better-auth
diff --git a/‎packages/better-auth/src/api/routes/password.ts‎
Lines changed: 1 addition & 1 deletion b/‎packages/better-auth/src/api/routes/password.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/better-auth/src/api/routes/update-user.ts‎
Lines changed: 3 additions & 1 deletion b/‎packages/better-auth/src/api/routes/update-user.ts‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎packages/better-auth/src/db/internal-adapter.test.ts‎
Lines changed: 2 additions & 2 deletions b/‎packages/better-auth/src/db/internal-adapter.test.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/better-auth/src/db/internal-adapter.ts‎
Lines changed: 46 additions & 21 deletions b/‎packages/better-auth/src/db/internal-adapter.ts‎
Lines changed: 46 additions & 21 deletions
diff --git a/‎packages/better-auth/src/plugins/email-otp/routes.ts‎
Lines changed: 30 additions & 29 deletions b/‎packages/better-auth/src/plugins/email-otp/routes.ts‎
Lines changed: 30 additions & 29 deletions
diff --git a/‎packages/better-auth/src/plugins/magic-link/index.ts‎
Lines changed: 6 additions & 6 deletions b/‎packages/better-auth/src/plugins/magic-link/index.ts‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎packages/better-auth/src/plugins/mcp/index.ts‎
Lines changed: 4 additions & 4 deletions b/‎packages/better-auth/src/plugins/mcp/index.ts‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎packages/better-auth/src/plugins/oidc-provider/index.ts‎
Lines changed: 8 additions & 8 deletions b/‎packages/better-auth/src/plugins/oidc-provider/index.ts‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎packages/better-auth/src/plugins/one-time-token/index.ts‎
Lines changed: 2 additions & 2 deletions b/‎packages/better-auth/src/plugins/one-time-token/index.ts‎
Lines changed: 2 additions & 2 deletions
@@ -308,7 +308,7 @@ export const resetPassword = createAuthEndpoint(
 		} else {
 			await ctx.context.internalAdapter.updatePassword(userId, hashedPassword);
 		}
-		await ctx.context.internalAdapter.deleteVerificationValue(verification.id);
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(id);
 
 		if (ctx.context.options.emailAndPassword?.onPasswordReset) {
 			const user = await ctx.context.internalAdapter.findUserById(userId);
 
@@ -643,7 +643,9 @@ export const deleteUserCallback = createAuthEndpoint(
 		await ctx.context.internalAdapter.deleteUser(session.user.id);
 		await ctx.context.internalAdapter.deleteSessions(session.user.id);
 		await ctx.context.internalAdapter.deleteAccounts(session.user.id);
-		await ctx.context.internalAdapter.deleteVerificationValue(token.id);
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+			`delete-account-${ctx.query.token}`,
+		);
 
 		deleteSessionCookie(ctx);
 
 
@@ -233,13 +233,13 @@ describe("internal adapter test", async () => {
 	});
 
 	it("should delete verification by value with hooks", async () => {
-		const verification = await internalAdapter.createVerificationValue({
+		await internalAdapter.createVerificationValue({
 			identifier: `test-id-1`,
 			value: "test-id-1",
 			expiresAt: new Date(Date.now() + 1000),
 		});
 
-		await internalAdapter.deleteVerificationValue(verification.id);
+		await internalAdapter.deleteVerificationByIdentifier("test-id-1");
 		expect(hookVerificationDeleteBefore).toHaveBeenCalledOnce();
 		expect(hookVerificationDeleteAfter).toHaveBeenCalledOnce();
 	});
 
