How to add allowedAttempts for sendOTP

[MaksimPrudnikau]

In the current phoneNumber plugin configuration, there's an allowedAttempts limit for OTP verification attempts, but I also want to add rate-limiting to sendOTP method. For example, a user shouldn't be able to request the OTP more than once withing 5 minutes window. Is there a built-in way in betterAuth to handle this case or what are your advices to do so?

[dosubot[bot]]

Yes, better-auth has a built-in way to rate-limit the sendOTP endpoint. You can use the global rateLimit configuration with customRules to restrict how often a user can request an OTP. For your use case (max 1 request per 5 minutes), add this to your betterAuth config:

rateLimit: {
  enabled: true,
  customRules: {
    "/phone-number/send-otp": {
      window: 300, // 5 minutes in seconds
      max: 1,
    },
  },
  // For distributed/serverless setups, set storage: "database" or "secondary-storage"
}

This will limit each IP to one OTP request per 5 minutes on that endpoint. By default, rate limiting is IP+path-based, but you can customize the storage logic for per-user limits if needed. Rate limiting only applies to client-initiated requests, not server-side calls via auth.api (docs, code example). For distributed environments, use secondaryStorage or customStorage (e.g., Redis) to persist rate limit data (docs). No changes are needed in your sendOTP implementation itself—just configure the rate limiter as shown.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.

[MaksimPrudnikau]

@dosu Thanks for the answer!

I’ve configured rate limiting for the /phone-number/send-otp endpoint with a window of 300 seconds (5 min) and a max of 1 request, but the limit is not being enforced consistently. After sending an OTP client-side , refreshing the page (Next.js) allows another immediate OTP request, bypassing the rate limit.

Configuration:

  rateLimit: {
    enabled: true,
    window: 10,
    max: 3,

    customRules: {
      "/phone-number/send-otp": {
        window: 300, // 5 min
        max: 1,
      },
    },
  },

A phone number should be blocked from requesting another OTP for 5 minutes after the first attempt, regardless of page refreshes. Is there a misconfiguration?

[dosubot[bot]]

You're seeing the No IP address found for rate limiting error because Next.js middleware can't actually mutate request headers in a way that persists to downstream API handlers—setting request.headers.set("x-real-ip", "127.0.0.1") in middleware is local to that middleware and doesn't reach your API routes or better-auth logic. This is a known limitation of Next.js middleware, not a bug in better-auth or your config (details, discussion).

To fix this for local development, you need to inject the IP header at the proxy/load balancer layer (like with a custom dev proxy or reverse proxy), or have your client send the header directly. There’s no way to do this from within Next.js middleware itself. In production, make sure your proxy (e.g., Vercel, Nginx) forwards the real client IP in one of the headers you’ve configured (x-forwarded-for, x-real-ip) (docs).

If you want to confirm, try logging the headers in your API route or handler—x-real-ip won’t be present unless it was set by the client or a proxy, not by middleware.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.

[MaksimPrudnikau]

@dosu So how can I set x-real-ip with my client send the header directly?

[dosubot[bot]]

You can't set the x-real-ip header from browser JavaScript—it's a forbidden header, so fetch, axios, and XMLHttpRequest will silently ignore it for security reasons. This is by design to prevent IP spoofing from the client side. In production, x-real-ip (or x-forwarded-for) should always be set by a trusted proxy or load balancer (like Vercel, Nginx, etc.), not by the client, to ensure accurate rate limiting and prevent abuse details.

For local development, if you need to simulate an IP header, you have to use a custom proxy or a dev tool that injects the header before the request reaches your Next.js app—setting it in Next.js middleware doesn't work because headers are immutable and changes don't propagate downstream discussion. If you want to test rate limiting, you can use tools like curl or Postman to send requests with a custom x-real-ip header, but this won't work from the browser.

If you want an example of setting custom headers from the client, you can do so for allowed headers like Authorization or Cookie:

fetch("/api/endpoint", {
  headers: {
    "Authorization": "Bearer ...",
    // "x-real-ip": "127.0.0.1" // This will be ignored by browsers
  }
});

But again, x-real-ip is blocked by browsers. For real IP tracking, always rely on your proxy or dev proxy to set the header.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.

[MaksimPrudnikau]

@dosu How can I configure otp rate-limit only by phone number but without ip-check?

[dosubot[bot]]

You can configure OTP rate limiting by phone number only (no IP check) in better-auth using the customStorage option in your rateLimit config. With customStorage, you control the key used for rate limiting—so for /phone-number/send-otp, just extract the phone number from the request body and use it as the key. This bypasses IP checks entirely for that endpoint; rate limiting will be enforced per phone number, regardless of client IP or browser state docs, discussion.

Here’s a production-ready Redis example:

import { Redis } from '@upstash/redis';

export const redis = new Redis({
  url: process.env.UPSTASH_REDIS_REST_URL!,
  token: process.env.UPSTASH_REDIS_REST_TOKEN!,
});

const getPhoneNumberFromRequest = async (req: Request) => {
  try {
    const body = await req.clone().json();
    return typeof body.phoneNumber === "string" ? body.phoneNumber : undefined;
  } catch {
    return undefined;
  }
};

const phoneNumberRateLimitStorage = {
  get: async (key: string) => {
    const value = await redis.get(key);
    if (!value) return undefined;
    try {
      return JSON.parse(value as string); // { key, count, lastRequest }
    } catch {
      return undefined;
    }
  },
  set: async (key: string, value: any) => {
    await redis.set(key, JSON.stringify(value));
  },
};

export const auth = betterAuth({
  rateLimit: {
    enabled: true,
    customRules: {
      "/phone-number/send-otp": {
        window: 300, // 5 minutes
        max: 1,
      },
    },
    customStorage: {
      get: async (_key, req) => {
        if (req.url.endsWith("/phone-number/send-otp")) {
          const phoneNumber = await getPhoneNumberFromRequest(req);
          if (!phoneNumber) return undefined;
          return phoneNumberRateLimitStorage.get(phoneNumber);
        }
        return phoneNumberRateLimitStorage.get(_key);
      },
      set: async (_key, value, req) => {
        if (req.url.endsWith("/phone-number/send-otp")) {
          const phoneNumber = await getPhoneNumberFromRequest(req);
          if (!phoneNumber) return;
          return phoneNumberRateLimitStorage.set(phoneNumber, value);
        }
        return phoneNumberRateLimitStorage.set(_key, value);
      },
    },
  },
});

No extra config is needed to "disable" IP checks—just ensure your customStorage logic uses phone number as the key for the relevant endpoint source. For other endpoints, you can fall back to the default key or handle them as needed. Make sure to validate the presence of phoneNumber in the request body and use a persistent store like Redis for distributed setups.

To reply, just mention @dosu.

---

Share context across your team and agents. Try Dosu.