All of the changes made will be available here.

Jun 28, 2025

v1.2.12

Jun 28, 2025

🐞 Bug Fixes

---

• account:
  • Add placeholder URL for type inference in linkSocialAccount response –
• create-adapter:
  • getModelName should apply plural to custom model names –
  • TransformWhere should account for customTransformInput –
  • Doesn't work with mongoAdapter –
• email-otp:
  • Doesn't call onEmailVerification –

    View changes on GitHub

Jun 28, 2025

v1.2.11

Jun 28, 2025

🐞 Bug Fixes

---

• api-key: Update should only use by ID –
• sveltekit: Only dynamic import $app/environment once –
• user-card: Refactor email verification button and update trusted origins –
• username: Log the correct username –

    View changes on GitHub

Jun 20, 2025

v1.2.10

Jun 20, 2025

🚀 Features

---

• Allow passing id in DB hook create –
• Link account with idToken –
• Add Hugging Face provider –
• cli: Allow cli to use custom adapter createSchema if implemented –
• organization: MaximumMembersPerTeam support –

🐞 Bug Fixes

---

• Support "ne" (not equal) filter in Prisma adapter –
• Propagate a secondary storage updates on updated user –
• Incremental scopes for Microsoft and return all granted scopes for Google –
• Remove active organization when member isn't found –
• DeleteUser check session freshAge using ms instead of sec –
• Always use custom errorURL when available –
• Duplicate oauth registration –
• Expose-headers override in bearer plugin when setting set-auth-token –
• Delete user should respect freshAge config –
• Use correct refresh token endpoint for github –
• OnLinkAccount trigger on phone number verification –
• Expose headers override in jwt plugin –
• email-otp: Auto-verify on email otp reset –
• email-verification: Improve email verification logic to check session and user email consistency –
• expo: Remove duplicated trusted origins –
• get-session: Missing null type on /get-session when throw:true is set –
• oauth-proxy: Resolve current URL with precedence –
• organization: Organization with no members error –
• twitter: Update email verification logic in profile mapping –

    View changes on GitHub

Jun 10, 2025

v1.2.9

Jun 10, 2025

🚀 Features

---

• Support bun sqlite by default –
• MCP plugin –
• New user delete flow –
• Add account info endpoint –
• Add promise support for custom user info claims –
• Add getCookieCache helper and update session handling –
• Support passing error callback url for account linking –
• Support stripe seat upgrade –
• customPaths: Provide an option to modify and map api paths –
• passkey: AAGUID field support –

🐞 Bug Fixes

---

• Use dynamic list of social providers to allow generic oauth –
• Make sure updatedAt is updated on session refresh –
• Improve the callbackURL parameter for social, oauth, SSO –
• Plugin init context should carry modified context from other plugins –
• Avoid refreshing tokens if the provider doesn't return refresh tokens –
• Init snapshot –
• Prisma schema not required on dev/bun –
• SSR handling in useAuthQuery to prevent hydration issues –
• Encoded callbackURL –
• Allow contains filter for users in admin –
• Microsoft entra token refresh scope –
• Demo build & upgrades –
• Docs sidebar height –
• Default value on generate –
• Construct valid URL from VERCEL_URL env –
• Add prompt option on github –
• Remove empty migration with semi colon –
• Rename forgetPassword APIs to requestPasswordReset –
• Lookup keys without the priceId –
• Oauth proxy between http and https –
• X:
  • Used x.com domain for all twitter provider urls –
• admin:
  • Respect cookie prefix for impersonate admin cookies –
• api-key:
  • Rate limits not working –
• apple:
  • Correctly map email verification status from profile –
  • Response type should be set to idToken code to get full user profile data –
• cli:
  • Missing dependency @babel/core –
• demo:
  • Avoid page refresh on session termination –
• magic-link:
  • URI-encode magic link callbackURL –
• mongo-adapter:
  • Fix incorrect transformation of findOneAndX outputs –
• oidc-provider:
  • Consent should be able to be accepted if state is empty –
  • Authorize post-auth flow –
• prisma:
  • "eq" invalid argument OR clause –
• stripe:
  • Inconsistency preventing subscription upgrades –
  • Use the stripeSubscriptionId from the fetched subscription instead of the one from the request –

    View changes on GitHub

May 16, 2025

v1.2.8

May 16, 2025

🚀 Features

---

• Make update account on signin optional –
• Add getAccessToken api for oauth accounts –
• getActions from client plugins to include clientOptions in get user client config –
• Add one time token generator –
• adapter:
  • Allow providing id in create method –
• anonymous:
  • Custom anonymous names –
• api-key:
  • Disable hashing API Keys –
• custom-session:
  • Add ctx on custom session callback fn –
• generic-oauth:
  • Support same provider account linking –
  • Authorization request headers –
• stripe:
  • Migrate to stripe sdk v18.0.0 –

