title":95,"path":96,"stem":97},"Migrating from nuxt-auth-utils","/guides/migrate-from-nuxt-auth-utils","3.guides/6.migrate-from-nuxt-auth-utils",{"title":99,"path":100,"stem":101},"Two-Factor Authentication (TOTP + Backup Codes)","/guides/two-factor-auth","3.guides/7.two-factor-auth",{"title":103,"path":104,"stem":105},"Testing","/guides/testing","3.guides/8.testing",{"title":107,"path":108,"stem":109},"Production Deployment","/guides/production-deployment","3.guides/9.production-deployment",{"title":111,"path":112,"stem":113,"children":114,"page":67},"Integrations","/integrations","4.integrations",[115,119,123,127],{"title":116,"path":117,"stem":118},"NuxtHub","/integrations/nuxthub","4.integrations/1.nuxthub",{"title":120,"path":121,"stem":122},"DevTools","/integrations/devtools","4.integrations/2.devtools",{"title":124,"path":125,"stem":126},"Convex","/integrations/convex","4.integrations/3.convex",{"title":128,"path":129,"stem":130},"i18n","/integrations/i18n","4.integrations/4.i18n",{"title":132,"path":133,"stem":134,"children":135,"page":67},"API Reference","/api","5.api",[136,140,144,148],{"title":137,"path":138,"stem":139},"Composables","/api/composables","5.api/1.composables",{"title":141,"path":142,"stem":143},"Server Utilities","/api/server-utils","5.api/2.server-utils",{"title":145,"path":146,"stem":147},"Components","/api/components","5.api/3.components",{"title":149,"path":150,"stem":151},"Types","/api/types","5.api/4.types",{"id":153,"title":64,"body":154,"description":705,"extension":706,"links":707,"meta":708,"navigation":228,"path":65,"seo":709,"stem":66,"__hash__":710},"docs/2.core-concepts/5.security-caveats.md",{"type":155,"value":156,"toc":695},"minimark",[157,162,166,170,186,297,304,308,319,324,327,333,490,495,552,563,626,630,641,648,652,655,660,673,676,680,691],[158,159,161],"h2",{"id":160},"client-redirects-are-not-security","Client redirects are not security",[163,164,165],"p",{},"Client-side redirects improve UX but don't prevent unauthorized access. Always validate on the server.",[158,167,169],{"id":168},"csrf-origin-checks","CSRF / origin checks",[163,171,172,173,177,178,181,182,185],{},"Better Auth performs origin checks for cookie-based requests (it validates ",[174,175,176],"code",{},"Origin"," / ",[174,179,180],{},"Referer","). If you use multiple domains (custom domains, preview URLs, etc.), add them to ",[174,183,184],{},"trustedOrigins"," in your auth config.",[187,188,194],"pre",{"className":189,"code":190,"filename":191,"language":192,"meta":193,"style":193},"language-ts shiki shiki-themes one-light synthwave-84 synthwave-84","import { defineServerAuth } from '@onmax/nuxt-better-auth/config'\n\nexport default defineServerAuth({\n  trustedOrigins: [\n    'http://localhost:3000',\n    'https://your-domain.com',\n    'https://your-preview.workers.dev',\n  ],\n})\n","server/auth.config.ts","ts","",[174,195,196,223,230,247,260,269,277,285,291],{"__ignoreMap":193},[197,198,201,205,209,213,216,219],"span",{"class":199,"line":200},"line",1,[197,202,204],{"class":203},"sqe1H","import",[197,206,208],{"class":207},"s17Py"," { ",[197,210,212],{"class":211},"sYvLG","defineServerAuth",[197,214,215],{"class":207}," } ",[197,217,218],{"class":203},"from",[197,220,222],{"class":221},"sPAZv"," '@onmax/nuxt-better-auth/config'\n",[197,224,226],{"class":199,"line":225},2,[197,227,229],{"emptyLinePlaceholder":228},true,"\n",[197,231,233,236,240,244],{"class":199,"line":232},3,[197,234,235],{"class":203},"export",[197,237,239],{"class":238},"sKg8T"," default",[197,241,243],{"class":242},"sfT9l"," defineServerAuth",[197,245,246],{"class":207},"({\n",[197,248,250,253,257],{"class":199,"line":249},4,[197,251,252],{"class":211},"  