[{"data":1,"prerenderedAt":732},["ShallowReactive",2],{"navigation_docs":3,"-core-concepts-security-caveats":152,"-core-concepts-security-caveats-surround":727},[4,42,68,110,131],{"title":5,"path":6,"stem":7,"children":8,"icon":11},"Getting Started","/getting-started","1.getting-started/0.index",[9,12,17,22,27,32,37],{"title":10,"path":6,"stem":7,"icon":11},"Introduction","i-lucide-sparkles",{"title":13,"path":14,"stem":15,"icon":16},"Installation","/getting-started/installation","1.getting-started/1.installation","i-lucide-download",{"title":18,"path":19,"stem":20,"icon":21},"Configuration","/getting-started/configuration","1.getting-started/2.configuration","i-lucide-settings",{"title":23,"path":24,"stem":25,"icon":26},"Client Setup","/getting-started/client-setup","1.getting-started/3.client-setup","i-lucide-monitor",{"title":28,"path":29,"stem":30,"icon":31},"Type Augmentation","/getting-started/type-augmentation","1.getting-started/4.type-augmentation","i-lucide-type",{"title":33,"path":34,"stem":35,"icon":36},"Schema Generation (NuxtHub)","/getting-started/schema-generation","1.getting-started/5.schema-generation","i-lucide-database",{"title":38,"path":39,"stem":40,"icon":41},"How It Works","/getting-started/how-it-works","1.getting-started/6.how-it-works","i-lucide-workflow",{"title":43,"path":44,"stem":45,"children":46,"page":67},"Core Concepts","/core-concepts","2.core-concepts",[47,51,55,59,63],{"title":48,"path":49,"stem":50},"serverAuth()","/core-concepts/server-auth","2.core-concepts/1.server-auth",{"title":52,"path":53,"stem":54},"Sessions","/core-concepts/sessions","2.core-concepts/2.sessions",{"title":56,"path":57,"stem":58},"Route Protection","/core-concepts/route-protection","2.core-concepts/3.route-protection",{"title":60,"path":61,"stem":62},"Auto‑Imports and Aliases","/core-concepts/auto-imports-aliases","2.core-concepts/4.auto-imports-aliases",{"title":64,"path":65,"stem":66},"Security & Caveats","/core-concepts/security-caveats","2.core-concepts/5.security-caveats",false,{"title":69,"path":70,"stem":71,"children":72,"page":67},"Guides","/guides","3.guides",[73,77,81,85,89,94,98,102,106],{"title":74,"path":75,"stem":76},"Role‑Based Access","/guides/role-based-access","3.guides/1.role-based-access",{"title":78,"path":79,"stem":80},"OAuth Providers","/guides/oauth-providers","3.guides/2.oauth-providers",{"title":82,"path":83,"stem":84},"Custom Database","/guides/custom-database","3.guides/3.custom-database",{"title":86,"path":87,"stem":88},"Database-less Mode","/guides/database-less-mode","3.guides/4.database-less-mode",{"title":90,"path":91,"stem":92,"icon":93},"External Auth Backend","/guides/external-auth-backend","3.guides/5.external-auth-backend","i-lucide-server",{"title":95,"path":96,"stem":97},"Migrating from nuxt-auth-utils","/guides/migrate-from-nuxt-auth-utils","3.guides/6.migrate-from-nuxt-auth-utils",{"title":99,"path":100,"stem":101},"Two-Factor Authentication (TOTP + Backup Codes)","/guides/two-factor-auth","3.guides/7.two-factor-auth",{"title":103,"path":104,"stem":105},"Testing","/guides/testing","3.guides/8.testing",{"title":107,"path":108,"stem":109},"Production Deployment","/guides/production-deployment","3.guides/9.production-deployment",{"title":111,"path":112,"stem":113,"children":114,"page":67},"Integrations","/integrations","4.integrations",[115,119,123,127],{"title":116,"path":117,"stem":118},"NuxtHub","/integrations/nuxthub","4.integrations/1.nuxthub",{"title":120,"path":121,"stem":122},"DevTools","/integrations/devtools","4.integrations/2.devtools",{"title":124,"path":125,"stem":126},"Convex","/integrations/convex","4.integrations/3.convex",{"title":128,"path":129,"stem":130},"i18n","/integrations/i18n","4.integrations/4.i18n",{"title":132,"path":133,"stem":134,"children":135,"page":67},"API