Highlights
- reCAPTCHA domain customization: You can now customize the domain for reCAPTCHA, enabling usage with alternative domains like
recaptcha.netfor regions where the default domain may be blocked. - reCAPTCHA Enterprise checkbox mode: Choose between invisible score-based verification or the classic "I'm not a robot" checkbox widget.
- Third-party SPA & Native apps: Previously limited to traditional web apps, you can now create third-party single-page applications (SPA) and native applications for more flexible OAuth/OIDC integration scenarios.
New features & enhancements
reCAPTCHA improvements
Domain customization
You can now customize the domain for reCAPTCHA. This is particularly useful for users in regions where the default google.com/recaptcha domain may be inaccessible, allowing them to use alternatives like recaptcha.net.
Enterprise checkbox mode
You can now choose between two verification modes for reCAPTCHA Enterprise:
- Invisible: Score-based verification that runs automatically in the background (default)
- Checkbox: Displays the "I'm not a robot" widget for user interaction
Note: The verification mode must match your reCAPTCHA key type configured in Google Cloud Console.
Third-party SPA & Native applications
Previously, only traditional web applications could be marked as third-party apps. Now you can also create third-party single-page applications (SPA) and native applications, enabling more flexible OAuth/OIDC integration scenarios.
Client IP in passwordless connector payload
The SendMessageData type now includes an optional ip field that contains the client IP address of the user who triggered the message. This can be used by HTTP email/SMS connectors for:
- Rate limiting
- Fraud detection
- Logging purposes
Email/SMS template fallback
Email and SMS connectors now fall back to TemplateType.Generic if a usage-specific template is not found. Additionally, the email template retrieval logic will also attempt to retrieve the generic template with default locale if both the locale-specific and fallback templates are unavailable.
Bug fixes & stability
SAML relay state length fix
The data type of the relay_state column in the saml_application_sessions table has been changed from varchar(256) to varchar(512) to accommodate longer Relay State values. This fix enables Firebase integration with Logto as a Service Provider, which previously failed due to relay state length constraints (approximately 300-400 characters).
Additionally, error handling logic in SAML authentication flow APIs has been improved to provide more straightforward error messages.
SAML app creation API parameter fix
Fixed the API parameter naming from "type" to "types" for SAML app creation, ensuring the filter works correctly and paywall calculations are accurate.