Skip to content

fix(agent-auth): claim before-hook by token typ, not JWT shape#31

Open
dbworku wants to merge 1 commit into
better-auth:mainfrom
dbworku:fix/agent-auth-token-ownership-matcher
Open

fix(agent-auth): claim before-hook by token typ, not JWT shape#31
dbworku wants to merge 1 commit into
better-auth:mainfrom
dbworku:fix/agent-auth-token-ownership-matcher

Conversation

@dbworku

@dbworku dbworku commented Jun 3, 2026

Copy link
Copy Markdown

The agent-auth before hook matched any request carrying a 3-segment Bearer JWT and then hard-rejected it with INVALID_JWT when the token's protected-header typ was not "host+jwt" or "agent+jwt". On a betterAuth() instance composed with another plugin that issues its own JWTs (e.g. @better-auth/infra's dash() plugin), this intercepted and 401'd requests the other plugin owned, before its routes could validate them.

Claim requests by token ownership instead: decode the protected header in the matcher and only handle tokens whose typ is "host+jwt"/"agent+jwt". Foreign Bearer JWTs now pass through untouched to the plugin that owns them.

Fixes better-auth/better-auth#9885

The agent-auth `before` hook matched any request carrying a 3-segment
Bearer JWT and then hard-rejected it with INVALID_JWT when the token's
protected-header `typ` was not "host+jwt" or "agent+jwt". On a betterAuth()
instance composed with another plugin that issues its own JWTs (e.g.
@better-auth/infra's dash() plugin), this intercepted and 401'd requests
the other plugin owned, before its routes could validate them.

Claim requests by token ownership instead: decode the protected header in
the matcher and only handle tokens whose `typ` is "host+jwt"/"agent+jwt".
Foreign Bearer JWTs now pass through untouched to the plugin that owns them.

Fixes better-auth/better-auth#9885
@vercel

vercel Bot commented Jun 3, 2026

Copy link
Copy Markdown

@dbworku is attempting to deploy a commit to the better-auth Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

agent-auth + infra plugin collision: before-hook throws INVALID_JWT on the dash plugin's own JWT

1 participant