Reference","/api","5.api",[136,140,144,148],{"title":137,"path":138,"stem":139},"Composables","/api/composables","5.api/1.composables",{"title":141,"path":142,"stem":143},"Server Utilities","/api/server-utils","5.api/2.server-utils",{"title":145,"path":146,"stem":147},"Components","/api/components","5.api/3.components",{"title":149,"path":150,"stem":151},"Types","/api/types","5.api/4.types",{"id":153,"title":64,"body":154,"description":721,"extension":722,"links":723,"meta":724,"navigation":231,"path":65,"seo":725,"stem":66,"__hash__":726},"docs/2.core-concepts/5.security-caveats.md",{"type":155,"value":156,"toc":711},"minimark",[157,161,166,169,173,189,300,307,311,334,339,342,348,506,511,568,579,642,646,657,664,668,671,676,689,692,696,707],[158,159,160],"p",{},"Use this page when you are moving from “it works locally” to “it is safe to deploy”.",[162,163,165],"h2",{"id":164},"client-redirects-are-not-security","Client redirects are not security",[158,167,168],{},"Client-side redirects improve UX but don't prevent unauthorized access. Always validate on the server.",[162,170,172],{"id":171},"csrf-origin-checks","CSRF / origin checks",[158,174,175,176,180,181,184,185,188],{},"Better Auth performs origin checks for cookie-based requests (it validates ",[177,178,179],"code",{},"Origin"," / ",[177,182,183],{},"Referer","). If you use multiple domains (custom domains, preview URLs, etc.), add them to ",[177,186,187],{},"trustedOrigins"," in your auth config.",[190,191,197],"pre",{"className":192,"code":193,"filename":194,"language":195,"meta":196,"style":196},"language-ts shiki shiki-themes one-light synthwave-84 synthwave-84","import { defineServerAuth } from '@onmax/nuxt-better-auth/config'\n\nexport default defineServerAuth({\n  trustedOrigins: [\n    'http://localhost:3000',\n    'https://your-domain.com',\n    'https://your-preview.workers.dev',\n  ],\n})\n","server/auth.config.ts","ts","",[177,198,199,226,233,250,263,272,280,288,294],{"__ignoreMap":196},[200,201,204,208,212,216,219,222],"span",{"class":202,"line":203},"line",1,[200,205,207],{"class":206},"sqe1H","import",[200,209,211],{"class":210},"s17Py"," { ",[200,213,215],{"class":214},"sYvLG","defineServerAuth",[200,217,218],{"class":210}," } ",[200,220,221],{"class":206},"from",[200,223,225],{"class":224},"sPAZv"," '@onmax/nuxt-better-auth/config'\n",[200,227,229],{"class":202,"line":228},2,[200,230,232],{"emptyLinePlaceholder":231},true,"\n",[200,234,236,239,243,247],{"class":202,"line":235},3,[200,237,238],{"class":206},"export",[200,240,242],{"class":241},"sKg8T"," default",[200,244,246],{"class":245},"sfT9l"," defineServerAuth",[200,248,249],{"class":210},"({\n",[200,251,253,256,260],{"class":202,"line":252},4,[200,254,255],{"class":214},"  trustedOrigins",[200,257,259],{"class":258},"sVnqq",":",[200,261,262],{"class":210}," [\n",[200,264,266,269],{"class":202,"line":265},5,[200,267,268],{"class":224},"    'http://localhost:3000'",[200,270,271],{"class":210},",\n",[200,273,275,278],{"class":202,"line":274},6,[200,276,277],{"class":224},"    'https://your-domain.com'",[200,279,271],{"class":210},[200,281,283,286],{"class":202,"line":282},7,[200,284,285],{"class":224},"    