2.6

Important

This release comes with several breaking changes. Please read carefully.

New features

Offline mode (mobile app) 🥳

Adds the necessary backend changes to (finally!) support offline mode in the mobile app. The data is saved in a local sqlite database and synced with the server when the network is reachable again. Basically the whole application can be used without internet, with few exceptions such as

• routines (needs some backend logic to calculate the routine data)
• gallery (due to the image upload)
• account actions like changing the email, etc.

Buttons and menus will be grayed out if they can't currently be used.

Social login and 2FA

It's now possible to login with social auth providers like Google, Facebook, etc. Also, we now support two-factor authentication like security codes or passkeys (note that due to these changes, you will need to re-login on the website).

• https://wger.readthedocs.io/en/latest/administration/mfa.html
• https://wger.readthedocs.io/en/latest/administration/social_auth.html

Others

• The exercise image API now exposes thumbnails with small and medium URLs, consistent with the ingredient API

• The ingredient API filter now supports range lookups on nutriscore (gt, gte, lt, lte) in addition to exact and in, enabling queries like "better than C" (#2295).

• Add a new, more efficient ingredient API endpoint (/api/v2/ingredient-sync) for synchronizing the local database with an upstream wger server (note that this is a fallback, the regular sync is still via the db dump which is faster)

• JWT refresh tokens now rotate on every use. Combined with blacklist-after-rotation this makes refresh tokens single-use and lets a leaked token live only until the next refresh call. It's recommended to update your prod.env and set REFRESH_TOKEN_LIFETIME to a value like 3000.

• When a username is already taken during registration, the system now suggests available alternatives. This replaces the default DRF UniqueValidator with a custom validator that includes suggested usernames in the error response. Suggestions are supported in both the serializer and web registration form validation.

• The exercise language is now also checked when performing edits, instead of only during submission so it's not possible to e.g. save a Spanish text for the English description.

Upgrade steps

• If you are using docker, make sure to pull the latest changes from the docker repo as there is a new service ("powersync"), configs (e.g. for nginx/Caddy) and settings (prod.env). Take a look at https://wger.readthedocs.io/en/latest/administration/powersync.html for administration details.

• The new powersync service needs its own dedicated user and schema inside the Postgres database to store its sync state, run docker compose exec web ./manage.py setup-powersync-storage to apply. If you want to change the defaults, this can be configured in PS_STORAGE_PG_URI.

• SIGNING_KEY is replaced by JWT_PRIVATE_KEY and JWT_PUBLIC_KEY. Run docker compose exec web ./manage.py generate-jwt-keys to generate a new pair.

• Make sure you have set SITE_URL with your server's URL

• Some unused thumbnail sizes have been deleted, run ./manage.py prune-thumbnails to delete dangling files

• The default location for ingredient images has changed. Please run ./manage migrate-ingredient-image-paths to migrate existing entries. Note that this is technically optional, as the old paths will continue working, but it is advised for consistency.

(ignore these if you didn't change the default db password)

• Set the PS_DATABASE_URI with the wger db password in the usual format postgres://<user>:<password>@<host>:<port>/<dbname>.

• The Postgres container in the docker-compose setup now reads its credentials (POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB) from prod.env instead of having them hardcoded in the yaml file.

Breaking changes

(only relevant if you have your own scripts or interact with the REST API)

The type for the ID was changed from integer to string (UUID) for several models,
to allow clients to generate IDs locally. This affects the following endpoints:

• /api/v2/measurement-category/
• /api/v2/measurement/
• /api/v2/nutritionplan/ and /api/v2/nutritionplaninfo/
• /api/v2/meal/
• /api/v2/mealitem/
• /api/v2/nutritiondiary/
• /api/v2/workoutsession/
• /api/v2/workoutlog/

/api/v2/login/ and /api/v2/register/ endpoints removed. These endpoints returned
a permanent token, use the allauth ones instead (JWT based). If you still need a permanent
one, visit the "API key" page in the user settings and paste it into scripts.

