
Password Confirmation

Password confirmation re-verifies a user's current password through Better Auth to clear a sensitive-action step-up — no new login and no password change.

Password confirmation is one of the three sensitive-action verification methods. The user re-enters their current password to prove identity before a dangerous action proceeds.

How it works

The password is checked through Better Auth's own verifier (security/passwordConfirmation.ts). This is not a new login and not a password change; it only confirms the existing credential. On success the backend mints a short-lived grant scoped to that one action, and the original request is retried with it. Because the grant is bound to the action, it cannot be reused for a different sensitive action or after it expires.

The plaintext password is never stored or logged. The audit log records that a verification happened, never the secret itself.

Availability

Password confirmation is only offered to accounts that have a password. OAuth-only and magic-link users have no password to confirm, so they are automatically routed to email verification codes instead. Every account type therefore always has at least one available method.

Rate limiting

Wrong-password attempts are limited by the sensitivePasswordConfirm rule in rateLimit.ts (5 attempts per 15 minutes, keyed per user and action). See Rate Limiting.
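The confirmation flow from "How it works" and the rate limit above, as an added TypeScript example written for this page rather than the project's own security/passwordConfirmation.ts or rateLimit.ts. The Better Auth verifier is replaced by an assumed callback, the grant format (HMAC-SHA256 over JSON claims) and its five-minute lifetime are assumptions, the failure counter is an in-process map, and the audit log is an in-memory array.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Stand-in for Better Auth's verifier (assumed signature): true when the
// plaintext matches the stored credential. The plaintext is passed through
// and never stored or logged here.
type PasswordVerifier = (userId: string, password: string) => boolean;

// Limits as described for the sensitivePasswordConfirm rule:
// 5 wrong attempts per 15 minutes, keyed per user and action.
const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;
// Assumed grant lifetime; the page only says "short-lived".
const GRANT_TTL_MS = 5 * 60 * 1000;

interface FailureWindow { count: number; resetAt: number; }
const failures = new Map<string, FailureWindow>();

function limitKey(userId: string, action: string): string {
  return `${userId}:${action}`;
}

function isRateLimited(userId: string, action: string, now: number): boolean {
  const w = failures.get(limitKey(userId, action));
  return w !== undefined && now < w.resetAt && w.count >= MAX_FAILURES;
}

// Only wrong-password attempts count; a fresh window opens on the first failure.
function recordFailure(userId: string, action: string, now: number): void {
  const key = limitKey(userId, action);
  const w = failures.get(key);
  if (!w || now >= w.resetAt) {
    failures.set(key, { count: 1, resetAt: now + WINDOW_MS });
  } else {
    w.count += 1;
  }
}

// Grant format (assumed): base64url(JSON claims) "." base64url(HMAC-SHA256).
// The claims bind the user, the action and an expiry, so a grant issued for
// one action cannot be replayed for another or used after it expires.
function mintGrant(secret: Buffer, userId: string, action: string, now: number): string {
  const claims = { sub: userId, act: action, exp: now + GRANT_TTL_MS, jti: randomBytes(8).toString("hex") };
  const payload = Buffer.from(JSON.stringify(claims));
  const mac = createHmac("sha256", secret).update(payload).digest();
  return `${payload.toString("base64url")}.${mac.toString("base64url")}`;
}

// Check run by the sensitive action on retry: MAC first (constant time),
// then user, action and expiry.
function verifyGrant(secret: Buffer, grant: string, userId: string, action: string, now: number): boolean {
  const parts = grant.split(".");
  if (parts.length !== 2) return false;
  const payload = Buffer.from(parts[0], "base64url");
  const given = Buffer.from(parts[1], "base64url");
  const expected = createHmac("sha256", secret).update(payload).digest();
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  let claims: { sub?: unknown; act?: unknown; exp?: unknown };
  try { claims = JSON.parse(payload.toString("utf8")); } catch { return false; }
  return claims.sub === userId && claims.act === action && typeof claims.exp === "number" && now < claims.exp;
}

// Audit record: who, which action, what happened, when. Never the password.
interface AuditEvent { userId: string; action: string; outcome: "ok" | "bad_password" | "rate_limited"; at: number; }
const audit: AuditEvent[] = [];

interface ConfirmResult { grant?: string; error?: "bad_password" | "rate_limited"; }

// Core of the confirmation endpoint: rate-limit check, credential check,
// then a grant the client presents when it retries the sensitive action.
function confirmPassword(verify: PasswordVerifier, secret: Buffer, userId: string, action: string, password: string, now: number): ConfirmResult {
  if (isRateLimited(userId, action, now)) {
    audit.push({ userId, action, outcome: "rate_limited", at: now });
    return { error: "rate_limited" };
  }
  if (!verify(userId, password)) {
    recordFailure(userId, action, now);
    audit.push({ userId, action, outcome: "bad_password", at: now });
    return { error: "bad_password" };
  }
  failures.delete(limitKey(userId, action)); // success clears the failure window
  audit.push({ userId, action, outcome: "ok", at: now });
  return { grant: mintGrant(secret, userId, action, now) };
}
```

Two points the code makes explicit: the counter key includes the action, so five wrong attempts against one action do not block confirmation for another, and the grant carries the action name, so a grant obtained for one step-up is rejected by any other. A deployment with more than one backend instance would keep the failure counters in a shared store rather than a per-process map.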
