chore: sync upstream better-auth v1.5.5 + bump @btst to v2.1.1

.cspell/names.txt

@@ -28,4 +28,4 @@ guilhermejansen
 iamjasonkendrick
 ejirocodes
 0-Sandy
-olliethedev
+qamarq

biome.json

@@ -146,6 +146,7 @@
       "!**/.output",
       "!**/.tmp",
       "!**/tmp-docs-fetch",
+      "!**/.claude/worktrees/**",
       "!**/btst/**",
       "!scripts/**"
     ]

docs/content/blogs/1-5.mdx

@@ -694,7 +694,6 @@ All previously deprecated APIs have been removed. This includes deprecated adapt
 
 | Removed | Replacement |
 | --- | --- |
-| `createAdapter` | `createAdapterFactory` |
 | `Adapter` | `DBAdapter` |
 | `TransactionAdapter` | `DBTransactionAdapter` |
 | `Store` (client) | `ClientStore` |

docs/content/docs/integrations/solid-start.mdx

@@ -7,9 +7,9 @@ Before you start, make sure you have a Better Auth instance configured. If you h
 
 ### Mount the handler
 
-We need to mount the handler to SolidStart server. Put the following code in your `*auth.ts` file inside `/routes/api/auth` folder.
+We need to mount the handler to SolidStart server. Put the following code in your `[...auth].ts` file inside `/routes/api/auth` folder.
 
-```ts title="*auth.ts"
+```ts title="[...auth].ts"
 import { auth } from "~/lib/auth";
 import { toSolidStartHandler } from "better-auth/solid-start";
 

docs/content/docs/plugins/dodopayments.mdx

@@ -99,6 +99,7 @@ export const auth = betterAuth({
   <Step title="Set up client-side integration">
     Create or update `src/lib/auth-client.ts`:
 ```typescript
+import { createAuthClient } from "better-auth/react";
 import { dodopaymentsClient } from "@dodopayments/better-auth";
 
 export const authClient = createAuthClient({
@@ -114,27 +115,21 @@ export const authClient = createAuthClient({
 ### Creating a Checkout Session
 
 ```typescript
-const { data: checkout, error } = await authClient.dodopayments.checkout({
+const { data: checkoutSession, error } =
+  await authClient.dodopayments.checkoutSession({
   slug: "premium-plan",
-  customer: {
-    email: "customer@example.com",
-    name: "John Doe",
-  },
-  billing: {
-    city: "San Francisco",
-    country: "US",
-    state: "CA",
-    street: "123 Market St",
-    zipcode: "94103",
-  },
-  referenceId: "order_123",
 });
 
-if (checkout) {
-  window.location.href = checkout.url;
+if (checkoutSession) {
+  window.location.href = checkoutSession.url;
 }
 ```
 
+<Callout type="warn">
+  `authClient.dodopayments.checkout()` is deprecated. Use
+  `authClient.dodopayments.checkoutSession()` for new integrations.
+</Callout>
+
 ### Accessing the Customer Portal
 