'https://your-preview.workers.dev'",[200,287,271],{"class":210},[200,289,291],{"class":202,"line":290},8,[200,292,293],{"class":210},"  ],\n",[200,295,297],{"class":202,"line":296},9,[200,298,299],{"class":210},"})\n",[301,302,303,304,306],"important",{},"If you deploy preview environments, you must include the preview origin in ",[177,305,187],{},". Otherwise, sign-in or sign-up requests can fail origin validation even when the API endpoint is healthy.",[162,308,310],{"id":309},"api-enforcement-behavior","API enforcement behavior",[158,312,313,314,317,318,321,322,325,326,329,330,333],{},"The built-in Nitro middleware checks ",[177,315,316],{},"routeRules.auth"," for app-owned ",[177,319,320],{},"/api/**"," routes. It skips Better Auth's ",[177,323,324],{},"/api/auth/**"," handler and known framework or module internals such as ",[177,327,328],{},"/api/_nuxt_icon/**"," and ",[177,331,332],{},"/api/_better-auth/**",", so broad route rules do not break auth, icons, or module tooling.",[335,336,338],"h3",{"id":337},"customizing-unauthorized-behavior","Customizing Unauthorized Behavior",[158,340,341],{},"By default, unauthorized requests to protected routes receive a 401 response. To customize:",[158,343,344],{},[345,346,347],"strong",{},"Redirect to login instead of 401:",[190,349,352],{"className":192,"code":350,"filename":351,"language":195,"meta":196,"style":196},"import { sendRedirect } from 'h3'\n\nexport default defineEventHandler(async (event) => {\n  const session = await getUserSession(event)\n  if (!session && event.path.startsWith('/api/protected')) {\n    return sendRedirect(event, '/login', 302)\n  }\n})\n","server/middleware/auth.ts",[177,353,354,370,374,405,431,471,497,502],{"__ignoreMap":196},[200,355,356,358,360,363,365,367],{"class":202,"line":203},[200,357,207],{"class":206},[200,359,211],{"class":210},[200,361,362],{"class":214},"sendRedirect",[200,364,218],{"class":210},[200,366,221],{"class":206},[200,368,369],{"class":224}," 'h3'\n",[200,371,372],{"class":202,"line":228},[200,373,232],{"emptyLinePlaceholder":231},[200,375,376,378,380,383,386,389,392,396,399,402],{"class":202,"line":235},[200,377,238],{"class":206},[200,379,242],{"class":241},[200,381,382],{"class":245}," defineEventHandler",[200,384,385],{"class":210},"(",[200,387,388],{"class":206},"async",[200,390,391],{"class":210}," (",[200,393,395],{"class":394},"sgisi","event",[200,397,398],{"class":210},") ",[200,400,401],{"class":206},"=>",[200,403,404],{"class":210}," {\n",[200,406,407,410,414,418,421,424,426,428],{"class":202,"line":252},[200,408,409],{"class":206},"  const",[200,411,413],{"class":412},"s6Rhl"," session",[200,415,417],{"class":416},"sQBpM"," =",[200,419,420],{"class":206}," await",[200,422,423],{"class":245}," getUserSession",[200,425,385],{"class":210},[200,427,395],{"class":214},[200,429,430],{"class":210},")\n",[200,432,433,436,438,442,445,448,452,455,458,460,463,465,468],{"class":202,"line":265},[200,434,435],{"class":206},"  if",[200,437,391],{"class":210},[200,439,441],{"class":440},"sn-Jc","!",[200,443,444],{"class":214},"session",[200,446,447],{"class":440}," &&",[200,449,451],{"class":450},"svFNh"," event",[200,453,454],{"class":210},".",[200,456,457],{"class":214},"path",[200,459,454],{"class":210},[200,461,462],{"class":245},"startsWith",[200,464,385],{"class":210},[200,466,467],{"class":224},"'/api/protected'",[200,469,470],{"class":210},")) {\n",[200,472,473,476,479,481,483,486,489,491,495],{"class":202,"line":274},[200,474,475],{"class":206},"    