[{"data":1,"prerenderedAt":719},["ShallowReactive",2],{"navigation_docs":3,"-core-concepts-security-caveats":152,"-core-concepts-security-caveats-surround":714},[4,42,68,110,131],{"title":5,"path":6,"stem":7,"children":8,"icon":11},"Getting Started","/getting-started","1.getting-started/0.index",[9,12,17,22,27,32,37],{"title":10,"path":6,"stem":7,"icon":11},"Introduction","i-lucide-sparkles",{"title":13,"path":14,"stem":15,"icon":16},"Installation","/getting-started/installation","1.getting-started/1.installation","i-lucide-download",{"title":18,"path":19,"stem":20,"icon":21},"Configuration","/getting-started/configuration","1.getting-started/2.configuration","i-lucide-settings",{"title":23,"path":24,"stem":25,"icon":26},"Client Setup","/getting-started/client-setup","1.getting-started/3.client-setup","i-lucide-monitor",{"title":28,"path":29,"stem":30,"icon":31},"Type Augmentation","/getting-started/type-augmentation","1.getting-started/4.type-augmentation","i-lucide-type",{"title":33,"path":34,"stem":35,"icon":36},"Schema Generation (NuxtHub)","/getting-started/schema-generation","1.getting-started/5.schema-generation","i-lucide-database",{"title":38,"path":39,"stem":40,"icon":41},"How It Works","/getting-started/how-it-works","1.getting-started/6.how-it-works","i-lucide-workflow",{"title":43,"path":44,"stem":45,"children":46,"page":67},"Core Concepts","/core-concepts","2.core-concepts",[47,51,55,59,63],{"title":48,"path":49,"stem":50},"serverAuth()","/core-concepts/server-auth","2.core-concepts/1.server-auth",{"title":52,"path":53,"stem":54},"Sessions","/core-concepts/sessions","2.core-concepts/2.sessions",{"title":56,"path":57,"stem":58},"Route Protection","/core-concepts/route-protection","2.core-concepts/3.route-protection",{"title":60,"path":61,"stem":62},"Auto‑Imports and Aliases","/core-concepts/auto-imports-aliases","2.core-concepts/4.auto-imports-aliases",{"title":64,"path":65,"stem":66},"Security & Caveats","/core-concepts/security-caveats","2.core-concepts/5.security-caveats",false,{"title":69,"path":70,"stem":71,"children":72,"page":67},"Guides","/guides","3.guides",[73,77,81,85,89,94,98,102,106],{"title":74,"path":75,"stem":76},"Role‑Based Access","/guides/role-based-access","3.guides/1.role-based-access",{"title":78,"path":79,"stem":80},"OAuth Providers","/guides/oauth-providers","3.guides/2.oauth-providers",{"title":82,"path":83,"stem":84},"Custom Database","/guides/custom-database","3.guides/3.custom-database",{"title":86,"path":87,"stem":88},"Database-less Mode","/guides/database-less-mode","3.guides/4.database-less-mode",{"title":90,"path":91,"stem":92,"icon":93},"External Auth Backend","/guides/external-auth-backend","3.guides/5.external-auth-backend","i-lucide-server",{"title":95,"path":96,"stem":97},"Migrating from nuxt-auth-utils","/guides/migrate-from-nuxt-auth-utils","3.guides/6.migrate-from-nuxt-auth-utils",{"title":99,"path":100,"stem":101},"Two-Factor Authentication (TOTP + Backup Codes)","/guides/two-factor-auth","3.guides/7.two-factor-auth",{"title":103,"path":104,"stem":105},"Testing","/guides/testing","3.guides/8.testing",{"title":107,"path":108,"stem":109},"Production