🐞 Bug Fixes

---

• Username empty field on update guard –
• Docs on oauth refresh token fn –
• MapProfileToUser getting called twice during idToken login –
• Awaitable calls –
• Enforce override user info on oauth signin –
• Join waitlist banner styling –
• Fields for custom schema should be optional –
• UpdateAt field on banning/unbanning users –
• Improve signin builder and tabs functionality –
• Add a default value for generated fields –
• Resolve type error caused by incorrect plugin import –
• Resolve custom ts config path –
• Core schema model name definition on api-key –
• Username error code export –
• Resolve logo assets redirection and toaster styling issues –
• Remove unnecessary password hashing –
• Revoke session on password reset –
• Added password hashing to prevent timing attacks –
• Add default refreshAccessToken for microsoft provider –
• Pass context into createVerificationValue –
• Origin check failing when there is symbol in a query param –
• Remove userInfoUrl check to allow using custom function without url –
• getAccessToken should be available on the client –
• admin:
  • Handle redirecting banned users properly –
• api-key:
  • Pass real rateLimitvalue from ctx.body –
• create-adapter:
  • Get default model ingetModelname –
• drizzle-adapter:
  • Missing operators –
• generic-oauth:
  • On link account make sure to match provider Id before updating existing account –
  • Include missing tokens in account linking –
• open-api:
  • Misplaced requires properties –
• organization:
  • Incorrect delete team error message –
• passkey:
  • Add userDisplayName to the simplewebauthn generateRegistrationOptions call –
• stripe:
  • Include priceId on list active subscriptions –
  • Reactivate subcrition filtering to only active or trialing subscription –
• two-factor:
  • Verification deletion on otp should use the correct ID –

    View changes on GitHub

Apr 13, 2025

v1.2.7

Apr 13, 2025

🚀 Features

---

• Error code support for haveibeenpwned –
• plugin: Error code support for haveibeenpwned plugin –

🐞 Bug Fixes

---

• Added c.authentication to refresh token –
• Authentication type missing on refershToken options –
• Prevent a user from created on haveibeenpwned –
• adapter:
  • Improve field lookup logic in createAdapter –
• cli:
  • Schema gen with Drizzle for PG to generate text instead of uuid –
• drizzle-adapter:
  • Correct count retrieval in the update function –
• haveIBeenPwned:
  • Add proper error code –
• organization:
  • Checking if User is intended recipient of Invite is casesensetive –
• plugin:
  • Prevent user from being created on compromised password –
• stripe:
  • Force post method for subscription restore –
  • Adding ability to restore cancelled trialing subscriptions –

    View changes on GitHub

Apr 12, 2025

v1.2.6

Apr 12, 2025

🚀 Features

---

• MapProfileToUser in vk social-provider –
• One-time token plugin –
• createAdapter and useNumberId –
• Support user data mapping in id token social sign-in –
• Update hover style for light mode in community page –
• Zoom social provider –
• (captcha plugin) adding support for Google ReCAPTCHA v3 and hCaptcha –
• Openapi spec update –
• Have-i-been-pwned plugin –
• Support custom issuer totp –
• Delete token expiry configuration –
• Add option to disable session refresh on use –
• admin:
  • Add support for passing multiple roles as array –
• email-otp:
  • Support attempt numbers for email-otp –
• facebook:
  • Add support for business login using config ids –
• generic-oauth:
  • Added field discoveryHeaders to GenericOAuthConfig –
• jwt:
  • Add sub claim and getSubject –
• oauth2:
  • Override user info on provider sign-in –
• organization:
  • Add invitation limit –
  • Support multiple permissions check –
• phone-number:
  • Add attempts check –
  • Add number of attempts configuration –
  • Add phone number verification requirement before sign-in –
• provider:
  • Twitter email support –
• react-start:
  • Add react-start integration for cookie handling –
• socialLink:
  • Add support for custom scopes in social account linking –
• stripe:
  • Restore subscription –
• two-factor:
  • Refactor two-factor authentication with better error handling, configurable otp limits and verification –
• username:
  • Export the correct error codes for the plugin –

🐞 Bug Fixes

---

• Import orders and alias to avoid conflict in ac code examples –
• Fallback to checking main db on session retrieval when storeSessionInDatabase is enabled –
• Export oAuth types –
• Og image compat –
• Og image compatibility on multiple link previews –
• Tooltip arrow –
• Tooltip arrow pointer –
• Forget password flow failing because of id conversion –
• Dep issue –
• Deployment compat issue –
• Verify github email when profile has an email –
• Docs syntax spacing –
• GenericOAuth default redirectURI for account linking –
• Missing disableRefresh type in server side getSession –
• Redirect to defaultErrorURL if errorURL doens't exist –
• Plugin middleware docs –
• Improve header value retrieval for IP address extraction –
• Prisma client docs –
• Community page interaction –
• Community page interaction –
• Hover style for light mode in community page –
• IpAddress and userAgent missing on server authentication –
• Missing export one time token plugin –
• Delete from session table when stopImpersonate called –
• Filter out fields with returned: false from session cookie cache –
• Rethrow error from db hooks if it is APIError instances –
• admin:
  • Pass where clause to adapter.count to fix total value on listUser –
  • DefaultRoles, adminRoles + others not applying user config –
  • 'dontRememberMe' cookie handling during impersonation –
• api-key:
  • Return value of permissions should be object, not string –
  • Update rateLimitEnabled default to consider options –
• apple:
  • Update responseType to include code and id_token –
• custom-session:
  • Custom session failing to set cookies –
• generic-oauth:
  • Should check for email after mapProfileToUser –
• oauth:
  • Encode clientId and clientSecret in authorization header –
• oauth-proxy:
  • Extend callback and sign-in path matchers to include /oauth2/callback and /sign-in/oauth2 –
• oidc-provider:
  • Add cookie options for path and sameSite in authorize –
• open-api:
  • Hide disabled paths –
• organization:
  • Update default invitation expiration time to use seconds –
  • Fix conditional teamId inference –
  • UpdateMemberRole failing if issuer has multiple roles –
• stripe:
  • Allow customizing subscription schema –
  • Throw err if passed referenceId when no subscription authorizeReference` is defined –
  • Update referenceId in checkout session to use client_reference_id instead of metadata –
• two-factor:
  • 2fa error codes failing to infer –

    View changes on GitHub