trustedOrigins",[197,254,256],{"class":255},"sVnqq",":",[197,258,259],{"class":207}," [\n",[197,261,263,266],{"class":199,"line":262},5,[197,264,265],{"class":221},"    'http://localhost:3000'",[197,267,268],{"class":207},",\n",[197,270,272,275],{"class":199,"line":271},6,[197,273,274],{"class":221},"    'https://your-domain.com'",[197,276,268],{"class":207},[197,278,280,283],{"class":199,"line":279},7,[197,281,282],{"class":221},"    'https://your-preview.workers.dev'",[197,284,268],{"class":207},[197,286,288],{"class":199,"line":287},8,[197,289,290],{"class":207},"  ],\n",[197,292,294],{"class":199,"line":293},9,[197,295,296],{"class":207},"})\n",[298,299,300,301,303],"important",{},"If you deploy preview environments, you must include the preview origin in ",[174,302,184],{},". Otherwise, sign-in or sign-up requests can fail origin validation even when the API endpoint is healthy.",[158,305,307],{"id":306},"api-enforcement-behavior","API enforcement behavior",[163,309,310,311,314,315,318],{},"The built-in Nitro middleware only checks ",[174,312,313],{},"routeRules.auth"," for ",[174,316,317],{},"/api/**",".",[320,321,323],"h3",{"id":322},"customizing-unauthorized-behavior","Customizing Unauthorized Behavior",[163,325,326],{},"By default, unauthorized requests to protected routes receive a 401 response. To customize:",[163,328,329],{},[330,331,332],"strong",{},"Redirect to login instead of 401:",[187,334,337],{"className":189,"code":335,"filename":336,"language":192,"meta":193,"style":193},"import { sendRedirect } from 'h3'\n\nexport default defineEventHandler(async (event) => {\n  const session = await getUserSession(event)\n  if (!session && event.path.startsWith('/api/protected')) {\n    return sendRedirect(event, '/login', 302)\n  }\n})\n","server/middleware/auth.ts",[174,338,339,355,359,390,416,455,481,486],{"__ignoreMap":193},[197,340,341,343,345,348,350,352],{"class":199,"line":200},[197,342,204],{"class":203},[197,344,208],{"class":207},[197,346,347],{"class":211},"sendRedirect",[197,349,215],{"class":207},[197,351,218],{"class":203},[197,353,354],{"class":221}," 'h3'\n",[197,356,357],{"class":199,"line":225},[197,358,229],{"emptyLinePlaceholder":228},[197,360,361,363,365,368,371,374,377,381,384,387],{"class":199,"line":232},[197,362,235],{"class":203},[197,364,239],{"class":238},[197,366,367],{"class":242}," defineEventHandler",[197,369,370],{"class":207},"(",[197,372,373],{"class":203},"async",[197,375,376],{"class":207}," (",[197,378,380],{"class":379},"sgisi","event",[197,382,383],{"class":207},") ",[197,385,386],{"class":203},"=>",[197,388,389],{"class":207}," {\n",[197,391,392,395,399,403,406,409,411,413],{"class":199,"line":249},[197,393,394],{"class":203},"  const",[197,396,398],{"class":397},"s6Rhl"," session",[197,400,402],{"class":401},"sQBpM"," =",[197,404,405],{"class":203}," await",[197,407,408],{"class":242}," getUserSession",[197,410,370],{"class":207},[197,412,380],{"class":211},[197,414,415],{"class":207},")\n",[197,417,418,421,423,427,430,433,437,439,442,444,447,449,452],{"class":199,"line":262},[197,419,420],{"class":203},"  if",[197,422,376],{"class":207},[197,424,426],{"class":425},"sn-Jc","!",[197,428,429],{"class":211},"session",[197,431,432],{"class":425}," &&",[197,434,436],{"class":435},"svFNh"," event",[197,438,318],{"class":207},[197,440,441],{"class":211},"path",[197,443,318],{"class":207},[197,445,446],{"class":242},"startsWith",[197,448,370],{"class":207},[197,450,451],{"class":221},"'/api/protected'",[197,453,454],{"class":207},")) {\n",[197,456,457,460,463,465,467,470,473,475,479],{"class":199,"line":271},[197,458,459],{"class":203},"    