@@ -1139,19 +1139,6 @@ export const createInternalAdapter = (
 
 			return (verification[0] as Verification) || null;
 		},
-		/**
-		 * Note: In secondary-only mode, this is a no-op since secondary storage
-		 * is keyed by identifier, not id. Use deleteVerificationByIdentifier instead.
-		 */
-		deleteVerificationValue: async (id: string) => {
-			if (!secondaryStorage || options.verification?.storeInDatabase) {
-				await deleteWithHooks(
-					[{ field: "id", value: id }],
-					"verification",
-					undefined,
-				);
-			}
-		},
 		deleteVerificationByIdentifier: async (identifier: string) => {
 			const storageOption = getStorageOption(
 				identifier,
@@ -1174,17 +1161,55 @@ export const createInternalAdapter = (
 				);
 			}
 		},
-		updateVerificationValue: async (
-			id: string,
+		updateVerificationByIdentifier: async (
+			identifier: string,
 			data: Partial<Verification>,
 		) => {
-			const verification = await updateWithHooks<Verification>(
-				data,
-				[{ field: "id", value: id }],
-				"verification",
-				undefined,
+			const storageOption = getStorageOption(
+				identifier,
+				options.verification?.storeIdentifier,
+			);
+			const storedIdentifier = await processIdentifier(
+				identifier,
+				storageOption,
 			);
-			return verification;
+
+			if (secondaryStorage) {
+				const cached = await secondaryStorage.get(
+					`verification:${storedIdentifier}`,
+				);
+				if (cached) {
+					const parsed = safeJSONParse<Verification>(cached);
+					if (parsed) {
+						const updated = { ...parsed, ...data };
+						const expiresAt = updated.expiresAt ?? parsed.expiresAt;
+						const ttl = getTTLSeconds(
+							expiresAt instanceof Date ? expiresAt : new Date(expiresAt),
+						);
+						if (ttl > 0) {
+							await secondaryStorage.set(
+								`verification:${storedIdentifier}`,
+								JSON.stringify(updated),
+								ttl,
+							);
+						}
+						if (!options.verification?.storeInDatabase) {
+							return updated;
+						}
+					}
+				}
+			}
+
+			if (!secondaryStorage || options.verification?.storeInDatabase) {
+				const verification = await updateWithHooks<Verification>(
+					data,
+					[{ field: "identifier", value: storedIdentifier }],
+					"verification",
+					undefined,
+				);
+				return verification;
+			}
+			return data as Verification;
 		},
 	};
 };
@@ -378,25 +378,26 @@ export const checkVerificationOTP = (opts: RequiredEmailOTPOptions) =>
 			if (!verificationValue) {
 				throw APIError.from("BAD_REQUEST", ERROR_CODES.INVALID_OTP);
 			}
+			const otpIdentifier = `${ctx.body.type}-otp-${email}`;
 			if (verificationValue.expiresAt < new Date()) {
-				await ctx.context.internalAdapter.deleteVerificationValue(
-					verificationValue.id,
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+					otpIdentifier,
 				);
 				throw APIError.from("BAD_REQUEST", ERROR_CODES.OTP_EXPIRED);
 			}
 
 			const [otpValue, attempts] = splitAtLastColon(verificationValue.value);
 			const allowedAttempts = opts?.allowedAttempts || 3;
 			if (attempts && parseInt(attempts) >= allowedAttempts) {
-				await ctx.context.internalAdapter.deleteVerificationValue(
-					verificationValue.id,
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+					otpIdentifier,
 				);
 				throw APIError.from("FORBIDDEN", ERROR_CODES.TOO_MANY_ATTEMPTS);
 			}
 			const verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);
 			if (!verified) {
-				await ctx.context.internalAdapter.updateVerificationValue(
-					verificationValue.id,
+				await ctx.context.internalAdapter.updateVerificationByIdentifier(
+					otpIdentifier,
 					{
 						value: `${otpValue}:${parseInt(attempts || "0") + 1}`,
 					},
@@ -1097,9 +1098,10 @@ export const requestEmailChangeEmailOTP = (opts: RequiredEmailOTPOptions) =>
 				if (!currentEmailVerificationValue) {
 					throw APIError.from("BAD_REQUEST", ERROR_CODES.INVALID_OTP);
 				}
+				const currentEmailIdentifier = `email-verification-otp-${email}`;
 				if (currentEmailVerificationValue.expiresAt < new Date()) {
-					await ctx.context.internalAdapter.deleteVerificationValue(
-						currentEmailVerificationValue.id,
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+						currentEmailIdentifier,
 					);
 					throw APIError.from("BAD_REQUEST", ERROR_CODES.OTP_EXPIRED);
 				}
@@ -1109,8 +1111,8 @@ export const requestEmailChangeEmailOTP = (opts: RequiredEmailOTPOptions) =>
 				);
 				const allowedAttempts = opts?.allowedAttempts || 3;
 				if (attempts && parseInt(attempts) >= allowedAttempts) {
-					await ctx.context.internalAdapter.deleteVerificationValue(
-						currentEmailVerificationValue.id,
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+						currentEmailIdentifier,
 					);
 					throw APIError.from("FORBIDDEN", ERROR_CODES.TOO_MANY_ATTEMPTS);
 				}
@@ -1122,16 +1124,16 @@ export const requestEmailChangeEmailOTP = (opts: RequiredEmailOTPOptions) =>
 					ctx.body.otp,
 				);
 				if (!verified) {
-					await ctx.context.internalAdapter.updateVerificationValue(
-						currentEmailVerificationValue.id,
+					await ctx.context.internalAdapter.updateVerificationByIdentifier(
+						currentEmailIdentifier,
 						{
 							value: `${otpValue}:${parseInt(attempts || "0") + 1}`,
 						},
 					);
 					throw APIError.from("BAD_REQUEST", ERROR_CODES.INVALID_OTP);
 				}
-				await ctx.context.internalAdapter.deleteVerificationValue(
-					currentEmailVerificationValue.id,
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+					currentEmailIdentifier,
 				);
 			} else {
 				if (ctx.body.otp) {
@@ -1265,34 +1267,35 @@ export const changeEmailEmailOTP = (opts: RequiredEmailOTPOptions) =>
 			if (!verificationValue) {
 				throw APIError.from("BAD_REQUEST", ERROR_CODES.INVALID_OTP);
 			}
+			const changeEmailIdentifier = `change-email-otp-${email}-${newEmail}`;
 			if (verificationValue.expiresAt < new Date()) {
-				await ctx.context.internalAdapter.deleteVerificationValue(
-					verificationValue.id,
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+					changeEmailIdentifier,
 				);
 				throw APIError.from("BAD_REQUEST", ERROR_CODES.OTP_EXPIRED);
 			}
 
