better-auth-one-time-token-session

v1.0.6

Published

One-time token session plugin for Better Auth

Downloads

119

Readme

one-time-token-session

A lightweight one-time token plugin for the Better Auth framework that generates temporary tokens for existing authenticated sessions. Unlike the official one-time-token plugin, this plugin doesn't require additional database tables and works with the existing verification system.

Note: This plugin requires an existing authenticated session to generate tokens. By default, verifying a token creates a new session (createSession: true).

Key Differences from Official Plugin

  • No Database Schema: Uses existing verification table instead of dedicated one-time-token table
  • Session-Based: Generates tokens for existing authenticated sessions
  • Simpler Setup: No additional database migrations required
  • Lightweight: Minimal configuration and setup

Installation

npm install better-auth

Your Plugin is Ready! 🎉

This package is already a complete Better Auth plugin. Users can:

Use it directly from Better Auth:

import { betterAuth } from "better-auth";
import { createAuthClient } from "better-auth/client";
import { oneTimeTokenSession } from "better-auth/plugins/one-time-token-session";
import { oneTimeTokenSessionClient } from "better-auth/plugins/one-time-token-session/client";

// Server
const auth = betterAuth({
  plugins: [oneTimeTokenSession()]
});

// Client
const authClient = createAuthClient({
  plugins: [oneTimeTokenSessionClient()]
});

Or as a standalone package:

import { oneTimeTokenSession } from "better-auth-one-time-token-session";

File Structure

The plugin consists of:

  • index.ts - Main plugin implementation
  • client.ts - Client-side plugin
  • utils.ts - Utility functions
  • README.md - Documentation
  • one-time-token.test.ts - Test suite

Usage

Basic Setup

import { betterAuth } from "better-auth"
import { oneTimeTokenSession } from "better-auth/plugins/one-time-token-session"

export const auth = betterAuth({
    // ... other config options
    plugins: [
        oneTimeTokenSession()
    ]
})

Client Setup

import { createAuthClient } from "better-auth/client"
import { oneTimeTokenSessionClient } from "better-auth/plugins/one-time-token-session/client"

export const authClient = createAuthClient({
    // ... other config options
    plugins: [
        oneTimeTokenSessionClient()
    ]
})

Configuration Options

oneTimeTokenSession({
    expiresIn: 5,              // Token expires in 5 minutes (default: 3)
    disableClientRequest: true, // Server-only token generation (default: false)
    createSession: false,       // Don't create new session on verify (default: true)
    storeToken: "hashed",      // Hash tokens in database (default: "plain")
})

API Methods

Generate Token

Requires existing authenticated session

// Server
const { token } = await auth.api.generateOneTimeToken({
    headers: { /* session headers */ }
})

// Client
const { token } = await authClient.oneTimeToken.generate({
    fetchOptions: {
        headers: { /* session headers */ }
    }
})

Verify Token

Creates new session by default

// Server
const { session, user, token } = await auth.api.verifyOneTimeToken({
    body: { token: "abc123" }
})

// Client
const response = await authClient.oneTimeToken.verify({ token: "abc123" })

Configuration Options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| expiresIn | number | 3 | Token expiration time in minutes |
| disableClientRequest | boolean | false | Only allow server-initiated token generation |
| createSession | boolean | true | Create new session when verifying token |
| storeToken | "plain" \| "hashed" \| CustomHasher | "plain" | How tokens are stored in database |
| generateToken | function | undefined | Custom token generation function |

Use Cases

  • Session Transfer: Move authenticated session to another device/browser
  • Temporary Links: Generate short-lived access links for authenticated users
  • API Handoff: Transfer session context to external services
  • Mobile Deep Links: Authenticate mobile app from web session

Security Notes

  • Tokens are single-use and automatically deleted after verification
  • Expired tokens are automatically cleaned up
  • Uses existing Better Auth verification system
  • No additional attack surface from new database tables
  • Use storeToken: "hashed" for additional security in production
  • Consider setting disableClientRequest: true for server-only token generation
  • Default expiration of 3 minutes provides good security/usability balance