All of the changes made will be available here.

Jul 21, 2025

v1.3.2

Jul 21, 2025

🐞 Bug Fixes

---

• Improve setting active org performance –

    View changes on GitHub

Jul 20, 2025

v1.3.1

Jul 20, 2025

🐞 Bug Fixes

---

• Changed the Twitter provider to use "post" authentication instead of "basic" when validating the authorization code –
• organization:
  • Dixed organization schema inference when multiple plugins are present in the plugins array –
  • Multi teams breaking active organization id type inference –

    View changes on GitHub

Jul 19, 2025

v1.3.0

Jul 19, 2025

🚀 Features

---

• Sveltekit cookie helper plugin –
• SSO plugin with OIDC and SAML support –
• Linear social provider –
• Add encryption for OTPs and other verification information –
• Notion provider –
• Add sendOnSignIn option to make sending verification link in sign in route explicit –
• Add inferAuth to infer plugin types and more on the client without needing client plugins –
• Add rememberMe option to signUpEmail –
• Add slack social provider –
• Add an option to encrypt oauth tokens by default –
• OnPasswordReset callback –
• AfterEmailVerification callback –
• SIWE plugin –
• admin:
  • Update user –
• anonymous:
  • Update generateName to support returning a promise –
• api-key:
  • Async support for verify key –
  • requireName to enforce name on keys –
• docs:
  • APIMethod, documents all server & client auth examples –
• drizzle:
  • Support camel case schema generation –
• email-otp:
  • Support email verification override –
• generic-oauth:
  • Add support for additional token URL params in generic OAuth –
• magic-link:
  • Support errorCallbackURL & newUserCallbackURL –
• oidc:
  • Add refresh token support to discovery document and token endpoint –
  • Support JWKs with JWT plugin –
  • Add support for public clients with PKCE authentication –
• oidc-provider:
  • Trusted clients –
  • Support encrypting and hashing secrets –
• organization:
  • listUserInvitations adds the ability to list all invitations for a given user –
  • AdditionalFields for org, member, invitation & team –
  • Multi-team support –
• social-providers:
  • Add Faceit Social Provider –
  • Add Faceit Social Provider " –
• sso:
  • Configurable provider limit –
• stripe:
  • Pass context obejct to stripe plugin callbacks –
• username:
  • Check username availability –
  • Add custom username normalization option –

🐞 Bug Fixes

---

• Import setCookie from tanstack start core package –
• Exclude current user from username update checks –
• Correct way detect facebook limited token jwt –
• Update Discord link to use the correct invite URL in blogs section –
• Linking accounts for anon users with one tap and passkey –
• Don't require email for account linking –
• Add image option to signUpEmail types and schema –
• Implement standard Base64 encoding for HTTP Basic Auth in token refresh and validation –
• Schema generation when using advanced.databse.useNumberId –
• Mysql foreign key constraints on generate –
• Zodv4 migration leftover due to conflict –
• Sso typecheck –
• Global onSuccess callback hook not being called –
• admin:
  • Throw an error if user id in /remove-user is invalid –
  • Before create hook was not triggered when creating a user through the admin plugin –
  • Pass ctx to user create db hook –
• api-key:
  • Incorrect rate limit error status code –
  • Incorrect rate limit error status code –
  • Non-expiring API keys (with expiresAt set to null) were being deleted by mistake –
• cli:
  • Format drizzle schema output –
• db:
  • Add varchar to postgres string mapping and normalize type comparison –
• drizzle-cli:
  • Use serial as PK when useNumberId is enabled –
  • Use serial as PK when useNumberId is enabled –
• dropbox:
  • Added support for the token access type option –
• email-otp:
  • Throw USER_NOT_FOUND when sign-up is disabled –
  • Throw USER_NOT_FOUND when sign-up is disabled –
• expo:
  • Expo plugin should import types from the types path –
• generic-oauth:
  • Error callback should avoid malformed URLs when the original URL already has query parameters –
• jwt:
  • Allow to generate JWKS with other algorithm than the default one –
• mcp:
  • Issue with hardcoded baseURL in withMcpAuth –
• mongodb:
  • Honor custom generateId in create –
• next-cookies:
  • Don't throw in monorepo workspaces –
• oauth:
  • Google prompt doesn't allow + –
  • Extended oauth2 tokens with refresh_token_expires_in field –
• oidc-provider:
  • Relax offline_access scope validation by removing prompt=consent requirement –
• open-api:
  • Include additional fields –
• organization:
  • List-teams endpoint returns unknown –
  • Allow org owner to update their own roles –
• origin-check:
  • Support protocol-specific wildcard trusted origins –
• phone-number:
  • Verification value should be removed after successful password reset –
• social-providers:
  • Twitch provider not returning if email is valid –
• sso:
  • Saml redirection –
• stripe:
  • Allow upgrading incomplete subscriptions –
  • Prevent duplicate customers –
• two-factor:
  • Incorrect default OTP period & fix incorrect docs –
  • Incorrect default OTP period & fix incorrect docs –
  • Getting totp uri shouldn't require twoFactor enabled –
  • Otp separator mismatch –
  • Use twoFactorEnabled flag instead of database lookup for OTP validation –
• username:
  • Add callbackURL option to signInUsername –