/api/v2/token endpoint removed. Exchanging username + password for a JWT
pair via this endpoint bypassed 2FA. To get tokens, either use
/allauth/app/v1/auth/login (which respects the MFA challenge flow) or manually
mint a long-lived refresh token from the "API key" page in the user settings.

The details

Features

• feat(nutrition): allow range lookups on nutriscore ingredient filter by @kiranannadatha8 in #2305
• Fix/core url typo and serializer fields by @pankaj-basnet in #2309
• Fix/preferences email validation by @BigJimmy333 in #2327
• Improvements to exercise submission api by @rolandgeider in #2339
• Fix: Handle missing product_name in Open Food Facts import by @Ewin7 in #2343
• Feature/username suggestion system by @birjd002 in #2344
• docs: fix broken Docker documentation link in README.md (#2353) by @Marcelluxx in #2354
• fix: barcode fetch result was never returned by @anjakDev in #2355
• feat: trigger Open Food Facts lookup on manual barcode text search by @Ewin7 in #2351
• fix: unknown language code is ignored instead of defaulted to english by @anjakDev in #2356
• POWERSYNC: add migration to create postgresql publication by @Dieterbe in #1747
• Thumbnail changes by @rolandgeider in #2345
• Version 2.6 by @rolandgeider in #2359

Dependencies

• Bump tzdata from 2026.1 to 2026.2 by @dependabot[bot] in #2314
• Bump reportlab from 4.4.10 to 4.5.0 by @dependabot[bot] in #2320
• Bump icalendar from 7.0.3 to 7.1.0 by @dependabot[bot] in #2324
• Bump boto3 from 1.42.94 to 1.43.2 by @dependabot[bot] in #2323
• Bump gunicorn from 25.3.0 to 26.0.0 by @dependabot[bot] in #2325
• Bump markdown-it-py from 4.0.0 to 4.1.0 by @dependabot[bot] in #2330
• Bump markdown-it-py from 4.1.0 to 4.2.0 by @dependabot[bot] in #2331
• Bump packaging from 26.1 to 26.2 by @dependabot[bot] in #2313
• Bump django from 5.2.13 to 5.2.14 by @dependabot[bot] in #2333
• Bump urllib3 from 2.6.3 to 2.7.0 by @dependabot[bot] in #2335
• Bump coverage from 7.13.5 to 7.14.0 by @dependabot[bot] in #2336
• Bump requests from 2.33.1 to 2.34.0 by @dependabot[bot] in #2337
• Bump picomatch from 4.0.3 to 4.0.4 by @dependabot[bot] in #2267
• Bump invoke from 2.2.1 to 3.0.3 by @dependabot[bot] in #2283
• Bump faker from 40.15.0 to 40.18.0 by @dependabot[bot] in #2341
• Bump django-formtools from 2.5.1 to 2.6.1 by @dependabot[bot] in #2346
• Bump idna from 3.13 to 3.15 by @dependabot[bot] in #2347
• Bump django-allauth from 65.16.1 to 65.17.0 by @dependabot[bot] in #2348
• Bump openfoodfacts from 5.0.1 to 5.1.0 by @dependabot[bot] in #2363
• Bump django-redis from 6.0.0 to 7.0.0 by @dependabot[bot] in #2367
• Bump tqdm from 4.67.3 to 4.68.1 by @dependabot[bot] in #2370
• Bump pyjwt from 2.12.1 to 2.13.0 by @dependabot[bot] in #2382
• Bump gevent from 26.4.0 to 26.5.0 by @dependabot[bot] in #2349
• Bump cryptography from 46.0.7 to 48.0.1 by @dependabot[bot] in #2390
• Bump openfoodfacts from 5.1.0 to 5.2.0 by @dependabot[bot] in #2386

New Contributors

• @kiranannadatha8 made their first contribution in #2305
• @BigJimmy333 made their first contribution in #2327
• @Ewin7 made their first contribution in #2343
• @birjd002 made their first contribution in #2344
• @Marcelluxx made their first contribution in #2354
• @anjakDev made their first contribution in #2355

Full Changelog: 2.5...2.6