 ```typescript

docs/content/docs/plugins/oauth-provider.mdx

@@ -1368,6 +1368,56 @@ oauthProvider({
 ```
 
 
+### Pairwise Subject Identifiers
+
+By default, the `sub` (subject) claim in tokens uses the user's internal ID, which is the same across all clients. This is the **public** subject type per [OIDC Core Section 8](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
+
+You can enable **pairwise** subject identifiers so each client receives a unique, unlinkable `sub` for the same user. This prevents relying parties from correlating users across services.
+
+```ts title="auth.ts"
+oauthProvider({
+  pairwiseSecret: "your-256-bit-secret", // [!code highlight]
+})
+```
+
+When `pairwiseSecret` is configured, the server advertises both `"public"` and `"pairwise"` in the discovery endpoint's `subject_types_supported`. Clients opt in by setting `subject_type: "pairwise"` at registration.
+
+#### Per-Client Configuration
+
+```ts title="register-client.ts"
+const response = await auth.api.createOAuthClient({
+  headers,
+  body: {
+    client_name: 'Privacy-Sensitive App',
+    redirect_uris: ['https://app.example.com/callback'],
+    token_endpoint_auth_method: 'client_secret_post',
+    subject_type: 'pairwise', // Enable pairwise sub for this client
+  }
+});
+```
+
+#### How It Works
+
+Pairwise identifiers are computed using HMAC-SHA256 over the **sector identifier** (the host of the client's first redirect URI) and the user ID, keyed with `pairwiseSecret`. This means:
+
+- Two clients with different redirect URI hosts always receive different `sub` values for the same user
+- Two clients sharing the same redirect URI host receive the **same** pairwise `sub` (per OIDC Core Section 8.1)
+- The same client always receives the same `sub` for the same user (deterministic)
+
+Pairwise `sub` appears in:
+- `id_token`
+- `/oauth2/userinfo` response
+- Token introspection (`/oauth2/introspect`)
+
+JWT access tokens always use the real user ID as `sub`, since resource servers may need to look up users directly.
+
+<Callout type="warn">
+**Limitations:**
+- `sector_identifier_uri` is not yet supported. All `redirect_uris` for a pairwise client must share the same host. Clients with redirect URIs on different hosts will be rejected at registration.
+- `pairwiseSecret` must be at least 32 characters long.
+- Rotating `pairwiseSecret` will change all pairwise `sub` values, breaking existing RP sessions. Treat this secret as permanent once set.
+</Callout>
+
 ### MCP
 
 You can easily make your APIs [MCP-compatible](https://modelcontextprotocol.io/specification/draft/basic/authorization) simply by adding a resource server which directs users to this OAuth 2.1 authorization server.
@@ -1577,6 +1627,12 @@ Table Name: `oauthClient`
       description: "Field that indicates if the application can logout via an id_token. You may choose to enable this for trusted applications.",
       isOptional: true,
     },
+    {
+      name: "subjectType",
+      type: "string",
+      description: "Subject identifier type for this client. Set to \"pairwise\" to receive unique, unlinkable sub claims per user. Requires pairwiseSecret to be configured on the server.",
+      isOptional: true,
+    },
     {
       name: "scopes",
       type: "string[]",

docs/content/docs/reference/security.mdx

@@ -200,7 +200,7 @@ Trusted origins prevent CSRF attacks and block open redirects. You can set a lis
 
 ### Basic Usage
 
-The most basic usage is to specify exact origins:
+The most basic usage is to specify exact origins, below is an example of a trusted origins configuration:
 
