#missmatch


west shadow BOT
#

Hi @iron citrus. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

#

This error is coming from Better Auth, not from Convex Auth itself, and the provided knowledge only touches Better Auth–Convex integration at a high level. There’s no explicit mention of a state_mismatch error in the sources, so I can’t give a definitive, step‑by‑step fix; I can only point to likely misconfiguration areas.

From the logs:

location: 'https://be-ntc.com/api/auth/error?error=state_mismatch'

Better Auth is redirecting to your app with error=state_mismatch during the Google callback at:

GET /api/auth/callback/google on your Convex deployment.

Based on the available docs and Discord threads, the most relevant things to double‑check are:

  1. Callback URL and base URL alignment

    For Convex + OAuth, the provider’s callback must point at your Convex HTTP Actions URL (the .site URL), with the correct path, e.g.:

    https://<your-deployment>.convex.site/api/auth/callback/google

    This must exactly match what you configured in the Google console. [Google OAuth; General OAuth]

    Also ensure you’re not accidentally mixing .cloud and .site URLs; Better Auth routes must be hit via the .site URL when exposed through Convex HTTP actions. [Better Auth 404]

  2. SITE_URL / CUSTOM_AUTH_SITE_URL / Better Auth baseURL consistency

    • Convex Auth expects SITE_URL (and optionally CUSTOM_AUTH_SITE_URL) to be set correctly for your environment. [OAuth production; Custom callback URLs]
    • Better Auth also has its own baseURL option; in a Convex integration, that should be consistent with where the browser is actually starting the OAuth flow and where the callback returns.
    • A mismatch between where the flow starts (e.g. https://be-ntc.com/...) and where the callback is handled (https://<deployment>.convex.site/...) can cause state verification to fail.

  3. Environment separation (dev vs prod)

    If you have separate Google OAuth “apps” for dev and prod (recommended), make sure:

    • The Google client ID/secret you set in Convex env vars (AUTH_GOOGLE_ID, AUTH_GOOGLE_SECRET) belong to the same Google project whose callback URL you configured. [Google OAuth; OAuth production]

  4. Routing through your own domain

    Your error redirect is going to https://be-ntc.com/api/auth/error..., which suggests you may be proxying or rewriting between your domain and Convex. The Better Auth + Convex 404 thread shows that mis‑routing between .cloud and .site can break things; a similar mis‑routing could also break the state cookie or parameter handling. [Better Auth 404]

Because the sources don’t include Better Auth’s internal state_mismatch docs or a concrete example of this exact error, I can’t say more precisely what in your setup is wrong. If you share:

  • Your Google OAuth callback URL as configured in Google,
  • The Convex HTTP actions URL,
  • How you set baseURL in Better Auth and any SITE_URL / CUSTOM_AUTH_SITE_URL in Convex,

then the next step would be to verify that all four are consistent and that the browser always stays on a single origin for the start and end of the OAuth flow.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

#

@iron citrus Kapa.ai is still learning and improving, please let me know how I did by reacting below.

iron citrus
#

@west shadow '2026-01-12T09:10:34.731Z ERROR [Better Auth]: APIError' { [APIError] status: 'FOUND', body: undefined, headers: Headers { 'set-cookie': '__Secure-better-auth.session_token=cQCGkBcuTYAO19MiJpNN6Wffv2QmyYMi.ddRYjJPQVxYzJinHLPiOG4Jy6LMWLYXLJOdO%2B6nUr6g%3D; Max-Age=604800; Path=/; HttpOnly; Secure; SameSite=Lax', location: 'bentc:///' }, statusCode: 302, name: 'APIError' }

west shadow BOT
#

Let me check the knowledge base for you again. One moment! :books:

#

This log line is just Better Auth reporting a successful redirect, not an error in the OAuth flow itself.

From the APIError object:

  • status: 'FOUND', statusCode: 302 – this is an HTTP 302 redirect.
  • headers.location: 'bentc:///' – Better Auth is redirecting the browser to your custom scheme bentc:///.
  • set-cookie: __Secure-better-auth.session_token=... – a Better Auth session cookie is being set.

In Convex + Better Auth, redirects after sign‑in are controlled by:

For React Native / mobile, the recommended pattern is to allow absolute redirect URIs (like myapp://...) via a custom redirect callback, and then pass the full URI from the client. [SITE_URL mobile]

So, seeing location: 'bentc:///' means:

  • Your redirect callback (or default behavior plus redirectTo) is returning bentc:///.
  • Better Auth is issuing a 302 to that URI and setting the session cookie on the Convex domain.

If this is not the redirect you want, check:

  1. What redirectTo you pass into signIn("google", { redirectTo }).
  2. Your redirect callback in the Convex Auth / Better Auth config, and ensure it returns the correct URL(s) you intend to support. [ConvexAuthConfig; SITE_URL mobile]

The knowledge sources don’t include Better Auth’s internal error handling, but nothing here indicates a failed login—only that Better Auth is redirecting to bentc:/// with a session cookie set.

iron citrus
#

@west shadow 1/12/2026, 10:30:38 AM [CONVEX H(GET /api/auth/callback/google)] [ERROR] '2026-01-12T09:30:38.829Z ERROR [Better Auth]: APIError' { [APIError] status: 'FOUND', body: undefined, headers: Headers { 'set-cookie': 'better-auth.session_token=tiCHrYFfaTMDfjDET0nCSecjuCsd0UyX.YH%2BuEpslmyLuPx7ux7jFf1qoAbQFxY3C9V2iGIcY7G4%3D; Max-Age=604800; Path=/; HttpOnly; SameSite=Lax', location: 'bentc:///' }, statusCode: 302, name: 'APIError' }

west shadow BOT
#

Let me check the knowledge base for you again. One moment! :books:

#

This log line indicates that the Google OAuth callback reached your Convex HTTP action and Better Auth completed the flow, then issued a redirect — it is not a failed OAuth exchange by itself.

From the entry:

  • status: 'FOUND', statusCode: 302 → HTTP 302 redirect.
  • headers.location: 'bentc:///' → Better Auth is redirecting to your custom scheme bentc:///.
  • set-cookie: better-auth.session_token=...; Max-Age=604800; Path=/; HttpOnly; SameSite=Lax → a Better Auth session cookie was set on the Convex domain.

This matches the expected pattern for social sign‑in with Convex + Better Auth, where:

  • The OAuth provider callback hits your Convex .site URL, e.g.
    https://<deployment>.convex.site/api/auth/callback/google. [Google OAuth; General OAuth]
  • Better Auth then sets its session cookie and redirects to whatever URL you’ve configured (here: bentc:///), typically via redirectTo and/or a redirect callback. [ConvexAuthConfig; SITE_URL mobile thread]

So:

  • If your app is not opening on bentc:///, the issue is likely on the client side (deep‑link / scheme handling), not in Convex/Better Auth.
  • If bentc:/// is not the URL you intend, check:
    • What you pass as redirectTo when calling signIn("google", { redirectTo }).
    • Any custom redirect callback in your Convex Auth / Better Auth config, and ensure it returns the correct URL(s). [ConvexAuthConfig]

The knowledge sources don’t document Better Auth’s logging format, so I can’t change how it logs this 302 as an APIError, but functionally this line shows a successful callback + redirect, not an OAuth failure.
