`/sign-in/email-otp` OpenAPI spec missing `requestBody`

[JohnCido]

Is this suited for github?

• Yes, this is suited for github

Reproduction

1. Add openAPI and emailOTP plugin
2. Download the OpenAPI spec from /[basePath]/open-api/generate-schema

Current vs. Expected behavior

...
"/sign-in/email-otp": {
  "post": {
    "tags": [
      "Email-otp"
    ],
    "description": "Sign in with email and OTP",
    "operationId": "signInWithEmailOTP",
    "security": [
      {
        "bearerAuth": []
      }
    ],
    "parameters": [],
    "responses": {
...

...
"/sign-in/email-otp": {
  "post": {
    "tags": [
      "Email-otp"
    ],
    "description": "Sign in with email and OTP",
    "operationId": "signInWithEmailOTP",
    "security": [
      {
        "bearerAuth": []
      }
    ],
    "parameters": [],
+   "requestBody" {...},
    "responses": {
...

What version of Better Auth are you using?

1.6.11

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 25.4.0: Thu Mar 19 19:30:44 PDT 2026; root:xnu-12377.101.15~1/RELEASE_ARM64_T6000",
    "release": "25.4.0",
    "cpuCount": 8,
    "cpuModel": "Apple M1 Pro",
    "totalMemory": "16.00 GB",
    "freeMemory": "0.21 GB"
  },
  "node": {
    "version": "v25.7.0",
    "env": "development"
  },
  "packageManager": {
    "name": "bun",
    "version": "1.2.23"
  },
  "frameworks": null,
  "databases": null,
  "betterAuth": {
    "version": "Unknown",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Backend, Other

Auth config (if applicable)

betterAuth({
    appName: '***',
    baseURL: ***,
    basePath: '/auth',
    database: drizzleAdapter(db, {
      provider: 'pg',
      usePlural: true,
    }),
    user: {
      ***
    },
    secret: ***,
    socialProviders: {
      apple: {
        clientId: ***,
        clientSecret: ***,
        appBundleIdentifier: ***,
        audience: [***],
      },
      google: {
        clientId: ***,
        clientSecret: ***,
      },
    },
    trustedOrigins: ['https://appleid.apple.com'],
    advanced: {
      database: {
        generateId: false,
      },
      cookiePrefix: '***',
      disableCSRFCheck: true,
      ipAddress: {
        ipAddressHeaders: [***],
      },
    },
    plugins: [
      bearer(),
      openAPI(),
      dash({
        apiKey: ***,
      }),
      admin({
        ac,
        roles: {
          ***
        },
      }),
      emailOTP({
        sendVerificationOTP: ***,
        otpLength: 6,
        storeOTP: 'hashed',
      }),
    ],
    telemetry: {
      enabled: false,
    },
  })

Additional context

No response

[dosubot]

This is a duplicate of #9298 [1], which covers the same missing requestBody across all emailOTP endpoints. The same root cause also affects the phone-number plugin (#8122) [2].

Root cause: The OpenAPI generator's processZodType function has no handler for ZodIntersection types. The signInEmailOTP endpoint uses .and(z.record(z.string(), z.any())) on its body schema, and the generator silently drops the requestBody when it encounters that type .

No fix has been merged to main or next as of today.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.