 			const [otpValue, attempts] = splitAtLastColon(verificationValue.value);
 			const allowedAttempts = opts?.allowedAttempts || 3;
 			if (attempts && parseInt(attempts) >= allowedAttempts) {
-				await ctx.context.internalAdapter.deleteVerificationValue(
-					verificationValue.id,
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+					changeEmailIdentifier,
 				);
 				throw APIError.from("FORBIDDEN", ERROR_CODES.TOO_MANY_ATTEMPTS);
 			}
 
 			const verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);
 			if (!verified) {
-				await ctx.context.internalAdapter.updateVerificationValue(
-					verificationValue.id,
+				await ctx.context.internalAdapter.updateVerificationByIdentifier(
+					changeEmailIdentifier,
 					{
 						value: `${otpValue}:${parseInt(attempts || "0") + 1}`,
 					},
 				);
 				throw APIError.from("BAD_REQUEST", ERROR_CODES.INVALID_OTP);
 			}
-			await ctx.context.internalAdapter.deleteVerificationValue(
-				verificationValue.id,
+			await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+				changeEmailIdentifier,
 			);
 
 			const currentUser =
@@ -1371,8 +1374,8 @@ async function atomicVerifyOTP(
 	}
 
 	if (verificationValue.expiresAt < new Date()) {
-		await ctx.context.internalAdapter.deleteVerificationValue(
-			verificationValue.id,
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+			identifier,
 		);
 		throw APIError.from("BAD_REQUEST", ERROR_CODES.OTP_EXPIRED);
 	}
@@ -1381,16 +1384,14 @@ async function atomicVerifyOTP(
 	const allowedAttempts = opts?.allowedAttempts || 3;
 
 	if (attempts && parseInt(attempts) >= allowedAttempts) {
-		await ctx.context.internalAdapter.deleteVerificationValue(
-			verificationValue.id,
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+			identifier,
 		);
 		throw APIError.from("FORBIDDEN", ERROR_CODES.TOO_MANY_ATTEMPTS);
 	}
 
 	// Atomically delete token before verification to prevent race condition
-	await ctx.context.internalAdapter.deleteVerificationValue(
-		verificationValue.id,
-	);
+	await ctx.context.internalAdapter.deleteVerificationByIdentifier(identifier);
 
 	const verified = await verifyStoredOTP(ctx, opts, otpValue, providedOTP);
 
