Password Confirmation
Password confirmation re-verifies a user's current password through Better Auth to clear a sensitive-action step-up — no new login and no password change.
Password confirmation is one of the three sensitive-action verification methods. The user re-enters their current password to prove identity before a dangerous action proceeds.
How it works
The password is checked through Better Auth's own verifier (security/passwordConfirmation.ts). This is not a new login and not a password change: it only confirms the existing credential. On success the backend mints a short-lived grant scoped to the user and the specific action, so it cannot be replayed against a different action, and the original action is retried.
The plaintext password is never stored or logged. The audit log records that a verification happened, never the secret itself.
Availability
Password confirmation is only offered to accounts that have a password. OAuth-only and magic-link users have no password to confirm, so they are automatically routed to email verification codes instead. Every account type therefore always has at least one available method.
Rate limiting
Wrong-password attempts are limited by the sensitivePasswordConfirm rule in rateLimit.ts (5 attempts per 15 minutes, keyed per user and action). See Rate Limiting.
Fresh Session
Fresh-session verification lets recently signed-in users clear low and medium-risk step-up checks without re-entering a credential.
Email Verification Codes
A 6-digit, single-use, hashed, rate-limited email code that clears a sensitive-action step-up for any account type — the universal verification fallback.