return",[197,461,462],{"class":242}," sendRedirect",[197,464,370],{"class":207},[197,466,380],{"class":211},[197,468,469],{"class":207},", ",[197,471,472],{"class":221},"'/login'",[197,474,469],{"class":207},[197,476,478],{"class":477},"s3ZNE","302",[197,480,415],{"class":207},[197,482,483],{"class":199,"line":279},[197,484,485],{"class":207},"  }\n",[197,487,488],{"class":199,"line":287},[197,489,296],{"class":207},[163,491,492],{},[330,493,494],{},"Return JSON error for API routes:",[187,496,498],{"className":189,"code":497,"language":192,"meta":193,"style":193},"// This is the default behavior for /api/* routes\nthrow createError({\n  statusCode: 401,\n  data: { error: 'Authentication required' }\n})\n",[174,499,500,506,516,528,548],{"__ignoreMap":193},[197,501,502],{"class":199,"line":200},[197,503,505],{"class":504},"st7cf","// This is the default behavior for /api/* routes\n",[197,507,508,511,514],{"class":199,"line":225},[197,509,510],{"class":203},"throw",[197,512,513],{"class":242}," createError",[197,515,246],{"class":207},[197,517,518,521,523,526],{"class":199,"line":232},[197,519,520],{"class":211},"  statusCode",[197,522,256],{"class":255},[197,524,525],{"class":477}," 401",[197,527,268],{"class":207},[197,529,530,533,535,537,540,542,545],{"class":199,"line":249},[197,531,532],{"class":211},"  data",[197,534,256],{"class":255},[197,536,208],{"class":207},[197,538,539],{"class":211},"error",[197,541,256],{"class":255},[197,543,544],{"class":221}," 'Authentication required'",[197,546,547],{"class":207}," }\n",[197,549,550],{"class":199,"line":262},[197,551,296],{"class":207},[163,553,554,555,558,559,562],{},"If you want different behavior (e.g. enforce ",[174,556,557],{},"auth: 'user'"," for APIs), add your own Nitro middleware and/or call ",[174,560,561],{},"requireUserSession(event)"," directly inside handlers.",[187,564,567],{"className":189,"code":565,"filename":566,"language":192,"meta":193,"style":193},"export default defineEventHandler(async (event) => {\n  await requireUserSession(event)\n  return { ok: true }\n})\n","server/api/secret.get.ts",[174,568,569,591,605,622],{"__ignoreMap":193},[197,570,571,573,575,577,579,581,583,585,587,589],{"class":199,"line":200},[197,572,235],{"class":203},[197,574,239],{"class":238},[197,576,367],{"class":242},[197,578,370],{"class":207},[197,580,373],{"class":203},[197,582,376],{"class":207},[197,584,380],{"class":379},[197,586,383],{"class":207},[197,588,386],{"class":203},[197,590,389],{"class":207},[197,592,593,596,599,601,603],{"class":199,"line":225},[197,594,595],{"class":203},"  await",[197,597,598],{"class":242}," requireUserSession",[197,600,370],{"class":207},[197,602,380],{"class":211},[197,604,415],{"class":207},[197,606,607,610,612,615,617,620],{"class":199,"line":232},[197,608,609],{"class":203},"  return",[197,611,208],{"class":207},[197,613,614],{"class":211},"ok",[197,616,256],{"class":255},[197,618,619],{"class":477}," true",[197,621,547],{"class":207},[197,623,624],{"class":199,"line":249},[197,625,296],{"class":207},[158,627,629],{"id":628},"default-login-route","Default login route",[163,631,632,633,636,637,640],{},"Unauthenticated users are redirected to ",[174,634,635],{},"/login"," when a page requires auth. To use another path, set ",[174,638,639],{},"redirectTo"," on the protected route rule (or page meta auth object).",[642,643,644,645,647],"warning",{},"If