Confused about cookie domain/trustedOrigins

Looking at the Cookies docs the example for cross subdomain cookies looks like this.
```ts
import { betterAuth } from "better-auth"

export const auth = betterAuth({
    advanced: {
        crossSubDomainCookies: {
            enabled: true,
            domain: "app.example.com", // your domain
        },
    },
    trustedOrigins: [
        'https://example.com',
        'https://app1.example.com',
        'https://app2.example.com',
    ],
})
```
My understanding is this would scope auth cookies to the ‘app’ subdomain only. But that makes me wonder why the root and other subdomains would be included in the trustedOrigins if they can’t read/write auth, like what can they do? Also does the ‘app’ subdomain not need to be included in the array?
Ping (2mo ago)
I think that's an error in the docs, I'll fix it
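
The scoping question above can be checked against the RFC 6265 domain-match rule that browsers apply to a cookie's `Domain` attribute. This is an added example, not part of the thread and not Better Auth code; the `example.com` comparison value and the `api.app.example.com` host are assumptions made for illustration.

```javascript
// RFC 6265 section 5.1.3 domain-match: a request host matches a cookie's
// Domain attribute if it is identical, or if it ends with "." + domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  // A leading dot in the attribute is ignored (RFC 6265 section 5.2.3).
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  // IP-literal hosts never suffix-match.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Split a list of origins into hosts that would be sent the cookie
// and hosts that would not.
function cookieReach(origins, cookieDomain) {
  const result = { sent: [], notSent: [] };
  for (const origin of origins) {
    const host = new URL(origin).hostname;
    (domainMatches(host, cookieDomain) ? result.sent : result.notSent).push(host);
  }
  return result;
}

// Origins from the docs snippet, plus the "app" host the question asks
// about and one constructed nested host.
const origins = [
  "https://example.com",
  "https://app1.example.com",
  "https://app2.example.com",
  "https://app.example.com",
  "https://api.app.example.com", // constructed
];

// Domain as written in the snippet: only app.example.com and hosts below it.
console.log(cookieReach(origins, "app.example.com"));
// Assumed alternative for comparison: the registrable domain reaches every host.
console.log(cookieReach(origins, "example.com"));
```

Only the `Domain` attribute is modelled here; `Path`, `Secure` and `SameSite` further restrict when a cookie is sent.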
