authgear/authgear-server

📦 Highlights

• Link and unlink social logins from SDKs. End users can now connect or disconnect their OAuth/social providers themselves directly from the SDK, skipping the setting page.
• Account recovery by username. The account recovery flow now works for projects that use a username as the primary login ID, not just email or phone. (Custom UI/Auth Flow only.)
• Account lockout management. The Portal's User Details screen now shows a user's account lockout status and lets you reset it. The same is available through the Admin API via a new `resetAccountLockout` mutation, with audit logging for both.
• Redesigned Getting Started page. The Portal onboarding page has been rebuilt with a cleaner layout, clearer integration CTAs, and a responsive grid that adapts down to smaller screens.
• Project switcher in the Portal header. A project selector now lives in the header.
• Identities in the userinfo endpoint. The userinfo endpoint now returns an `identities` claim, including provider type, login ID type and key, and created/updated timestamps.
• Subresource Integrity (SRI). The Portal and AuthUI now emit SRI hashes and integrity-checked import maps for their bundled assets, hardening them against tampering.

📋 Other changes

• User Details now has a paginated User Activities tab in place of the old inline logs view.
• Social and enterprise login tables now show the OAuth provider alias.
• Login-link email templates are now shown in the MFA via Email tab.
• Fixed: fraud protection could not be turned off once enabled.
• Fixed: Portal crash when an unknown OAuth provider type was configured.
• Fixed: JWKS fetch failed with a 307 redirect when the internal endpoint was HTTP and the public endpoint was HTTPS.
• Fixed: clock skew on Admin API JWT verification and internal endpoint access.
• Fixed: required array fields could drop out of a YAML config round-trip.
• + 1 more

📦 Highlights

• Site Admin Portal. A new site-wide admin view for monitoring usage and managing projects across your Authgear deployment.

📋 Other changes

• AuthUI translation overrides for the account selector and magic-link verification pages can now reference `{AppName}` and `{ClientName}`.
• Email alerts when a project hits its SMS usage limit.
• The Portal's Add User screen now uses the standard country-code phone input.
• Fixed: OTP form double-submitting on fast typing in Safari.
• Fixed: stale Admin API documentation link in the Portal.

📦 Highlights

• Usage alerts for project owners. Set soft limits on your Authgear usage and get alerted before you hit a hard cap. When a threshold is crossed, Authgear emails the project owner and fires a `usage.alert.triggered` webhook. Catch runaway SMS, email, or MAU costs before they become billing surprises.
• Authflow session-scoped cooldowns. Cooldowns on OTP retries used to reset when users changed the target phone number or email mid-flow. Now the cooldown sticks to the whole authflow session. Closes a real abuse vector.
• Non-ASCII sender names in custom SMTP. Custom SMTP now accepts sender names in Chinese, Japanese, and other non-Latin scripts.
• Smaller portal improvements. Clearer social login setup flow. The Endpoint field now shows up for OIDC and SAML app types, not just OAuth.

🗑️ v1 Auth UI removed

• The legacy v1 Auth UI has been fully retired. All flows now run on the v2 UI, which is faster and more customizable.

📋 Other changes

• Fixed an issue where the phone/email verification button in user settings was disabled when verification wasn't required
• Fixed recovery code page buttons remaining disabled after clicking Download
• Fixed search bar in the audit log page crashing on input
• Updated the IP blocklist testing UI in the portal
• Advanced user fields are now always visible on the Add User screen
• Portal now shows your configured disposable/free email domain list instead of the upstream repo defaults
• Updated GeoIP database for more accurate location-based features
• Updated disposable email domain list

📋 Changes

• ⏳ Added support for configuring an account valid period directly in the Portal.
• 🛡️ Introduced IP blocklist support for faster response to spam and malicious attacks.
• 🔑 Enabled generating Temporary Access Tokens for the Admin API in the Portal to support quick testing.
• ⏸️ Added temporary account blocking (suspension) capability for better user management.
• 📝 Added support for specifying a reason when blocking or deleting a user account.
• 🎨 Supported displaying different logos in AuthUI for different application clients.
• 🐞 Misc bug fixes and stability improvements.

📋 Changes

• 🔐 Returned authenticators owned by the user in `UserInfo` for easier visibility and integration.
• 🆔 Made it easier to copy the Project ID directly from the Portal.
• 🚫 Added the ability to block disposable email domains to improve account quality.
• 📤 Included created_at and account status in user export for better auditing.
• 🌐 Fixed an issue where AuthUI links did not fall back to the default language when unset.
• 🙅‍♂️ Allowed users with a username to have no password for more flexible authentication flows.