    View changes on GitHub

Jun 28, 2025

v1.2.12

Jun 28, 2025

🐞 Bug Fixes

---

• account:
  • Add placeholder URL for type inference in linkSocialAccount response –
• create-adapter:
  • getModelName should apply plural to custom model names –
  • TransformWhere should account for customTransformInput –
  • Doesn't work with mongoAdapter –
• email-otp:
  • Doesn't call onEmailVerification –

    View changes on GitHub

Jun 28, 2025

v1.2.11

Jun 28, 2025

🐞 Bug Fixes

---

• api-key: Update should only use by ID –
• sveltekit: Only dynamic import $app/environment once –
• user-card: Refactor email verification button and update trusted origins –
• username: Log the correct username –

    View changes on GitHub

Jun 20, 2025

v1.2.10

Jun 20, 2025

🚀 Features

---

• Allow passing id in DB hook create –
• Link account with idToken –
• Add Hugging Face provider –
• cli: Allow cli to use custom adapter createSchema if implemented –
• organization: MaximumMembersPerTeam support –

🐞 Bug Fixes

---

• Support "ne" (not equal) filter in Prisma adapter –
• Propagate a secondary storage updates on updated user –
• Incremental scopes for Microsoft and return all granted scopes for Google –
• Remove active organization when member isn't found –
• DeleteUser check session freshAge using ms instead of sec –
• Always use custom errorURL when available –
• Duplicate oauth registration –
• Expose-headers override in bearer plugin when setting set-auth-token –
• Delete user should respect freshAge config –
• Use correct refresh token endpoint for github –
• OnLinkAccount trigger on phone number verification –
• Expose headers override in jwt plugin –
• email-otp: Auto-verify on email otp reset –
• email-verification: Improve email verification logic to check session and user email consistency –
• expo: Remove duplicated trusted origins –
• get-session: Missing null type on /get-session when throw:true is set –
• oauth-proxy: Resolve current URL with precedence –
• organization: Organization with no members error –
• twitter: Update email verification logic in profile mapping –

    View changes on GitHub

Jun 10, 2025

v1.2.9

Jun 10, 2025

🚀 Features

---

• Support bun sqlite by default –
• MCP plugin –
• New user delete flow –
• Add account info endpoint –
• Add promise support for custom user info claims –
• Add getCookieCache helper and update session handling –
• Support passing error callback url for account linking –
• Support stripe seat upgrade –
• customPaths: Provide an option to modify and map api paths –
• passkey: AAGUID field support –

