OAuth Proxy

A proxy plugin that allows you to proxy OAuth requests. Useful for development and preview deployments where the redirect URL can't be known in advance to add to the OAuth provider.

Installation

```ts title="auth.ts"
import { betterAuth } from "better-auth"
import { oAuthProxy } from "better-auth/plugins" // [!code highlight]

export const auth = betterAuth({
  plugins: [
    oAuthProxy({ // [!code highlight]
      productionURL: "https://my-production-app.com", // [!code highlight]
    }), // [!code highlight]
  ],
  socialProviders: {
    github: {
      clientId: process.env.GITHUB_CLIENT_ID || "",
      clientSecret: process.env.GITHUB_CLIENT_SECRET || "",
    },
  },
})
```

The plugin will automatically route OAuth requests through your production server.

In your OAuth provider's developer console (e.g. GitHub, Google), register the callback URL using your **production** domain. For example:

```
https://my-production-app.com/api/auth/callback/github
```

Only the production callback URL needs to be registered. The plugin handles routing OAuth requests from preview and development environments through production automatically.

Since preview and development servers redirect through production, you need to add them as `trustedOrigins` in your auth config:

```ts title="auth.ts"
export const auth = betterAuth({
  // ...other config
  trustedOrigins: [ // [!code highlight]
    "http://localhost:3000", // [!code highlight]
    "https://my-app-*-preview.example.com", // [!code highlight]
  ], // [!code highlight]
})
```

How it works

The plugin allows you to use a single OAuth client (registered with your production URL) across multiple environments like preview deployments or local development.

1. Preview server initiates OAuth, redirecting to the OAuth provider with production's redirect URI
2. OAuth provider callbacks to production server
3. Production server exchanges the code for tokens and fetches user info
4. Production server encrypts the profile data and redirects to preview server (no database write on production)
5. Preview server decrypts the profile, creates user/session in its own database, and sets the session cookie

import { authClient } from "@/lib/auth-client"

await authClient.signIn.social({
    provider: "github",
    callbackURL: "/dashboard"
})

The encrypted profile data is passed via URL query parameters and can only be decrypted by servers sharing the same secret. This also allows preview deployments to use separate databases from production if needed.

Options

productionURL: The URL of your production server. If this value matches the baseURL in your auth config, requests will not be proxied. Defaults to the BETTER_AUTH_URL environment variable.

currentURL: The application's current URL is automatically determined by the plugin. It first checks the request URL, then vendor-specific environment variables from popular hosting providers, and finally falls back to the baseURL in your auth config. You only need to set this if the URL isn't being inferred correctly in your environment.

maxAge: Maximum age in seconds for encrypted profile payloads. Payloads older than this will be rejected to prevent replay attacks. Keep this value short (e.g., 30-60 seconds) to minimize the window for potential replay attacks while still allowing normal OAuth flows. Defaults to 60 seconds.

secret: A dedicated secret used for encrypting and decrypting data during the OAuth proxy flow. When set, this is used instead of the global BETTER_AUTH_SECRET, limiting the blast radius if the key is shared across environments — a leaked proxy secret cannot forge sessions or decrypt other data protected by the main secret. All environments participating in the proxy flow must share the same secret value.