return",[200,477,478],{"class":245}," sendRedirect",[200,480,385],{"class":210},[200,482,395],{"class":214},[200,484,485],{"class":210},", ",[200,487,488],{"class":224},"'/login'",[200,490,485],{"class":210},[200,492,494],{"class":493},"s3ZNE","302",[200,496,430],{"class":210},[200,498,499],{"class":202,"line":282},[200,500,501],{"class":210},"  }\n",[200,503,504],{"class":202,"line":290},[200,505,299],{"class":210},[158,507,508],{},[345,509,510],{},"Return JSON error for API routes:",[190,512,514],{"className":192,"code":513,"language":195,"meta":196,"style":196},"// This is the default behavior for /api/* routes\nthrow createError({\n  statusCode: 401,\n  data: { error: 'Authentication required' }\n})\n",[177,515,516,522,532,544,564],{"__ignoreMap":196},[200,517,518],{"class":202,"line":203},[200,519,521],{"class":520},"st7cf","// This is the default behavior for /api/* routes\n",[200,523,524,527,530],{"class":202,"line":228},[200,525,526],{"class":206},"throw",[200,528,529],{"class":245}," createError",[200,531,249],{"class":210},[200,533,534,537,539,542],{"class":202,"line":235},[200,535,536],{"class":214},"  statusCode",[200,538,259],{"class":258},[200,540,541],{"class":493}," 401",[200,543,271],{"class":210},[200,545,546,549,551,553,556,558,561],{"class":202,"line":252},[200,547,548],{"class":214},"  data",[200,550,259],{"class":258},[200,552,211],{"class":210},[200,554,555],{"class":214},"error",[200,557,259],{"class":258},[200,559,560],{"class":224}," 'Authentication required'",[200,562,563],{"class":210}," }\n",[200,565,566],{"class":202,"line":265},[200,567,299],{"class":210},[158,569,570,571,574,575,578],{},"If you want different behavior (e.g. enforce ",[177,572,573],{},"auth: 'user'"," for APIs), add your own Nitro middleware and/or call ",[177,576,577],{},"requireUserSession(event)"," directly inside handlers.",[190,580,583],{"className":192,"code":581,"filename":582,"language":195,"meta":196,"style":196},"export default defineEventHandler(async (event) => {\n  await requireUserSession(event)\n  return { ok: true }\n})\n","server/api/secret.get.ts",[177,584,585,607,621,638],{"__ignoreMap":196},[200,586,587,589,591,593,595,597,599,601,603,605],{"class":202,"line":203},[200,588,238],{"class":206},[200,590,242],{"class":241},[200,592,382],{"class":245},[200,594,385],{"class":210},[200,596,388],{"class":206},[200,598,391],{"class":210},[200,600,395],{"class":394},[200,602,398],{"class":210},[200,604,401],{"class":206},[200,606,404],{"class":210},[200,608,609,612,615,617,619],{"class":202,"line":228},[200,610,611],{"class":206},"  await",[200,613,614],{"class":245}," requireUserSession",[200,616,385],{"class":210},[200,618,395],{"class":214},[200,620,430],{"class":210},[200,622,623,626,628,631,633,636],{"class":202,"line":235},[200,624,625],{"class":206},"  return",[200,627,211],{"class":210},[200,629,630],{"class":214},"ok",[200,632,259],{"class":258},[200,634,635],{"class":493}," true",[200,637,563],{"class":210},[200,639,640],{"class":202,"line":252},[200,641,299],{"class":210},[162,643,645],{"id":644},"default-login-route","Default login route",[158,647,648,649,652,653,656],{},"Unauthenticated users are redirected to ",[177,650,651],{},"/login"," when a page requires auth. To use another path, set ",[177,654,655],{},"redirectTo"," on the protected route rule (or page meta auth object).",[658,659,660,661,663],"warning",{},"If your ",[177,662,655],{}," target does not exist, users will be redirected to a 404 page. Ensure