🐞 Bug Fixes

---

• Use dynamic list of social providers to allow generic oauth –
• Make sure updatedAt is updated on session refresh –
• Improve the callbackURL parameter for social, oauth, SSO –
• Plugin init context should carry modified context from other plugins –
• Avoid refreshing tokens if the provider doesn't return refresh tokens –
• Init snapshot –
• Prisma schema not required on dev/bun –
• SSR handling in useAuthQuery to prevent hydration issues –
• Encoded callbackURL –
• Allow contains filter for users in admin –
• Microsoft entra token refresh scope –
• Demo build & upgrades –
• Docs sidebar height –
• Default value on generate –
• Construct valid URL from VERCEL_URL env –
• Add prompt option on github –
• Remove empty migration with semi colon –
• Rename forgetPassword APIs to requestPasswordReset –
• Lookup keys without the priceId –
• Oauth proxy between http and https –
• X:
  • Used x.com domain for all twitter provider urls –
• admin:
  • Respect cookie prefix for impersonate admin cookies –
• api-key:
  • Rate limits not working –
• apple:
  • Correctly map email verification status from profile –
  • Response type should be set to idToken code to get full user profile data –
• cli:
  • Missing dependency @babel/core –
• demo:
  • Avoid page refresh on session termination –
• magic-link:
  • URI-encode magic link callbackURL –
• mongo-adapter:
  • Fix incorrect transformation of findOneAndX outputs –
• oidc-provider:
  • Consent should be able to be accepted if state is empty –
  • Authorize post-auth flow –
• prisma:
  • "eq" invalid argument OR clause –
• stripe:
  • Inconsistency preventing subscription upgrades –
  • Use the stripeSubscriptionId from the fetched subscription instead of the one from the request –

    View changes on GitHub

May 16, 2025

v1.2.8

May 16, 2025

🚀 Features

---

• Make update account on signin optional –
• Add getAccessToken api for oauth accounts –
• getActions from client plugins to include clientOptions in get user client config –
• Add one time token generator –
• adapter:
  • Allow providing id in create method –
• anonymous:
  • Custom anonymous names –
• api-key:
  • Disable hashing API Keys –
• custom-session:
  • Add ctx on custom session callback fn –
• generic-oauth:
  • Support same provider account linking –
  • Authorization request headers –
• stripe:
  • Migrate to stripe sdk v18.0.0 –

🐞 Bug Fixes

---

• Username empty field on update guard –
• Docs on oauth refresh token fn –
• MapProfileToUser getting called twice during idToken login –
• Awaitable calls –
• Enforce override user info on oauth signin –
• Join waitlist banner styling –
• Fields for custom schema should be optional –
• UpdateAt field on banning/unbanning users –
• Improve signin builder and tabs functionality –
• Add a default value for generated fields –
• Resolve type error caused by incorrect plugin import –
• Resolve custom ts config path –
• Core schema model name definition on api-key –
• Username error code export –
• Resolve logo assets redirection and toaster styling issues –
• Remove unnecessary password hashing –
• Revoke session on password reset –
• Added password hashing to prevent timing attacks –
• Add default refreshAccessToken for microsoft provider –
• Pass context into createVerificationValue –
• Origin check failing when there is symbol in a query param –
• Remove userInfoUrl check to allow using custom function without url –
• getAccessToken should be available on the client –
• admin:
  • Handle redirecting banned users properly –
• api-key:
  • Pass real rateLimitvalue from ctx.body –
• create-adapter:
  • Get default model ingetModelname –
• drizzle-adapter:
  • Missing operators –
• generic-oauth:
  • On link account make sure to match provider Id before updating existing account –
  • Include missing tokens in account linking –
• open-api:
  • Misplaced requires properties –
• organization:
  • Incorrect delete team error message –
• passkey:
  • Add userDisplayName to the simplewebauthn generateRegistrationOptions call –
• stripe:
  • Include priceId on list active subscriptions –
  • Reactivate subcrition filtering to only active or trialing subscription –
• two-factor:
  • Verification deletion on otp should use the correct ID –

    View changes on GitHub