State mismatch error when signing in with social providers in Next.js integration since v1.4.4

[Cybermb]

Is this suited for github?

• Yes, this is suited for github

To Reproduce

https://github.com/Cybermb/better-auth-new-nextjs-sso-issue

1. Clone the reproduction repository.

2. Set the required environment variables.

3. Run the development server.

4. Click the sign-in button.

5. Authenticate using GitHub (also reproducible with Google and Discord).

6. Observe the error after redirect.

Current vs. Expected behavior

When signing in using a social provider via the client library (not a server action), an error is thrown during the callback phase:

APIError [Error [APIError]: ] {
  status: 'FOUND',
  body: undefined,
  headers: Headers {
    'set-cookie': '__Secure-better-auth.state=; Max-Age=0; Secure, __Secure-better-auth.session_token=JbFVwakAGlkSJ7Ro5p3e8jXFb6JUzJLe.ymH39VA4gTmnmfWOSVph8GnCh1flVoZ2qrsU9zgPVrs%3D; Max-Age=604800; Path=/; HttpOnly; Secure; SameSite=None',
    location: 'http://localhost:3000'
  },
  statusCode: 302
}

The error indicates a state mismatch, even though:

• The state parameter appears to be present in the callback URL.

• Authentication ultimately succeeds.

• A valid session cookie is set.

• The user is redirected correctly.

Expected behavior:

• No error should be thrown during a successful OAuth sign-in flow.

• State validation should pass when using the client-side sign-in API, as it did prior to v1.4.4.

What version of Better Auth are you using?

1.4.4-1.4.9

System info

{
  "system": {
    "platform": "win32",
    "arch": "x64",
  },
  "node": {
    "version": "v22.19.0",
    "env": "production"
  },
  "packageManager": {
    "name": "npm",
    "version": "9.6.6"
  },
  "frameworks": [
    {
      "name": "next",
      "version": "^16.1.1"
    },
    {
      "name": "react",
      "version": "^19.0.0"
    }
  ],
  "databases": [
    {
      "name": "@prisma/client",
      "version": "^6.6.0"
    }
  ],
  "betterAuth": {
    "version": "1.4.4-beta.1",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

Additional context

This issue appears to have been introduced in version 1.4.4. Downgrading to v1.4.3 resolves the problem. Occurs when using the Next.js integration. Sign-in is initiated via the client library, not a server action. Reproducible locally in development. The OAuth flow completes successfully despite the error being thrown.

Reproducible with multiple providers:

• GitHub
• Google
• Discord

[better-auth-agent]

It seems you've encountered a "state mismatch" error when trying to sign in with social providers using Better Auth in your Next.js application. This issue has been noted by others in the community and appears to have been introduced with version 1.4.4 of Better Auth.

To tackle this, here are a few suggestions:

1. Environment Variables: Double-check that your environment variables are correctly configured for the OAuth authentication process. Ensure all required values such as client IDs and secrets are set correctly.

2. Session Management: Since this issue happens even though authentication succeeds, confirm that session management is aligned with your OAuth flow. Problems can arise if session tokens are not being handled properly.

3. Error Tracking: Investigate the logs for more detailed error messages during the authentication process. This can help identify if there's a specific point at which things are going wrong.

4. Downgrade: If possible, try downgrading to version 1.4.3, as it resolves the issue according to your observations and works without throwing errors during the OAuth flow [2].

A community member noted similar experiences and mentioned that they resolved issues by focusing on the session states and ensuring proper integration with their social providers [4].

If you need additional support or if none of the above steps work, I recommend tagging @Bekacru or @ping__ for guidance tailored to your specific setup.

Have you had a chance to try any of these approaches, or do you have other details you’d like to explore?

If you need more help, tag @better-auth-agent in a comment so I can respond.

Diagram • Discord • GitHub

[dosubot]

Hi @Cybermb! I'm Dosu and I’m helping the better-auth team.

The "state mismatch" error in Better Auth v1.4.4+ for Next.js integrations is caused by stricter OAuth state cookie validation introduced in that version. The callback now requires the OAuth state cookie to be present and match the state parameter; if not, it throws a state mismatch error—even if authentication succeeds and the session cookie is set. This typically happens when the OAuth sign-in is initiated server-side or from a Next.js Server Component, where the cookie isn't set in the browser and is missing during callback validation. Downgrading to v1.4.3 works because earlier versions did not enforce this check, allowing the flow to succeed even if the cookie was missing or mismatched [issue discussion].

To resolve this in affected versions, initiate OAuth sign-in from a Next.js Client Component using the better-auth client library so the state cookie is set in the browser and available during callback [discussion]. You can also manually configure the state cookie attributes in your Better Auth config to use SameSite=None and Secure=true for better cookie propagation:

advanced: {
  cookies: {
    state: {
      attributes: {
        sameSite: "none",
        secure: true,
      }
    }
  }
}

[issue]

There is a config option skipStateCookieCheck (added in v1.4.4) that bypasses state cookie validation, but this is only recommended for development or staging due to security risks [PR].

If you use the Next.js integration's nextCookies plugin, it can help replay set-cookie headers into Next.js cookies, but it may cause crashes if used outside request scope or in certain monorepo setups [source].

For production, always initiate social sign-in from the client and ensure all app URLs are listed in trustedOrigins to avoid state mismatch errors [issue].

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[bytaesu]

Hi @Cybermb, I'll look into this!

[bytaesu]

Hi @Cybermb,

I couldn't reproduce this in the same environment. Could you try again? 🤔

And, you don't need to explicitly specify socialProviders.github.redirectURI

If you run into any blockers, I can help 🙂

---

record.mov

[Cybermb]

Hey @bytaesu
I do see you get same error (0:02-0:03) as I do

As noted, the OAuth flow completes successfully despite the error being thrown.

I did not get into this reproduction but one my production apps are appending error=please_restart_the_process in url after user singin. I believe that is caused by this issue. Nevermind, it was unrelated to this issue

[bytaesu]

Hi @Cybermb,

When using pnpm instead of yarn, the logs disappear.

It seems the filtering that disables logs on HTTP 302 redirects (not actual error) doesn't work correctly with yarn for now 🤔

Will look into this

[tjx666]

I use pnpm also occur this when sign with google

• "better-auth": "^1.4.6"
• repo: https://github.com/lobehub/lobe-chat/tree/dev

⏺ POST /api/auth/sign-in/social 200 in 965ms (compile: 28ms, proxy.ts: 5ms, render: 932ms)
  2025-12-30T09:15:17.252Z ERROR [Better Auth]: APIError [Error [APIError]: ] {
    status: 'FOUND',
    body: undefined,
    headers: Headers {
      'set-cookie': 'better-auth.state=; Max-Age=0, better-auth.session_token=<REDACTED_SESSION_TOKEN>; Max-Age=604800; Path=/; HttpOnly; SameSite=Lax, better-auth.session_data=<REDACTED_SESSION_DATA>; Max-Age=600; Path=/; HttpOnly; SameSite=Lax',
      location: '/'
    },
    statusCode: 302
  }
   GET /api/auth/callback/google?state=<REDACTED_STATE>&code=<REDACTED_CODE>&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&prompt=none 302 in 4.3s (compile: 8ms, proxy.ts: 1842µs, render: 4.3s)
  [rewrite] / -> /zh-CN__0__dark

[tjx666]

After I lock betterauth version to 1.4.6, this error disappear

[himself65]

After I lock betterauth version to 1.4.6, this error disappear

I will take a look

[ItayElgazar]

Is this solved?