your ",[174,646,639],{}," target does not exist, users will be redirected to a 404 page. Ensure redirect targets are valid app routes.",[158,649,651],{"id":650},"rate-limiting","Rate limiting",[163,653,654],{},"This module does not include built-in rate limiting. Authentication endpoints can be targeted by brute force attacks.",[163,656,657],{},[330,658,659],{},"Recommendations:",[661,662,663,667,670],"ul",{},[664,665,666],"li",{},"Use Cloudflare rate limiting rules",[664,668,669],{},"Implement server middleware with Redis-backed rate limiting",[664,671,672],{},"Configure your reverse proxy (nginx, Caddy) to limit requests",[674,675],"read-more",{"title":107,"to":108},[158,677,679],{"id":678},"devtools-in-production","DevTools in production",[163,681,682,683,686,687,690],{},"DevTools are automatically disabled when ",[174,684,685],{},"NODE_ENV=production",". The ",[174,688,689],{},"/api/_better-auth/*"," endpoints and devtools page are never registered in production builds.",[692,693,694],"style",{},"html pre.shiki code .sqe1H, html code.shiki .sqe1H{--shiki-light:#A626A4;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .s17Py, html code.shiki .s17Py{--shiki-light:#383A42;--shiki-default:#BBBBBB;--shiki-dark:#BBBBBB}html pre.shiki code .sYvLG, html code.shiki .sYvLG{--shiki-light:#E45649;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .sPAZv, html code.shiki .sPAZv{--shiki-light:#50A14F;--shiki-default:#FF8B39;--shiki-dark:#FF8B39}html pre.shiki code .sKg8T, html code.shiki .sKg8T{--shiki-light:#E45649;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .sfT9l, html code.shiki .sfT9l{--shiki-light:#4078F2;--shiki-default:#36F9F6;--shiki-dark:#36F9F6}html pre.shiki code .sVnqq, html code.shiki .sVnqq{--shiki-light:#0184BC;--shiki-default:#B6B1B1;--shiki-dark:#B6B1B1}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sgisi, html code.shiki .sgisi{--shiki-light:#383A42;--shiki-light-font-style:inherit;--shiki-default:#FF7EDB;--shiki-default-font-style:italic;--shiki-dark:#FF7EDB;--shiki-dark-font-style:italic}html pre.shiki code .s6Rhl, html code.shiki .s6Rhl{--shiki-light:#986801;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .sQBpM, html code.shiki .sQBpM{--shiki-light:#0184BC;--shiki-default:#FFFFFFEE;--shiki-dark:#FFFFFFEE}html pre.shiki code .sn-Jc, html code.shiki .sn-Jc{--shiki-light:#0184BC;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .svFNh, html code.shiki .svFNh{--shiki-light:#383A42;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .s3ZNE, html code.shiki .s3ZNE{--shiki-light:#986801;--shiki-default:#F97E72;--shiki-dark:#F97E72}html pre.shiki code .st7cf, html code.shiki .st7cf{--shiki-light:#A0A1A7;--shiki-light-font-style:italic;--shiki-default:#848BBD;--shiki-default-font-style:italic;--shiki-dark:#848BBD;--shiki-dark-font-style:italic}",{"title":193,"searchDepth":225,"depth":225,"links":696},[697,698,699,702,703,704],{"id":160,"depth":225,"text":161},{"id":168,"depth":225,"text":169},{"id":306,"depth":225,"text":307,"children":700},[701],{"id":322,"depth":232,"text":323},{"id":628,"depth":225,"text":629},{"id":650,"depth":225,"text":651},{"id":678,"depth":225,"text":679},"What is enforced where, and what you should not assume.","md",null,{},{"title":64,"description":705},"bFc8ucuQ5Tou6eJeYKCSpKiC00dZdjLCh5koVIbivIY",[712,714],{"title":60,"path":61,"stem":62,"description":713,"children":-1},"What the module registers for you.",{"title":74,"path":75,"stem":76,"description":715,"children":-1},"Protect routes using generic field matching on AuthUser.",1774189124864]