Deployment","/guides/production-deployment","3.guides/9.production-deployment",{"title":111,"path":112,"stem":113,"children":114,"page":67},"Integrations","/integrations","4.integrations",[115,119,123,127],{"title":116,"path":117,"stem":118},"NuxtHub","/integrations/nuxthub","4.integrations/1.nuxthub",{"title":120,"path":121,"stem":122},"DevTools","/integrations/devtools","4.integrations/2.devtools",{"title":124,"path":125,"stem":126},"Convex","/integrations/convex","4.integrations/3.convex",{"title":128,"path":129,"stem":130},"i18n","/integrations/i18n","4.integrations/4.i18n",{"title":132,"path":133,"stem":134,"children":135,"page":67},"API Reference","/api","5.api",[136,140,144,148],{"title":137,"path":138,"stem":139},"Composables","/api/composables","5.api/1.composables",{"title":141,"path":142,"stem":143},"Server Utilities","/api/server-utils","5.api/2.server-utils",{"title":145,"path":146,"stem":147},"Components","/api/components","5.api/3.components",{"title":149,"path":150,"stem":151},"Types","/api/types","5.api/4.types",{"id":153,"title":64,"body":154,"description":708,"extension":709,"links":710,"meta":711,"navigation":231,"path":65,"seo":712,"stem":66,"__hash__":713},"docs/2.core-concepts/5.security-caveats.md",{"type":155,"value":156,"toc":698},"minimark",[157,161,166,169,173,189,300,307,311,322,327,330,336,493,498,555,566,629,633,644,651,655,658,663,676,679,683,694],[158,159,160],"p",{},"Use this page when you are moving from “it works locally” to “it is safe to deploy”.",[162,163,165],"h2",{"id":164},"client-redirects-are-not-security","Client redirects are not security",[158,167,168],{},"Client-side redirects improve UX but don't prevent unauthorized access. Always validate on the server.",[162,170,172],{"id":171},"csrf-origin-checks","CSRF / origin checks",[158,174,175,176,180,181,184,185,188],{},"Better Auth performs origin checks for cookie-based requests (it validates ",[177,178,179],"code",{},"Origin"," / ",[177,182,183],{},"Referer","). If you use multiple domains (custom domains, preview URLs, etc.), add them to ",[177,186,187],{},"trustedOrigins"," in your auth config.",[190,191,197],"pre",{"className":192,"code":193,"filename":194,"language":195,"meta":196,"style":196},"language-ts shiki shiki-themes one-light synthwave-84 synthwave-84","import { defineServerAuth } from '@onmax/nuxt-better-auth/config'\n\nexport default defineServerAuth({\n  trustedOrigins: [\n    'http://localhost:3000',\n    'https://your-domain.com',\n    'https://your-preview.workers.dev',\n  ],\n})\n","server/auth.config.ts","ts","",[177,198,199,226,233,250,263,272,280,288,294],{"__ignoreMap":196},[200,201,204,208,212,216,219,222],"span",{"class":202,"line":203},"line",1,[200,205,207],{"class":206},"sqe1H","import",[200,209,211],{"class":210},"s17Py"," { ",[200,213,215],{"class":214},"sYvLG","defineServerAuth",[200,217,218],{"class":210}," } ",[200,220,221],{"class":206},"from",[200,223,225],{"class":224},"sPAZv"," '@onmax/nuxt-better-auth/config'\n",[200,227,229],{"class":202,"line":228},2,[200,230,232],{"emptyLinePlaceholder":231},true,"\n",[200,234,236,239,243,247],{"class":202,"line":235},3,[200,237,238],{"class":206},"export",[200,240,242],{"class":241},"sKg8T"," default",[200,244,246],{"class":245},"sfT9l"," defineServerAuth",[200,248,249],{"class":210},"({\n",[200,251,253,256,260],{"class":202,"line":252},4,[200,254,255],{"class":214},"  trustedOrigins",[200,257,259],{"class":258},"sVnqq",":",[200,261,262],{"class":210}," [\n",[200,264,266,269],{"class":202,"line":265},5,[200,267,268],{"class":224},"    'http://localhost:3000'",[200,270,271],{"class":210},",\n",[200,273,275,278],{"class":202,"line":274},6,[200,276,277],{"class":224},"    