Using access control with the organisation client causes a huge bundle size.

[irishgreencitrus]

Is this suited for github?

• Yes, this is suited for github

To Reproduce

1. Create a better-auth instance as shown in the docs using any framework with a bundler.
2. Add the organisation plugin to the server.
3. Add the organisationClient plugin to the client.
   Create custom access control e.g.:

import { createAccessControl } from 'better-auth/plugins';
import {
	adminAc,
	defaultStatements,
	memberAc,
	ownerAc
} from 'better-auth/plugins/organization/access';

export const statement = {
	...defaultStatements,
	site: ['create', 'update', 'delete'],
} as const;

export const ac = createAccessControl(statement);

export const owner = ac.newRole({
	...ownerAc.statements,
	site: ['create', 'update', 'delete'],
});

export const admin = ac.newRole({
	...adminAc.statements,
	site: ['create', 'update', 'delete']
});

export const editor = ac.newRole({
       ...memberAc.statements,
       site: ['update']
});

export const member = ac.newRole({
	...memberAc.statements
});

4. Doing as the docs say, import this file both into the server and the client.
5. Watch your client bundle size explode!

Current vs. Expected behavior

The current behaviour is that using access control on the client causes server dependencies to be pulled into the client. This should either be resolved or an alternative package for defining access control on the client should be provided.

What version of Better Auth are you using?

1.4.17

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 25.2.0: Tue Nov 18 21:08:48 PST 2025; root:xnu-12377.61.12~1/RELEASE_ARM64_T8132",
    "release": "25.2.0",
    "cpuCount": 10,
    "cpuModel": "Apple M4",
    "totalMemory": "16.00 GB",
    "freeMemory": "0.15 GB"
  },
  "node": {
    "version": "v25.4.0",
    "env": "development"
  },
  "packageManager": {
    "name": "pnpm",
    "version": "10.28.1"
  },
  "frameworks": [
    {
      "name": "svelte",
      "version": "^5.46.4"
    },
    {
      "name": "@sveltejs/kit",
      "version": "^2.49.5"
    }
  ],
  "databases": [
    {
      "name": "pg",
      "version": "^8.17.2"
    },
    {
      "name": "drizzle",
      "version": "^1.0.0-beta.12-a5629fb"
    }
  ],
  "betterAuth": {
    "version": "^1.4.17",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Client, Backend

Auth config (if applicable)

import { betterAuth } from 'better-auth/minimal';
import { drizzleAdapter } from '@better-auth/drizzle-adapter';
import { db } from '../db/db';
import { sveltekitCookies } from 'better-auth/svelte-kit';
import { getRequestEvent } from '$app/server';
import * as authSchema from '../db/schema/auth-schema';
import { admin, organization } from 'better-auth/plugins';
import {
	ac,
	admin as adminRole,
	approver,
	inviter,
	member,
	office,
	owner,
	siteManager
} from '$lib/permissions';

export const auth = betterAuth({
	emailAndPassword: {
		enabled: true
	},
	plugins: [
		admin(),
		organization({
			teams: { enabled: false },
			ac,
			roles: {
				owner,
				admin: adminRole,
				approver,
				office,
				siteManager,
				inviter,
				member
			}
		}),
		sveltekitCookies(getRequestEvent)
	],
	database: drizzleAdapter(db, {
		provider: 'pg',
		schema: authSchema
	})
});

Additional context

Removing the access control from the client causes the bundle to shrink down as expected, but without the niceties of typescript typing.

[dosubot]

Hi @irishgreencitrus! I'm Dosu and I’m helping the better-auth team.

The bundle size explosion happens because importing access control helpers (like createAccessControl) and organization access statements from better-auth/plugins or better-auth/plugins/organization/access pulls in server-side dependencies—like kysely, database adapters, and even zod—into your client bundle. This is due to how some plugins and helpers are structured: client and server logic are bundled together, and some imports (especially from better-auth/plugins) re-export server code, which bundlers like Vite or Webpack can't always tree-shake away, even if you only use types or type-only imports. This is a known issue in Better Auth's package structure see discussion.

To avoid this, only import client plugins from better-auth/client/plugins in your client code, and never import from better-auth, better-auth/plugins, or any server adapter/config in client files see workaround. For access control, import createAccessControl from better-auth/plugins/access, not from better-auth/plugins. Also, split your permissions and plugin code into separate files for server and client, and avoid re-exporting client plugins from server plugin index files. For shared types, put them in files that don't import any server code, and use import type for types to help bundlers skip runtime code.

If you're using Vite, add optimizeDeps: { exclude: ['better-auth'] } to your config to help prevent server code from leaking into the client bundle see Vite workaround.

The underlying cause is that the access control helper imports BetterAuthError from @better-auth/core/error, which pulls in a chain of utilities and dependencies (like zod) that you don't need on the client. Fixing this fully would require Better Auth to refactor its client/server separation or provide a lightweight client-only access control helper see technical note.

For now, the best practice is to strictly separate your client and server imports, use the correct entrypoints, and avoid re-exports that mix client and server code. This will keep your client bundle lean while retaining TypeScript type safety.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[irishgreencitrus]

@dosu The documentation should be updated to reflect the fact that importing from 'better-auth/plugins' instead of the correct 'better-auth/plugins/access' in the 'permission.ts' file will make your bundle size be huge as access control is one of the areas in the docs where it recommends sharing a file between client and server.

[dosubot]

You're absolutely right—there's currently no warning in the docs about the bundle size impact of importing from 'better-auth/plugins' instead of 'better-auth/plugins/access' in shared permission files. While the official documentation does show the correct import path for createAccessControl and recommends sharing the permissions file between client and server, it doesn't mention that using the wrong path can pull in server dependencies and dramatically increase your client bundle size (source, docs).

The technical reason is that 'better-auth/plugins' re-exports server-side modules, so if you use that path in a shared file, your bundler will include things like Kysely, Zod, and other backend dependencies in your client build (source). IntelliSense can sometimes suggest the shorter path, which makes this easy to miss.

Best practice: always use 'better-auth/plugins/access' for access control in shared files, and audit your imports to avoid accidental server code in the client. Until the docs are updated, it's worth adding a comment in your own codebase to warn teammates about this pitfall.

If you want to avoid this issue right now, double-check your import paths and use explicit client-only entrypoints for anything that runs in the browser.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}