Bearer 2FA

I’m using the bearer plugin for the auth flow because of a Tauri mobile app. Default login is working fine: when I receive a token, I just put it inside localStorage and that’s all. The problem is when I need to sign in with TOTP enabled: after sign-in I receive ‘twoFactorEnabled’ and a request for a TOTP code, but I cannot verify it because the token that we have is not linked to any session yet. I see some other cookies that I can’t use because of the Tauri cookie limitation, such as 2fa, don’t remember and others. @Better Auth can you please provide a doc link that defines a flow that uses no cookies but has the 2FA, trust device and remember me features working?
1 Reply
Better Auth (2w ago)
Hey there! Currently, the TOTP flow in Better Auth is designed to work with cookies—for example, the 2FA (and trust device/remember me) flows rely on cookies (like the two_factor cookie) to store the pending verification state [1], [13]. When using the Bearer plugin for a Tauri mobile app, those cookies aren’t available, so while your default login via bearer works fine (storing the token in localStorage as described in our Bearer documentation [11]), the 2FA endpoints will expect that extra cookie to link the verification process.

At this time, we don’t have a dedicated documentation page that outlines a completely cookie-less flow for 2FA while still supporting trust device or remember me features. If you need a cookie-free setup, you’d have to implement custom logic—for example, persisting the pending 2FA state and tying it back to the bearer token (or a similar identifier stored securely on the client). This custom approach would mimic the session linkage that our default 2FA flow manages via cookies.

I hope that clarifies things! Let me know if you have any more questions or need further guidance.

Sources:
[1] Two-Factor Authentication (2FA) | Better Auth
[11] Bearer Token Authentication | Better Auth
[13] Cookies | Better Auth
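One way to persist the pending 2FA state server-side and tie it to an identifier the client holds instead of a cookie, as the reply above suggests. This is an added example, not Better Auth code or its API: `startChallenge`, `finishChallenge`, `getSecret`, the in-memory `Map`, the limits and the returned `sessionToken` placeholder are all assumptions, and trust device / remember me are not covered.

```javascript
// Added example (hypothetical names throughout; not part of Better Auth).
const nodeCrypto = require("node:crypto");

const STEP = 30, DIGITS = 6, TTL_MS = 5 * 60_000, MAX_ATTEMPTS = 5;
// Keyed by a hash of the challenge token, so a leak of this store does not
// hand out usable challenges. Use a shared store (DB/Redis) in production.
const pending = new Map(); // sha256(token) -> { userId, expires, attempts }
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest("hex");

// RFC 6238 TOTP (HMAC-SHA1, 30 s step) for a raw secret Buffer at time nowMs.
function totp(secret, nowMs) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(nowMs / 1000 / STEP)));
  const mac = nodeCrypto.createHmac("sha1", secret).update(counter).digest();
  const off = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(off) & 0x7fffffff;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, "0");
}

// Step 1: password was correct and 2FA is enabled. Return an opaque,
// short-lived challenge token; it grants no API access by itself.
function startChallenge(userId, nowMs = Date.now()) {
  const token = nodeCrypto.randomBytes(32).toString("base64url");
  pending.set(sha256(token), { userId, expires: nowMs + TTL_MS, attempts: 0 });
  return token;
}

// Step 2: client sends the challenge token plus the TOTP code.
function finishChallenge(token, code, getSecret, nowMs = Date.now()) {
  const key = sha256(String(token));
  const entry = pending.get(key);
  if (!entry || entry.expires < nowMs) {
    pending.delete(key);
    return { ok: false, reason: "invalid_challenge" };
  }
  if (++entry.attempts > MAX_ATTEMPTS) { // bound online guessing of the code
    pending.delete(key);
    return { ok: false, reason: "too_many_attempts" };
  }
  const given = String(code);
  const secret = getSecret(entry.userId); // assumed lookup of the user's TOTP secret
  // Accept one step of clock drift either side; compare in constant time.
  const match = /^\d{6}$/.test(given) && [-1, 0, 1].some((w) => nodeCrypto.timingSafeEqual(
    Buffer.from(given), Buffer.from(totp(secret, nowMs + w * STEP * 1000))));
  if (!match) return { ok: false, reason: "bad_code" };
  pending.delete(key); // single use: a replayed challenge token is rejected
  // Placeholder: create the real session here and return its bearer token.
  const sessionToken = nodeCrypto.randomBytes(32).toString("base64url");
  return { ok: true, userId: entry.userId, sessionToken };
}
```

The client keeps the challenge token only in memory for the duration of the code prompt and stores the bearer token only after `finishChallenge` succeeds.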