📋 Changes

• 🕒 Added support for account valid period in both the Admin API and Import API, giving you more control over account lifecycles.
• 🔓 You can now create users without a password directly from the portal, perfect for passwordless setups.
• 🚫 Reserved project IDs that start with "xx-" (e.g. "us-", "hk-", "ab-") to avoid conflicts with system prefixes.
• 🐛 Miscellaneous bug fixes and improvements to keep things running smoothly.

📋 Changes

• 🪪 Added oidc.id_token.pre_create hooks for mutation on ID Tokens. See docs for tutorial: https://docs.authgear.com/integration/add-custom-fields-to-a-jwt-access-token#mutation-on-id-tokens
• 📖 Added "Authentication Blocked" audit log events when a user is blocked from login during the auth flow.
• 🔗 Support WhatsApp Cloud API for phone passwordless logins

📋 Changes

• 🔐 Support Machine-to-machine authorization (M2M Token):
• Powered by OAuth 2.0 Client Credentials flow. Register your API Resources and M2M applications to secure service-to-service communications. Get Started: https://docs.authgear.com/get-started/m2m-applications

📋 Changes

• 🔐 A new set of blocking events is introduced `authentication.pre_initialize`, `authentication.post_identified`, `authentication.pre_authenticated`:
• Allows users to add logic to block users login/signup based on an array of signals, such as email, roles, date/time, GeoIP.
• Beyond simple allow/block, you can also prompt CAPTCHA, trigger 2FA, or rate-limit specific users.
• See common use cases in: https://docs.authgear.com/customization/events-hooks/examples-common-use-cases
• ✨ Support "Do not ask again" in passkey upsell screen
• ✨ Add a cancel button to bot protection dialog
• 🔐 Allow creating passwords in the portal when the user has no password
• ✨ Hide deprecated "Post Login URIs" in application settings
• + 1 more

📋 Changes

• ✨ A completely redesigned project setup wizard. Preview the login methods and branding in real time!
• 🪪 Support Demo Mode for social and enterprise login providers. You can now preview the login UI without entering the actual provider credentials.
• 📚 Updated all links to the documentation site in the portal
• 1️⃣ Authgear ONCE related changes in the portal. Learn more about Authgear ONCE at https://authgear.com
• 🐞 Misc bug fixes and security fixes

📋 Changes

• ☎️ For newly created projects, phone numbers are only validated for the country code and length. Stricter validation can be enabled by following [this guide](https://docs.authgear.com/how-to-guide/authenticate/phone-number-validation)
• ⛑️ Include Redis server status in the health check endpoint
• 🪪 Advanced feature: Support custom attributes in SAML response. Configure them by following [this guide](https://github.com/authgear/authgear-server/blob/main/docs/specs/saml.md#-customizing-the-attributes).
• 💬 (Behind the scene) Support WhatsApp Cloud API in addition to the existing "On-premise API"
• 🐞 Misc bug fixes

📋 Changes

• 📧 Set the default sender name and email address in the "Custom Email Provider" page in the portal
• 🐞 Fixed a bug where OAuth conflict error is incorrectly shown when attempting login with a non-existing user

📋 Changes

• 💬 Support setting up custom SMS providers using Twilio, Webhook or TypeScript Hooks
• ☎️ New option to turn off phone number validation on the Authgear server, and rely on the SMS provider to verify a user's number.
• 🪄 Misc UI and stability fixes

📋 Changes

• 📱 Support add/edit phone, email, username in Flutter SDK. By calling the function, the AuthUI will open and help you verify the email & phone numbers with OTPs.
• 🍎 Fixed a bug causing "Login with Apple" not working
• 🪄 Misc UI fixes in account setting page and bug fixes

📋 Changes

• 🏷️ New Simplier Pricing plans! All features are available in all plans, start building for free!
• See upcoming write-up and website updates for more details
• 🔎 Elastic Search is no longer a compulsory requirement. Support using PostgreSQL instead of ElasticSearch
• 🪄 Redesigned "Endpoint Direct Access" settings page
• 🦊 Fixed Login with Passkey in Firefox
• 🌐 Removed NFT/Ethereum login
• 🐞 Misc bug fixes

📋 Changes

• 🦸 Use Authgear as SAML IDP is now available in the portal:
• See Doc to learn how to enable SSO in SAML-compatible applications: https://docs.authgear.com/how-to-guide/single-sign-on/single-sign-on-with-saml
• 
• 📏 UX-Improvement: Logo height is controlled by a slider in "Branding" settings
• 
• 🐞 Fix a bug where users may get stuck in the Captcha dialog during login
• 🐞 Other Misc Bug fixes