redirect targets are valid app routes.",[162,665,667],{"id":666},"rate-limiting","Rate limiting",[158,669,670],{},"This module does not include built-in rate limiting. Authentication endpoints can be targeted by brute force attacks.",[158,672,673],{},[345,674,675],{},"Recommendations:",[677,678,679,683,686],"ul",{},[680,681,682],"li",{},"Use Cloudflare rate limiting rules",[680,684,685],{},"Implement server middleware with Redis-backed rate limiting",[680,687,688],{},"Configure your reverse proxy (nginx, Caddy) to limit requests",[690,691],"read-more",{"title":107,"to":108},[162,693,695],{"id":694},"devtools-in-production","DevTools in production",[158,697,698,699,702,703,706],{},"DevTools are automatically disabled when ",[177,700,701],{},"NODE_ENV=production",". The ",[177,704,705],{},"/api/_better-auth/*"," endpoints and devtools page are never registered in production builds.",[708,709,710],"style",{},"html pre.shiki code .sqe1H, html code.shiki .sqe1H{--shiki-light:#A626A4;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .s17Py, html code.shiki .s17Py{--shiki-light:#383A42;--shiki-default:#BBBBBB;--shiki-dark:#BBBBBB}html pre.shiki code .sYvLG, html code.shiki .sYvLG{--shiki-light:#E45649;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .sPAZv, html code.shiki .sPAZv{--shiki-light:#50A14F;--shiki-default:#FF8B39;--shiki-dark:#FF8B39}html pre.shiki code .sKg8T, html code.shiki .sKg8T{--shiki-light:#E45649;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .sfT9l, html code.shiki .sfT9l{--shiki-light:#4078F2;--shiki-default:#36F9F6;--shiki-dark:#36F9F6}html pre.shiki code .sVnqq, html code.shiki .sVnqq{--shiki-light:#0184BC;--shiki-default:#B6B1B1;--shiki-dark:#B6B1B1}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sgisi, html code.shiki .sgisi{--shiki-light:#383A42;--shiki-light-font-style:inherit;--shiki-default:#FF7EDB;--shiki-default-font-style:italic;--shiki-dark:#FF7EDB;--shiki-dark-font-style:italic}html pre.shiki code .s6Rhl, html code.shiki .s6Rhl{--shiki-light:#986801;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .sQBpM, html code.shiki .sQBpM{--shiki-light:#0184BC;--shiki-default:#FFFFFFEE;--shiki-dark:#FFFFFFEE}html pre.shiki code .sn-Jc, html code.shiki .sn-Jc{--shiki-light:#0184BC;--shiki-default:#FEDE5D;--shiki-dark:#FEDE5D}html pre.shiki code .svFNh, html code.shiki .svFNh{--shiki-light:#383A42;--shiki-default:#FF7EDB;--shiki-dark:#FF7EDB}html pre.shiki code .s3ZNE, html code.shiki .s3ZNE{--shiki-light:#986801;--shiki-default:#F97E72;--shiki-dark:#F97E72}html pre.shiki code .st7cf, html code.shiki .st7cf{--shiki-light:#A0A1A7;--shiki-light-font-style:italic;--shiki-default:#848BBD;--shiki-default-font-style:italic;--shiki-dark:#848BBD;--shiki-dark-font-style:italic}",{"title":196,"searchDepth":228,"depth":228,"links":712},[713,714,715,718,719,720],{"id":164,"depth":228,"text":165},{"id":171,"depth":228,"text":172},{"id":309,"depth":228,"text":310,"children":716},[717],{"id":337,"depth":235,"text":338},{"id":644,"depth":228,"text":645},{"id":666,"depth":228,"text":667},{"id":694,"depth":228,"text":695},"What is enforced where, and what you should not assume.","md",null,{},{"title":64,"description":721},"uGImR-BZEOgrprivGRowSYqFlmOg-USUYKZTw0jR8ZM",[728,730],{"title":60,"path":61,"stem":62,"description":729,"children":-1},"What the module registers for you.",{"title":74,"path":75,"stem":76,"description":731,"children":-1},"Protect routes using generic field matching on AuthUser.",1782807287102]