'https://your-domain.com'",[200,279,271],{"class":210},[200,281,283,286],{"class":202,"line":282},7,[200,284,285],{"class":224},"    'https://your-preview.workers.dev'",[200,287,271],{"class":210},[200,289,291],{"class":202,"line":290},8,[200,292,293],{"class":210},"  ],\n",[200,295,297],{"class":202,"line":296},9,[200,298,299],{"class":210},"})\n",[301,302,303,304,306],"important",{},"If you deploy preview environments, you must include the preview origin in ",[177,305,187],{},". Otherwise, sign-in or sign-up requests can fail origin validation even when the API endpoint is healthy.",[162,308,310],{"id":309},"api-enforcement-behavior","API enforcement behavior",[158,312,313,314,317,318,321],{},"The built-in Nitro middleware only checks ",[177,315,316],{},"routeRules.auth"," for ",[177,319,320],{},"/api/**",".",[323,324,326],"h3",{"id":325},"customizing-unauthorized-behavior","Customizing Unauthorized Behavior",[158,328,329],{},"By default, unauthorized requests to protected routes receive a 401 response. To customize:",[158,331,332],{},[333,334,335],"strong",{},"Redirect to login instead of 401:",[190,337,340],{"className":192,"code":338,"filename":339,"language":195,"meta":196,"style":196},"import { sendRedirect } from 'h3'\n\nexport default defineEventHandler(async (event) => {\n  const session = await getUserSession(event)\n  if (!session && event.path.startsWith('/api/protected')) {\n    return sendRedirect(event, '/login', 302)\n  }\n})\n","server/middleware/auth.ts",[177,341,342,358,362,393,419,458,484,489],{"__ignoreMap":196},[200,343,344,346,348,351,353,355],{"class":202,"line":203},[200,345,207],{"class":206},[200,347,211],{"class":210},[200,349,350],{"class":214},"sendRedirect",[200,352,218],{"class":210},[200,354,221],{"class":206},[200,356,357],{"class":224}," 'h3'\n",[200,359,360],{"class":202,"line":228},[200,361,232],{"emptyLinePlaceholder":231},[200,363,364,366,368,371,374,377,380,384,387,390],{"class":202,"line":235},[200,365,238],{"class":206},[200,367,242],{"class":241},[200,369,370],{"class":245}," defineEventHandler",[200,372,373],{"class":210},"(",[200,375,376],{"class":206},"async",[200,378,379],{"class":210}," (",[200,381,383],{"class":382},"sgisi","event",[200,385,386],{"class":210},") ",[200,388,389],{"class":206},"=>",[200,391,392],{"class":210}," {\n",[200,394,395,398,402,406,409,412,414,416],{"class":202,"line":252},[200,396,397],{"class":206},"  const",[200,399,401],{"class":400},"s6Rhl"," session",[200,403,405],{"class":404},"sQBpM"," =",[200,407,408],{"class":206}," await",[200,410,411],{"class":245}," getUserSession",[200,413,373],{"class":210},[200,415,383],{"class":214},[200,417,418],{"class":210},")\n",[200,420,421,424,426,430,433,436,440,442,445,447,450,452,455],{"class":202,"line":265},[200,422,423],{"class":206},"  if",[200,425,379],{"class":210},[200,427,429],{"class":428},"sn-Jc","!",[200,431,432],{"class":214},"session",[200,434,435],{"class":428}," &&",[200,437,439],{"class":438},"svFNh"," event",[200,441,321],{"class":210},[200,443,444],{"class":214},"path",[200,446,321],{"class":210},[200,448,449],{"class":245},"startsWith",[200,451,373],{"class":210},[200,453,454],{"class":224},"'/api/protected'",[200,456,457],{"class":210},")) {\n",[200,459,460,463,466,468,470,473,476,478,482],{"class":202,"line":274},[200,461,462],{"class":206},"    