This commit was created on GitHub.com and signed with GitHub’s verified signature.
Highlights
Link and unlink social logins from SDKs. End users can now connect or disconnect their OAuth/social providers themselves directly from the SDK, skipping the settings page.
Account recovery by username. The account recovery flow now works for projects that use a username as the primary login ID, not just email or phone. (Custom UI/Auth Flow only.)
Account lockout management. The Portal's User Details screen now shows a user's account lockout status and lets you reset it. The same is available through the Admin API via a new resetAccountLockout mutation, with audit logging for both.
Redesigned Getting Started page. The Portal onboarding page has been rebuilt with a cleaner layout, clearer integration CTAs, and a responsive grid that adapts down to smaller screens.
Project switcher in the Portal header. A project selector now lives in the header.
Identities in the userinfo endpoint. The userinfo endpoint now returns an identities claim, including provider type, login ID type and key, and created/updated timestamps.
Subresource Integrity (SRI). The Portal and AuthUI now emit SRI hashes and integrity-checked import maps for their bundled assets, hardening them against tampering.
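To illustrate the SRI item above, here is an added example (not the project's own code) of a deploy-time audit that checks each module in an import map against the `integrity` section of that map. The asset paths, file contents and function names are hypothetical, and the map uses the standard `imports`/`integrity` import-map layout rather than anything taken from the Portal or AuthUI build output.

```javascript
// Added example (not project code): audit an import map's integrity section.
const { createHash } = require("node:crypto");

const ALGOS = ["sha256", "sha384", "sha512"]; // SRI hash algorithms, weakest first

// SRI value for a buffer, e.g. "sha384-<base64 digest>".
function sriDigest(bytes, algo = "sha384") {
  return `${algo}-${createHash(algo).update(bytes).digest("base64")}`;
}

// Integrity metadata may list several hashes; as in browsers, only those using
// the strongest listed algorithm count. Unlike a browser, metadata with no
// usable hash is treated as a failure, because this is an audit.
function matchesIntegrity(bytes, metadata) {
  const hashes = metadata.trim().split(/\s+/)
    .map((token) => token.split("?")[0]) // drop any ?options suffix
    .filter((token) => ALGOS.includes(token.split("-")[0]));
  const rank = (token) => ALGOS.indexOf(token.split("-")[0]);
  const strongest = Math.max(-1, ...hashes.map(rank));
  return hashes.some((t) => rank(t) === strongest && t === sriDigest(bytes, t.split("-")[0]));
}

// Report every mapped module whose bytes are unknown, unpinned, or do not match.
function auditImportMap(importMap, assets) {
  const integrity = importMap.integrity ?? {};
  const findings = [];
  for (const url of Object.values(importMap.imports ?? {})) {
    const bytes = assets.get(url);
    if (!bytes) findings.push({ url, issue: "asset-missing" });
    else if (!Object.hasOwn(integrity, url)) findings.push({ url, issue: "no-integrity" });
    else if (!matchesIntegrity(bytes, integrity[url])) findings.push({ url, issue: "mismatch" });
  }
  return findings;
}

// Constructed sample: hypothetical asset paths and contents.
const built = Buffer.from("export const lib = {};\n");
const assets = new Map([
  ["/static/app.js", Buffer.from("export const v = 1;\n")],
  ["/static/vendor.js", Buffer.from("export const lib = { changed: true };\n")],
  ["/static/extra.js", Buffer.from("export default 0;\n")],
]);
const importMap = {
  imports: { app: "/static/app.js", vendor: "/static/vendor.js", extra: "/static/extra.js" },
  integrity: {
    "/static/app.js": sriDigest(assets.get("/static/app.js")),
    "/static/vendor.js": sriDigest(built), // hash from build time; served bytes differ
  },
};
console.log(auditImportMap(importMap, assets));
```

A module that appears in `imports` without an `integrity` entry loads unchecked in the browser, which is why the audit reports it separately from a hash mismatch.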
Other changes
User Details now has a paginated User Activities tab in place of the old inline logs view.
Social and enterprise login tables now show the OAuth provider alias.
Login-link email templates are now shown in the MFA via Email tab.
Fixed: fraud protection could not be turned off once enabled.
Fixed: Portal crash when an unknown OAuth provider type was configured.
Fixed: JWKS fetch failed with a 307 redirect when the internal endpoint was HTTP and the public endpoint was HTTPS.
Fixed: clock skew on Admin API JWT verification and internal endpoint access.
Fixed: required array fields could drop out of a YAML config round-trip.