Highlights
- Cross-app authentication stability: Authentication callbacks are now isolated per application within the same browser session, eliminating interference caused by shared _interaction cookies.
- New webhook event Identifier.Lockout: A new webhook event Identifier.Lockout is introduced, triggered when a user is locked out after repeated failed sign-in attempts.
- Improved refresh token reliability: Refresh tokens now correctly honor the configured 180-day TTL, resolving an issue where they previously expired after 14 days.
New features & enhancements
Cross-app authentication
Multiple applications can now initiate authentication in the same browser session without affecting each other.
- _interaction cookie now stores a structured mapping { [appId]: [interactionId] }.
- appId is propagated via URL parameters or headers to maintain isolation.
- Includes fallback logic for backward compatibility.
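The per-app cookie lookup described above, as an added example that is not the project's own code. It assumes the cookie value is URL-encoded JSON, that a pre-upgrade cookie holds one bare interaction ID, and that IDs match a simple pattern; all function names are hypothetical.

```javascript
// Added illustration, not the project's code. Assumed serialization: the cookie value
// is either a legacy bare interaction ID or URL-encoded JSON { [appId]: interactionId }.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,128}$/; // assumed shape of app and interaction IDs
const isId = (value) => typeof value === 'string' && ID_PATTERN.test(value);

function parseInteractionCookie(raw) {
  if (typeof raw !== 'string' || raw === '') return { kind: 'empty', map: {} };
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    return { kind: 'invalid', map: {} };
  }
  if (!decoded.startsWith('{')) {
    // Pre-upgrade cookie: a single interaction ID shared by every app.
    return isId(decoded)
      ? { kind: 'legacy', legacyId: decoded, map: {} }
      : { kind: 'invalid', map: {} };
  }
  try {
    const map = Object.create(null); // no inherited keys such as "constructor"
    for (const [appId, id] of Object.entries(JSON.parse(decoded))) {
      // Drop malformed entries instead of trusting client-supplied cookie content.
      if (isId(appId) && isId(id)) map[appId] = id;
    }
    return { kind: 'map', map };
  } catch {
    return { kind: 'invalid', map: {} };
  }
}

// Returns the interaction ID for one app, or undefined when that app has none.
function resolveInteractionId(raw, appId) {
  const cookie = parseInteractionCookie(raw);
  if (cookie.kind === 'legacy') return cookie.legacyId; // backward-compatible fallback
  if (cookie.kind !== 'map' || typeof appId !== 'string') return undefined;
  return cookie.map[appId]; // another app's entry is never returned
}

// Returns the new cookie value with only this app's entry added or replaced.
function setInteraction(raw, appId, interactionId) {
  if (!isId(appId) || !isId(interactionId)) throw new TypeError('invalid id');
  const { map } = parseInteractionCookie(raw);
  return encodeURIComponent(JSON.stringify({ ...map, [appId]: interactionId }));
}
```
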
Webhooks
New event: Identifier.Lockout
- Triggered when a user is locked out due to repeated failed sign-in attempts, enhancing security observability and automation.
Bug fixes & stability
Refresh token TTL fix
Addressed an issue where refresh tokens expired after 14 days due to an internal provider grant TTL cap.
- TTL now correctly aligns with the configured 180-day lifespan.
- Supports refresh token validity up to 180 days as intended.
Correct email verification code template selection during multi-step sign-up
Fixed a bug where the system incorrectly switched to MFA binding templates during multi-step sign-up flows.
- Sign-up templates are now selected correctly when email/phone identifiers are part of the ongoing sign-up process.
Case-insensitive SSO connectors domain matching
- SSO connector domains are now normalized to lowercase upon insertion.
- Prevents duplicate domain entries and ensures proper connector lookup.
- Domain matching during sign-in is now robustly case-insensitive.