return",[200,464,465],{"class":245}," sendRedirect",[200,467,373],{"class":210},[200,469,383],{"class":214},[200,471,472],{"class":210},", ",[200,474,475],{"class":224},"'/login'",[200,477,472],{"class":210},[200,479,481],{"class":480},"s3ZNE","302",[200,483,418],{"class":210},[200,485,486],{"class":202,"line":282},[200,487,488],{"class":210},"  }\n",[200,490,491],{"class":202,"line":290},[200,492,299],{"class":210},[158,494,495],{},[333,496,497],{},"Return JSON error for API routes:",[190,499,501],{"className":192,"code":500,"language":195,"meta":196,"style":196},"// This is the default behavior for /api/* routes\nthrow createError({\n  statusCode: 401,\n  data: { error: 'Authentication required' }\n})\n",[177,502,503,509,519,531,551],{"__ignoreMap":196},[200,504,505],{"class":202,"line":203},[200,506,508],{"class":507},"st7cf","// This is the default behavior for /api/* routes\n",[200,510,511,514,517],{"class":202,"line":228},[200,512,513],{"class":206},"throw",[200,515,516],{"class":245}," createError",[200,518,249],{"class":210},[200,520,521,524,526,529],{"class":202,"line":235},[200,522,523],{"class":214},"  statusCode",[200,525,259],{"class":258},[200,527,528],{"class":480}," 401",[200,530,271],{"class":210},[200,532,533,536,538,540,543,545,548],{"class":202,"line":252},[200,534,535],{"class":214},"  data",[200,537,259],{"class":258},[200,539,211],{"class":210},[200,541,542],{"class":214},"error",[200,544,259],{"class":258},[200,546,547],{"class":224}," 'Authentication required'",[200,549,550],{"class":210}," }\n",[200,552,553],{"class":202,"line":265},[200,554,299],{"class":210},[158,556,557,558,561,562,565],{},"If you want different behavior (e.g. enforce ",[177,559,560],{},"auth: 'user'"," for APIs), add your own Nitro middleware and/or call ",[177,563,564],{},"requireUserSession(event)"," directly inside handlers.",[190,567,570],{"className":192,"code":568,"filename":569,"language":195,"meta":196,"style":196},"export default defineEventHandler(async (event) => {\n  await requireUserSession(event)\n  return { ok: true }\n})\n","server/api/secret.get.ts",[177,571,572,594,608,625],{"__ignoreMap":196},[200,573,574,576,578,580,582,584,586,588,590,592],{"class":202,"line":203},[200,575,238],{"class":206},[200,577,242],{"class":241},[200,579,370],{"class":245},[200,581,373],{"class":210},[200,583,376],{"class":206},[200,585,379],{"class":210},[200,587,383],{"class":382},[200,589,386],{"class":210},[200,591,389],{"class":206},[200,593,392],{"class":210},[200,595,596,599,602,604,606],{"class":202,"line":228},[200,597,598],{"class":206},"  await",[200,600,601],{"class":245}," requireUserSession",[200,603,373],{"class":210},[200,605,383],{"class":214},[200,607,418],{"class":210},[200,609,610,613,615,618,620,623],{"class":202,"line":235},[200,611,612],{"class":206},"  return",[200,614,211],{"class":210},[200,616,617],{"class":214},"ok",[200,619,259],{"class":258},[200,621,622],{"class":480}," true",[200,624,550],{"class":210},[200,626,627],{"class":202,"line":252},[200,628,299],{"class":210},[162,630,632],{"id":631},"default-login-route","Default login route",[158,634,635,636,639,640,643],{},"Unauthenticated users are redirected to ",[177,637,638],{},"/login"," when a page requires auth. To use another path, set ",[177,641,642],{},"redirectTo"," on the protected route rule (or page meta auth object).",[645,646,647,648,650],"warning",{},"If your ",[177,649,642],{}," target does not exist, users will be redirected to a 404 page. Ensure redirect targets are valid app