 ```typescript
 {
@@ -211,6 +211,9 @@ The most basic usage is to specify exact origins:
   ]
 }
 ```
+<Callout type="warning">
+  Do not leave the localhost origin in a trusted origins list of a production auth instance.
+</Callout>
 
 ### Wildcard Origins
 

knip.jsonc

@@ -86,6 +86,7 @@
 				"better-auth",
 				"c12",
 				"chalk",
+				"get-tsconfig",
 				"open",
 				"prettier",
 				"prompts",

landing/app/blog/[[...slug]]/page.tsx

@@ -7,6 +7,7 @@ import Link from "next/link";
 import { notFound } from "next/navigation";
 import { BlogLeftPanel } from "@/components/blog/blog-left-panel";
 import { Callout } from "@/components/ui/callout";
+import { createMetadata } from "@/lib/metadata";
 import { blogs } from "@/lib/source";
 import { cn } from "@/lib/utils";
 
@@ -270,10 +271,10 @@ export async function generateMetadata({
 }) {
 	const { slug } = await params;
 	if (!slug) {
-		return {
+		return createMetadata({
 			title: "Blog - Better Auth",
 			description: "Latest updates, articles, and insights about Better Auth",
-		};
+		});
 	}
 	const page = blogs.getPage(slug);
 	if (!page || page.data.draft) return notFound();
@@ -296,7 +297,7 @@ export async function generateMetadata({
 
 	const ogImage = image || ogUrl;
 
-	return {
+	return createMetadata({
 		title,
 		description,
 		openGraph: {
@@ -311,7 +312,7 @@ export async function generateMetadata({
 			description,
 			images: [ogImage],
 		},
-	};
+	});
 }
 
 export function generateStaticParams() {

landing/app/blog/layout.tsx

@@ -1,21 +1,34 @@
 import { RootProvider } from "fumadocs-ui/provider/next";
 import type { Metadata } from "next";
+import { createMetadata } from "@/lib/metadata";
 
-export const metadata: Metadata = {
-	title: "Blog - Better Auth",
-	description: "Latest updates, articles, and insights about Better Auth",
+const description = "Latest updates, articles, and insights about Better Auth";
+
+export const metadata: Metadata = createMetadata({
+	title: "Blog",
+	description,
 	openGraph: {
+		url: "/blog",
 		title: "Blog - Better Auth",
-		description: "Latest updates, articles, and insights about Better Auth",
+		description,
 		images: ["/api/og-release?heading=Better%20Auth%20Blog"],
 	},
 	twitter: {
-		card: "summary_large_image",
-		title: "Blog - Better Auth",
-		description: "Latest updates, articles, and insights about Better Auth",
 		images: ["/api/og-release?heading=Better%20Auth%20Blog"],
+		title: "Blog - Better Auth",
+		description,
+	},
+	alternates: {
+		types: {
+			"application/rss+xml": [
+				{
+					title: "Better Auth Blog",
+					url: "https://better-auth.com/blog/rss.xml",
+				},
+			],
+		},
 	},
-};
+});
 
 export default function BlogLayout({
 	children,

landing/app/careers/page.tsx

@@ -1,10 +1,11 @@
 import type { Metadata } from "next";
+import { createMetadata } from "@/lib/metadata";
 import { CareersPageClient } from "./careers-client";
 
-export const metadata: Metadata = {
+export const metadata: Metadata = createMetadata({
 	title: "Careers",
 	description: "Join the Better Auth team — open positions and how to apply.",
-};
+});
 
 export default function CareersPage() {
 	return <CareersPageClient />;

landing/app/changelog/page.tsx

@@ -1,5 +1,6 @@
 import Link from "next/link";
 import { HalftoneBackground } from "@/components/landing/halftone-bg";
+import { createMetadata } from "@/lib/metadata";
 import { ChangelogContent } from "./changelog-content";
 
 export const dynamic = "force-static";
@@ -148,7 +149,7 @@ export default async function ChangelogPage() {
 	);
 }
 
-export const metadata = {
-	title: "Changelog - Better Auth",
+export const metadata = createMetadata({
+	title: "Changelog",
 	description: "Latest changes, fixes, and updates to Better Auth",
-};
+});

landing/app/community/page.tsx

@@ -1,12 +1,13 @@
 import type { Metadata } from "next";
 import { getCommunityStats } from "@/lib/community-stats";
+import { createMetadata } from "@/lib/metadata";
 import { CommunityPageClient } from "./community-client";
 
-export const metadata: Metadata = {
+export const metadata: Metadata = createMetadata({
 	title: "Community",
 	description:
 		"Join the Better Auth community — contributors, Discord members, and ecosystem stats.",
-};
+});
 
 export const revalidate = 21600; // Revalidate every 6 hours
 

landing/app/docs/[[...slug]]/page.tsx

@@ -24,6 +24,7 @@ import {
 	GenerateSecret,
 } from "@/components/docs/mdx-components";
 import { Callout } from "@/components/ui/callout";
+import { createMetadata } from "@/lib/metadata";
 import { getSource } from "@/lib/source";
 import { cn } from "@/lib/utils";
 import { LLMCopyButton, ViewOptions } from "./page.client";
@@ -164,7 +165,7 @@ export async function generateMetadata({
 
 	const ogUrl = `/api/og?${ogSearchParams.toString()}`;
 
-	return {
+	return createMetadata({
 		title: page.data.title,
 		description: page.data.description,
 		openGraph: {
@@ -186,5 +187,5 @@ export async function generateMetadata({
 			description: page.data.description,
 			images: [ogUrl],
 		},
-	};
+	});
 }

landing/app/enterprise/enterprise-client.tsx

@@ -100,7 +100,7 @@ export function EnterprisePageClient() {
 				const url =
 					process.env.NODE_ENV === "development"
 						? "http://localhost:3001/api/enterprise/contact"
-						: "/api/enterprise/contact";
+						: "https://dash.better-auth.com/api/enterprise/contact";
 				const response = await fetch(url, {
 					method: "POST",
 					body: JSON.stringify({

landing/app/enterprise/page.tsx

@@ -1,11 +1,12 @@
 import type { Metadata } from "next";
+import { createMetadata } from "@/lib/metadata";
 import { EnterprisePageClient } from "./enterprise-client";
 
-export const metadata: Metadata = {
+export const metadata: Metadata = createMetadata({
 	title: "Enterprise",
 	description:
 		"Better Auth for enterprise — SSO, SAML, audit logs, and dedicated support.",
-};
+});
 
 export default function EnterprisePage() {
 	return <EnterprisePageClient />;