Highlights
- Link and unlink social logins from SDKs. End users can now connect or disconnect their OAuth/social providers themselves directly from the SDK, skipping the settings page.
- Account recovery by username. The account recovery flow now works for projects that use a username as the primary login ID, not just email or phone. (Custom UI/Auth Flow only.)
- Account lockout management. The Portal's User Details screen now shows a user's account lockout status and lets you reset it. The same is available through the Admin API via a new resetAccountLockout mutation, with audit logging for both.
- Redesigned Getting Started page. The Portal onboarding page has been rebuilt with a cleaner layout, clearer integration CTAs, and a responsive grid that adapts down to smaller screens.
- Project switcher in the Portal header. A project selector now lives in the header.
- Identities in the userinfo endpoint. The userinfo endpoint now returns an identities claim, including provider type, login ID type and key, and created/updated timestamps.
- Subresource Integrity (SRI). The Portal and AuthUI now emit SRI hashes and integrity-checked import maps for their bundled assets, hardening them against tampering.
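
How a build step can produce an integrity-checked import map and how a deployment check can verify served assets against it, as an added example that is not the project's own code. The asset paths, specifiers and function names are hypothetical, and the check fails closed on unpinned assets, which is stricter than a browser.

```javascript
const { createHash } = require("node:crypto");

const ALGS = ["sha256", "sha384", "sha512"]; // weakest to strongest

// SRI metadata for a byte buffer: "<alg>-<base64 digest>".
function sriHash(bytes, alg = "sha384") {
  return `${alg}-${createHash(alg).update(bytes).digest("base64")}`;
}

// Build an import map whose "integrity" section pins every module URL.
function buildImportMap(assets) {
  const map = { imports: {}, integrity: {} };
  for (const { specifier, url, bytes } of assets) {
    map.imports[specifier] = url;
    map.integrity[url] = sriHash(bytes);
  }
  return map;
}

// Check served bytes against the map. As in SRI, only the strongest
// algorithm listed for a URL is considered.
function verifyAsset(map, url, bytes) {
  const tokens = (map.integrity[url] || "")
    .split(/\s+/)
    .filter((t) => ALGS.includes(t.split("-")[0]));
  if (tokens.length === 0) return false; // unpinned: fail closed (assumption)
  const rank = Math.max(...tokens.map((t) => ALGS.indexOf(t.split("-")[0])));
  return tokens.includes(sriHash(bytes, ALGS[rank]));
}

// Constructed sample bundle (hypothetical paths and contents).
const assets = [
  { specifier: "app", url: "/static/app.js", bytes: Buffer.from("export const v = 1;\n") },
  { specifier: "vendor", url: "/static/vendor.js", bytes: Buffer.from("export default {};\n") },
];
const importMap = buildImportMap(assets);
console.log(JSON.stringify(importMap, null, 2));
console.log(verifyAsset(importMap, "/static/app.js", assets[0].bytes));
console.log(verifyAsset(importMap, "/static/app.js", Buffer.from("export const v = 2;\n")));
```

Running the same check in CI against the deployed bundle catches assets that were changed after the hashes were generated, before a browser refuses to load them.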
Other changes
- User Details now has a paginated User Activities tab in place of the old inline logs view.
- Social and enterprise login tables now show the OAuth provider alias.
- Login-link email templates are now shown in the MFA via Email tab.
- Fixed: fraud protection could not be turned off once enabled.
- Fixed: Portal crash when an unknown OAuth provider type was configured.
- Fixed: JWKS fetch failed with a 307 redirect when the internal endpoint was HTTP and the public endpoint was HTTPS.
- Fixed: clock skew on Admin API JWT verification and internal endpoint access.
- Fixed: required array fields could drop out of a YAML config round-trip.
- Other misc fixes