 
@@ -354,8 +354,8 @@ export const magicLink = (options: MagicLinkOptions) => {
 						redirectWithError("INVALID_TOKEN");
 					}
 					if (tokenValue.expiresAt < new Date()) {
-						await ctx.context.internalAdapter.deleteVerificationValue(
-							tokenValue.id,
+						await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+							storedToken,
 						);
 						redirectWithError("EXPIRED_TOKEN");
 					}
@@ -369,13 +369,13 @@ export const magicLink = (options: MagicLinkOptions) => {
 						attempt?: number | undefined;
 					};
 					if (attempt >= opts.allowedAttempts) {
-						await ctx.context.internalAdapter.deleteVerificationValue(
-							tokenValue.id,
+						await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+							storedToken,
 						);
 						redirectWithError("ATTEMPTS_EXCEEDED");
 					}
-					await ctx.context.internalAdapter.updateVerificationValue(
-						tokenValue.id,
+					await ctx.context.internalAdapter.updateVerificationByIdentifier(
+						storedToken,
 						{
 							value: JSON.stringify({
 								email,
 
@@ -489,8 +489,8 @@ export const mcp = (options: MCPOptions) => {
 						});
 					}
 
-					await ctx.context.internalAdapter.deleteVerificationValue(
-						verificationValue.id,
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+						code.toString(),
 					);
 
 					if (!client_id) {
@@ -612,8 +612,8 @@ export const mcp = (options: MCPOptions) => {
 					}
 
 					const requestedScopes = value.scope;
-					await ctx.context.internalAdapter.deleteVerificationValue(
-						verificationValue.id,
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+						code.toString(),
 					);
 					const accessToken = generateRandomString(32, "a-z", "A-Z");
 					const refreshToken = generateRandomString(32, "A-Z", "a-z");
 
@@ -594,8 +594,8 @@ export const oidcProvider = (options: OIDCOptions) => {
 					}
 
 					if (!ctx.body.accept) {
-						await ctx.context.internalAdapter.deleteVerificationValue(
-							verification.id,
+						await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+							consentCode,
 						);
 						return ctx.json({
 							redirectURI: `${value.redirectURI}?error=access_denied&error_description=User denied access`,
@@ -605,8 +605,8 @@ export const oidcProvider = (options: OIDCOptions) => {
 					const codeExpiresInMs =
 						(opts?.codeExpiresIn ?? DEFAULT_CODE_EXPIRES_IN) * 1000;
 					const expiresAt = new Date(Date.now() + codeExpiresInMs);
-					await ctx.context.internalAdapter.updateVerificationValue(
-						verification.id,
+					await ctx.context.internalAdapter.updateVerificationByIdentifier(
+						consentCode,
 						{
 							value: JSON.stringify({
 								...value,
@@ -812,8 +812,8 @@ export const oidcProvider = (options: OIDCOptions) => {
 						});
 					}
 
-					await ctx.context.internalAdapter.deleteVerificationValue(
-						verificationValue.id,
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+						code.toString(),
 					);
 					if (!client_id) {
 						throw new APIError("UNAUTHORIZED", {
@@ -921,8 +921,8 @@ export const oidcProvider = (options: OIDCOptions) => {
 					}
 
 					const requestedScopes = value.scope;
-					await ctx.context.internalAdapter.deleteVerificationValue(
-						verificationValue.id,
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+						code.toString(),
 					);
 					const accessToken = generateRandomString(32, "a-z", "A-Z");
 					const refreshToken = generateRandomString(32, "A-Z", "a-z");
 
@@ -183,8 +183,8 @@ export const oneTimeToken = (options?: OneTimeTokenOptions | undefined) => {
 							message: "Invalid token",
 						});
 					}
-					await c.context.internalAdapter.deleteVerificationValue(
-						verificationValue.id,
+					await c.context.internalAdapter.deleteVerificationByIdentifier(
+						`one-time-token:${storedToken}`,
 					);
 					if (verificationValue.expiresAt < new Date()) {
 						throw c.error("BAD_REQUEST", {
Original file line number	Diff line number	Diff line change
`@@ -308,7 +308,7 @@ export const resetPassword = createAuthEndpoint(`
`308`	`308`	`} else {`
`309`	`309`	`await ctx.context.internalAdapter.updatePassword(userId, hashedPassword);`
`310`	`310`	`}`
`311`		`- await ctx.context.internalAdapter.deleteVerificationValue(verification.id);`
	`311`	`+ await ctx.context.internalAdapter.deleteVerificationByIdentifier(id);`
`312`	`312`
`313`	`313`	`if (ctx.context.options.emailAndPassword?.onPasswordReset) {`
`314`	`314`	`const user = await ctx.context.internalAdapter.findUserById(userId);`