github logto-io/logto v1.32.0

17 hours ago

logto-changelog-2025-09-30 (1)

Email and phone MFA

You can now let users choose either email or phone number for MFA, and verify them with OTP codes.

  • Add two new MFA factors: Email verification code and SMS (phone) verification code.
  • Support binding these factors during registration or first sign-in when MFA is required.
  • Support verifying these factors on subsequent sign-ins with dedicated MFA verification pages.
  • Update Console to configure these factors and surface guidance/conflict warnings.
  • Support customizing forgot password methods in Sign-in Experience (related).

To learn more about this feature, please refer to the documentation: https://docs.logto.io/end-user-flows/mfa

Support OIDC standard authentication parameter ui_locales

Logto now supports the standard OIDC ui_locales auth parameter for customizing the language of the authentication pages. You can pass the ui_locales parameter to the signIn method via the extraParams option in all Logto SDKs.

What it does

  • Determines the UI language of the Logto-hosted sign-in experience at runtime. Logto picks the first language tag in ui_locales that is supported in your tenant's language library.
  • Affects email localization for messages triggered by the interaction (e.g., verification code emails).
  • Exposes the original value to email templates as a variable uiLocales, allowing you to include it in the email subject/content if needed.

Example

If you want to display the sign-in page in French (Canada), you can do it like this:

await logtoClient.signIn({
  redirectUri: "https://your.app/callback",
  extraParams: {
    ui_locales: "fr-CA fr en",
  },
});

Refer to the documentation for more details.
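
The selection rule described under "What it does", as an added example (not Logto's own code): it picks the first supported tag from a ui_locales value and rebuilds the value from validated tags before it is used as the uiLocales template variable, since the parameter arrives in the authentication request and should be treated as untrusted input. The function names, the simplified tag pattern, exact case-insensitive matching and the fallback language are assumptions.

```javascript
// Added illustration; not Logto's implementation.
// Simplified language-tag shape (assumption): hyphen-separated alphanumeric subtags.
const TAG_PATTERN = /^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$/;

// Split the space-separated ui_locales value and keep only well-formed tags.
// Anything with markup, control characters or other junk is dropped.
function parseUiLocales(raw, maxTags = 10) {
  if (typeof raw !== "string") return [];
  return raw
    .slice(0, 256) // bound the work done on an oversized parameter
    .split(/\s+/)
    .filter((tag) => TAG_PATTERN.test(tag))
    .slice(0, maxTags);
}

// Return the first requested tag found in the tenant's language list,
// or the fallback when none matches (fallback behaviour is an assumption).
function pickLocale(raw, supported, fallback) {
  const byLower = new Map(supported.map((tag) => [tag.toLowerCase(), tag]));
  for (const tag of parseUiLocales(raw)) {
    const match = byLower.get(tag.toLowerCase());
    if (match) return match;
  }
  return fallback;
}

// Value safe to interpolate into an email subject or body:
// rebuilt from validated tags only, never the raw request string.
function safeUiLocalesForTemplate(raw) {
  return parseUiLocales(raw).join(" ");
}

// Constructed sample data.
const tenantLanguages = ["en", "fr", "de"];
console.log(pickLocale("fr-CA fr en", tenantLanguages, "en"));
console.log(pickLocale("xx-YY", tenantLanguages, "en"));
console.log(JSON.stringify(safeUiLocalesForTemplate("fr-CA\r\nfr <b>en</b>")));
```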

Support configuring Twilio risk control

You can now disable Twilio's built-in risk check by setting the "Disable risk check" option in the connector configuration.

X connector email address syncing

You can now add the users.email scope to sync users' email addresses from X accounts.

Bug fixes

  • Bind WebAuthn rpId to request domain for Account API: The rpId now matches the domain you use to access the API (including custom domains), consistent with the sign-in experience.

Full Changelog: v1.31.1...v1.32.0