routes.",[162,652,654],{"id":653},"rate-limiting","Rate limiting",[158,656,657],{},"This module does not include built-in rate limiting. Authentication endpoints can be targeted by brute force attacks.",[158,659,660],{},[333,661,662],{},"Recommendations:",[664,665,666,670,673],"ul",{},[667,668,669],"li",{},"Use Cloudflare rate limiting rules",[667,671,672],{},"Implement server middleware with Redis-backed rate limiting",[667,674,675],{},"Configure your reverse proxy (nginx, Caddy) to limit requests",[677,678],"read-more",{"title":107,"to":108},[162,680,682],{"id":681},"devtools-in-production","DevTools in production",[158,684,685,686,689,690,693],{},"DevTools are automatically disabled when ",[177,687,688],{},"NODE_ENV=production",". The ",[177,691,692],{},"/api/_better-auth/*"," endpoints and devtools page are never registered in production builds.",[695,696,697],"style",{},"html pre.shiki code .sqe1H, html code.shiki .sqe1H{--shiki-light:#A626A4;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .s17Py, html code.shiki .s17Py{--shiki-light:#383A42;--shiki-default:#BBBBBB;--shiki-dark:#BBBBBB}html pre.shiki code .sYvLG, html code.shiki .sYvLG{--shiki-light:#E45649;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .sPAZv, html code.shiki .sPAZv{--shiki-light:#50A14F;--shiki-default:#FF8B39;--shiki-dark:#FF8B39}html pre.shiki code .sKg8T, html code.shiki .sKg8T{--shiki-light:#E45649;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .sfT9l, html code.shiki .sfT9l{--shiki-light:#4078F2;--shiki-default:#36F9F6;--shiki-dark:#36F9F6}html pre.shiki code .sVnqq, html code.shiki .sVnqq{--shiki-light:#0184BC;--shiki-default:#B6B1B1;--shiki-dark:#B6B1B1}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sgisi, html code.shiki .sgisi{--shiki-light:#383A42;--shiki-light-font-style:inherit;--shiki-default:#FF7EDB;--shiki-default-font-style:italic;--shiki-dark:#FF7EDB;--shiki-dark-font-style:italic}html pre.shiki code .s6Rhl, html code.shiki .s6Rhl{--shiki-light:#986801;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .sQBpM, html code.shiki .sQBpM{--shiki-light:#0184BC;--shiki-default:#FFFFFFEE;--shiki-dark:#FFFFFFEE}html pre.shiki code .sn-Jc, html code.shiki .sn-Jc{--shiki-light:#0184BC;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .svFNh, html code.shiki .svFNh{--shiki-light:#383A42;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .s3ZNE, html code.shiki .s3ZNE{--shiki-light:#986801;--shiki-default:#F97E72;--shiki-dark:#F97E72}html pre.shiki code .st7cf, html code.shiki .st7cf{--shiki-light:#A0A1A7;--shiki-light-font-style:italic;--shiki-default:#848BBD;--shiki-default-font-style:italic;--shiki-dark:#848BBD;--shiki-dark-font-style:italic}",{"title":196,"searchDepth":228,"depth":228,"links":699},[700,701,702,705,706,707],{"id":164,"depth":228,"text":165},{"id":171,"depth":228,"text":172},{"id":309,"depth":228,"text":310,"children":703},[704],{"id":325,"depth":235,"text":326},{"id":631,"depth":228,"text":632},{"id":653,"depth":228,"text":654},{"id":681,"depth":228,"text":682},"What is enforced where, and what you should not assume.","md",null,{},{"title":64,"description":708},"ND8rZSbwDW3zI4dUJaZiEq-XDxlC-JZgrlHXslAgF3U",[715,717],{"title":60,"path":61,"stem":62,"description":716,"children":-1},"What the module registers for you.",{"title":74,"path":75,"stem":76,"description":718,"children":-1},"Protect routes using generic field matching on AuthUser.",1777451672656]