github logto-io/logto v1.40.0

logto-changelog-2026-05

Highlights

  • Audit logs time-range picker: Scope the audit log to a bounded time window (preset windows plus a custom range), backed by a server-side count cap that keeps large-volume tenants responsive.
  • Organization membership webhook deltas: Organization.Membership.Updated now reports exactly which users and applications were added or removed.
  • Faster organizations at scale: New secondary indexes and query rewrites speed up membership listing and per-user role lookups on large tenants.
  • Air-gapped & self-hosted friendliness: A new --dapc install/seed flag and DB-direct admin signing keys remove outbound-network and DNS friction for OSS deployments.
  • New connectors: MailJunky email, SMSBao SMS, and the Aliyun SMS authentication service connector, plus Aliyun Direct Mail regions and richer WeCom profiles.

New features & enhancements

Audit logs time-range picker

  • The Console audit logs page now ships a time-range picker with a default window of the last 7 days. Presets cover Last 1 hour / Last 24 hours / Last 7 days / Last 30 days, plus a custom date range.
  • The API gains start_time and end_time query parameters on GET /api/logs and GET /api/hooks/{id}/recent-logs (exclusive bounds, unix milliseconds). On GET /api/hooks/{id}/recent-logs, supplying either bound replaces the default 24-hour lower bound.
  • A new enableCap=true query parameter on GET /api/logs and GET /api/hooks/{id}/recent-logs short-circuits the count query at ~10,000 rows to reduce statement_timeout risk on very large log volumes. Capped responses return a Total-Number-Is-Capped: true header, and the Console renders a Prev/Next layout in that case. Default behavior (without the param) is unchanged.
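As an added example (not Logto's own code), a small client for the new audit-log parameters: it walks a closed time window in chunks, widens each query by 1 ms to compensate for the exclusive bounds, and reads the capped-count header. The `Total-Number` header, the function names and the sample values are assumptions.

```typescript
// Added example (not Logto's own code). Exercises the new audit-log parameters:
// start_time/end_time are exclusive unix-millisecond bounds, and enableCap=true
// may come back with a Total-Number-Is-Capped: true header.

interface ClosedRange { fromMs: number; toMs: number } // both ends inclusive

/** Split a closed range into contiguous closed sub-ranges of at most chunkMs. */
function chunkClosedRange(range: ClosedRange, chunkMs: number): ClosedRange[] {
  const out: ClosedRange[] = [];
  for (let from = range.fromMs; from <= range.toMs; from += chunkMs) {
    out.push({ fromMs: from, toMs: Math.min(from + chunkMs - 1, range.toMs) });
  }
  return out;
}

/** Build GET /api/logs for a closed range. Both API bounds are exclusive, so the
 *  query is widened by 1 ms on each side; otherwise an event stamped exactly on a
 *  chunk boundary would fall between two adjacent chunks and be lost. */
function buildLogsUrl(base: string, range: ClosedRange, enableCap = false): string {
  const url = new URL('/api/logs', base);
  url.searchParams.set('start_time', String(range.fromMs - 1));
  url.searchParams.set('end_time', String(range.toMs + 1));
  if (enableCap) url.searchParams.set('enableCap', 'true');
  return url.toString();
}

/** Case-insensitive header lookup (HTTP header names are case-insensitive). */
function header(headers: Record<string, string>, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

interface LogsPageInfo { total: number; capped: boolean; pagination: 'numbered' | 'prev-next' }

/** Total-Number is assumed from Logto's usual pagination headers; Total-Number-Is-Capped
 *  is the header this release introduces. A capped total is only a lower bound, so
 *  numbered page links would be misleading; fall back to Prev/Next. */
function interpretLogsResponse(headers: Record<string, string>): LogsPageInfo {
  const capped = header(headers, 'Total-Number-Is-Capped') === 'true';
  const total = Number(header(headers, 'Total-Number') ?? '0');
  return { total, capped, pagination: capped ? 'prev-next' : 'numbered' };
}

// Constructed sample: a 7-day window ending at a fixed instant, walked in 24 h chunks.
const DAY_MS = 24 * 60 * 60 * 1000;
const END_MS = 1800000000000;
const sampleChunks = chunkClosedRange({ fromMs: END_MS - 7 * DAY_MS + 1, toMs: END_MS }, DAY_MS);
const sampleUrl = buildLogsUrl('https://auth.example.com', sampleChunks[0], true);
const sampleInfo = interpretLogsResponse({ 'total-number': '10000', 'total-number-is-capped': 'true' });
```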

Organization membership webhook deltas

  • The Organization.Membership.Updated webhook payload is enriched with explicit delta fields: addedUserIds / removedUserIds and addedApplicationIds / removedApplicationIds across the user and application membership endpoints, plus addedUserIds on invitation accept and just-in-time provisioning (email-domain JIT and enterprise SSO JIT).
  • Empty deltas are omitted; each delta array is capped at 5000 entries (reconcile bulk changes via GET /organizations/:id/users or .../applications). This is an additive, non-breaking change — see the webhook reference.

Account API: sessions isCurrent

  • GET /api/my-account/sessions now returns isCurrent: boolean on every entry, so session-management UIs can mark the "This device" entry and avoid revoking the caller's own session. The admin user-sessions endpoints are unchanged.

Performance for large organizations

  • GET /organizations/:id/users is rewritten to aggregate roles via a LATERAL subquery, so LIMIT prunes the user set before role lookups instead of materializing the full members × roles join on every page.
  • New secondary indexes speed up reverse lookups: organization_user_relations (tenant_id, user_id) (hit on every sign-in and the membership middleware) and organization_role_user_relations (tenant_id, organization_id, user_id) (hit by getUserScopes and per-user role joins).
  • PUT /organizations/:id/users now uses a new delta-based replaceWithDelta() query that writes only the rows that actually changed, preserving role assignments for members whose membership survives the update.
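As an added example (not Logto's own code), the delta computation shared by a replaceWithDelta()-style write and the Organization.Membership.Updated delta fields from the webhook section above: only changed rows are written, survivors keep their roles, empty deltas are omitted, arrays are capped at 5000, and a receiver checks for a possibly truncated delta. The MemberRow shape, function names and sample ids are assumptions.

```typescript
// Added example (not Logto's own code): the delta computation behind a
// replaceWithDelta()-style write and the Organization.Membership.Updated
// delta fields (empty deltas omitted, each array capped at 5000 entries).

interface MemberRow { userId: string; roleIds: string[] } // current membership + roles
interface MembershipDelta { addedUserIds?: string[]; removedUserIds?: string[] }

const DELTA_CAP = 5000;

interface ReplaceResult {
  toInsert: string[];      // new membership rows to write
  toDelete: string[];      // membership rows to remove (their roles go with them)
  untouched: MemberRow[];  // survivors: not rewritten, so role assignments persist
  webhookDelta: MembershipDelta;
}

/** What a PUT /organizations/:id/users must actually write, given the current
 *  rows and the desired user set, plus the webhook delta it should emit. */
function replaceWithDelta(current: MemberRow[], desiredUserIds: string[]): ReplaceResult {
  const desired = new Set(desiredUserIds);
  const currentIds = new Set(current.map((m) => m.userId));
  const toInsert = Array.from(desired).filter((id) => !currentIds.has(id));
  const toDelete = current.filter((m) => !desired.has(m.userId)).map((m) => m.userId);
  const untouched = current.filter((m) => desired.has(m.userId));
  const webhookDelta: MembershipDelta = {};
  if (toInsert.length > 0) webhookDelta.addedUserIds = toInsert.slice(0, DELTA_CAP);
  if (toDelete.length > 0) webhookDelta.removedUserIds = toDelete.slice(0, DELTA_CAP);
  return { toInsert, toDelete, untouched, webhookDelta };
}

/** Receiver side: an array at exactly the cap may have been truncated, so the
 *  consumer should reconcile against GET /organizations/:id/users instead. */
function needsReconcile(delta: MembershipDelta): boolean {
  return [delta.addedUserIds, delta.removedUserIds].some(
    (ids) => ids !== undefined && ids.length >= DELTA_CAP,
  );
}

// Constructed sample: u2 leaves, u4 joins, u1 and u3 keep their roles.
const currentMembers: MemberRow[] = [
  { userId: 'u1', roleIds: ['admin'] },
  { userId: 'u2', roleIds: ['member'] },
  { userId: 'u3', roleIds: [] },
];
const sampleResult = replaceWithDelta(currentMembers, ['u1', 'u3', 'u4']);
```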

OpenAPI: accurate arbitrary-object types

  • Arbitrary JSON object schemas now declare additionalProperties: true in the OpenAPI document, so generated TypeScript clients (e.g. @logto/api) type fields such as customData as { [key: string]: unknown } instead of Record<string, never>.

Bug fixes & stability

Experience

  • Terms agreement on sign-in-to-registration: When the agreement policy is ManualRegistrationOnly, signing in with an unregistered email or phone and then confirming "create a new account" now prompts the terms agreement before the account is created, matching the dedicated registration and social/SSO flows.

Account Center

  • Initial password setup: Users with no password, no primary email, and no primary phone can now set their initial password without a verification record through the Account API.
  • Silent re-authentication: On a user-info error (e.g. a stale access token after switching users in the same browser), Account Center re-authenticates with prompt=none instead of forcing the login screen, falling back to prompt=login only when no valid session exists.
  • Expired sessions: Expired Account Center sessions now redirect cleanly without flashing the manual sign-in error.
  • Social linking callback: The social linking callback is rendered through React Router so connectorId is read correctly, fixing a spurious "social sign-in method is not enabled" error.
  • 2-step verification label: Clarified the Account Center 2-step verification toggle label.

Internationalization

  • Corrected the Chinese translation of "Passkey" in the MFA experience phrases.

Self-hosting & OSS notes

  • Air-gapped admin setup (--dapc): The install and db seed commands accept a new --dapc flag (alias --disable-admin-pwned-password-check). It seeds the admin password policy with the Have I Been Pwned breach check disabled, so the first admin sign-up no longer hangs when api.pwnedpasswords.com is unreachable.
  • Admin signing keys read from the database: OSS deployments now read the admin tenant signing keys directly from the database, removing the extra host/DNS mappings that previously let the container fetch its own admin tenant OIDC configuration through the external endpoint.
  • Database migration required: This release ships schema alterations (the new organization-relation indexes and additional internal columns). After upgrading, run the database alteration command (npm run alteration deploy in the @logto/cli/core image, or logto db alteration deploy) before starting the new version. See the upgrade guide.

Connectors

  • New — MailJunky email connector: Send transactional auth emails via the MailJunky send API.
  • New — SMSBao SMS connector: Domestic SMS verification flows via SMSBao.
  • New — Aliyun SMS authentication service connector: Adds the Aliyun SMS authentication (MAS) service.
  • Aliyun Direct Mail regions: The Aliyun DM connector now supports configuring the Direct Mail region.
  • WeCom: Fetches richer user profile details via additional API calls.
  • SMTP: The auth config may now omit user and pass, so relays that authorize by source (e.g. IP/VLAN) can be configured without supplying placeholder credentials.
  • Connector Kit: Tightened email branding URL detection to avoid false positives on dotted abbreviations.

Contributors

Huge thanks to the community members whose work shipped in this release:

For the complete list of changes, see the full changelog.
