tag:github.com,2008:https://github.com/logto-io/logto/releases

Release notes from logto

2026-04-30T02:26:47Z tag:github.com,2008:Repository/378310716/v1.39.0 2026-04-30T03:05:42Z

v1.39.0

<h2>Highlights</h2> <ul> <li><strong>Private signing key rotation grace period</strong>: Logto now supports a grace 
period when rotating private signing keys, helping clients refresh cached JWKS without downtime.</li> <li><strong>Custom JWT script error handling</strong>: Access token and client credentials JWT customization can now block token issuance when scripts fail.</li> <li><strong>Account Center security page</strong>: End users can now manage social account linking, MFA, and account deletion from the Account Center.</li> <li><strong>WhatsApp connector</strong>: A new WhatsApp SMS connector is available through the Meta Cloud API.</li> <li><strong>Security and compatibility fixes</strong>: Forgot-password verification responses are now unified to reduce account enumeration risk, and in-app browser social / SSO redirects are more resilient.</li> </ul> <h2>New features & enhancements</h2> <h3>Private signing key rotation grace period</h3> <p>Logto now supports a grace period during private signing key rotation.</p> <p>This can be configured through:</p> <ul> <li>The <code>PRIVATE_KEY_ROTATION_GRACE_PERIOD</code> environment variable.</li> <li>The <code>--gracePeriod</code> CLI option.</li> </ul> <p>During the grace period:</p> <ul> <li>The newly generated signing key is marked as <strong>Next</strong>.</li> <li>The existing signing key remains active as <strong>Current</strong>.</li> <li>Clients have time to refresh cached JWKS before the new key becomes active.</li> </ul> <p>After the grace period ends:</p> <ul> <li>The new private signing key transitions to <strong>Current</strong>.</li> <li>The old signing key is marked as <strong>Previous</strong>.</li> </ul> <p>This provides a smoother key rotation process and helps avoid authentication failures caused by stale JWKS caches.</p> <p>Documentation: <a href="https://docs.logto.io/logto-oss/using-cli/rotate-signing-keys" rel="nofollow">https://docs.logto.io/logto-oss/using-cli/rotate-signing-keys</a></p> <h3>Custom JWT script error handling</h3> <p>Logto now supports configurable error handling for custom JWT scripts used 
in access token and client credentials flows.</p> <p>Included changes:</p> <ul> <li>Custom JWT scripts can now block token issuance when execution fails.</li> <li><code>api.denyAccess()</code> is preserved as an <code>access_denied</code> response.</li> <li>Other blocking-mode script failures are returned as localized <code>invalid_request</code> responses.</li> <li>Console adds a dedicated <strong>Error handling</strong> tab for configuring the behavior.</li> <li>Newly created scripts default <code>blockIssuanceOnError</code> to enabled.</li> <li>Existing scripts without a saved value keep the legacy disabled behavior.</li> <li>Related Console guidance, phrases, schemas, and integration coverage are updated.</li> </ul> <p>This helps developers choose whether token customization failures should fail open or fail closed depending on their security requirements.</p> <h3>Account Center security page</h3> <p>This release adds a new security page to the out-of-the-box Account Center.</p> <p>End users can now manage account security from <code>/account/security</code>, including:</p> <ul> <li>Social account linking and unlinking.</li> <li>MFA 2-step verification.</li> <li>Account deletion.</li> </ul> <p>Console support:</p> <ul> <li>The sign-in experience Account Center settings now expose the delete-account URL field.</li> <li>Console surfaces Account Center and social prebuilt UI entries.</li> </ul> <h3>WhatsApp connector via Meta Cloud API</h3> <p>A new WhatsApp connector is added for sending messages through the Meta Cloud API.</p> <p>This enables WhatsApp-based SMS / verification-code delivery scenarios using the official Meta Cloud API integration.</p> <h3>Organization assignment API response bodies</h3> <p>Organization user and role assignment APIs now return response bodies.</p> <p>Updated endpoints:</p> <ul> <li><code>POST /organizations/:id/users</code> now returns <code>{ userIds: string[] }</code>, echoing the user IDs sent in the request.</li> <li><code>POST 
/organizations/:id/users/:userId/roles</code> now returns <code>{ organizationRoleIds: string[] }</code>, containing the final deduplicated role IDs assigned to the user, including IDs resolved from provided role names.</li> </ul> <h3>Console theme token update</h3> <p>Console themes now include the missing <code>--color-overlay-primary-subtle</code> token for both light and dark modes.</p> <h2>Bug fixes & stability</h2> <h3>Forgot-password verification enumeration protection</h3> <p>Forgot-password verification now returns a unified <code>verification_code.code_mismatch</code> error.</p> <p>This prevents the flow from exposing whether an email or phone number exists through different error responses.</p> <h3>Social and SSO redirects in in-app browsers</h3> <p>Improved social and SSO redirect reliability in in-app browsers such as Instagram, Facebook, and LINE.</p> <p>Some in-app browsers open OAuth identity provider pages in a new WebView, which can cause <code>sessionStorage</code> to be lost after redirecting back.</p> <p>This release adds a <code>localStorage</code> fallback:</p> <ul> <li>Redirect state is still stored in <code>sessionStorage</code>.</li> <li>A fallback redirect context bundle is also stored in <code>localStorage</code>.</li> <li>On callback, Logto restores state from <code>localStorage</code> if <code>sessionStorage</code> is missing.</li> <li>Fallback entries are consumed on read and automatically swept after 10 minutes.</li> <li>If both storage locations are empty, the user sees an error toast.</li> </ul> <h3>Verification code connector request IP</h3> <p>Fixed an issue where the request IP was not passed to connectors when sending verification codes.</p> <p>This allows connectors to receive the correct request context for verification-code delivery.</p> <h2>Contributors</h2> <p>Thanks to everyone who contributed to this release:</p> <ul> <li><a class="user-mention notranslate" data-hovercard-type="user" 
data-hovercard-url="/users/konlanx/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/konlanx">@konlanx</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4230312593" data-permission-text="Title is private" data-url="https://github.com/logto-io/logto/issues/8626" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8626/hovercard" href="https://github.com/logto-io/logto/pull/8626">#8626</a></li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/makisekuris/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/makisekuris">@makisekuris</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4212115103" data-permission-text="Title is private" data-url="https://github.com/logto-io/logto/issues/8616" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8616/hovercard" href="https://github.com/logto-io/logto/pull/8616">#8616</a></li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/MrMardel/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/MrMardel">@MrMardel</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4051973515" data-permission-text="Title is private" data-url="https://github.com/logto-io/logto/issues/8458" data-hovercard-type="pull_request" data-hovercard-url="/logto-io/logto/pull/8458/hovercard" href="https://github.com/logto-io/logto/pull/8458">#8458</a></li> </ul> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/tunnel@0.3.7 2026-04-30T02:26:53Z

@logto/tunnel@0.3.7

<p>@logto/tunnel@0.3.7</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/translate@0.2.12 2026-04-30T02:26:53Z

@logto/translate@0.2.12

<p>@logto/translate@0.2.12</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/shared@3.4.0 2026-04-30T02:26:52Z

@logto/shared@3.4.0

<p>@logto/shared@3.4.0</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/phrases-experience@1.13.1 2026-04-30T02:26:52Z

@logto/phrases-experience@1.13.1

<p>@logto/phrases-experience@1.13.1</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/phrases@1.28.0 2026-04-30T02:26:52Z

@logto/phrases@1.28.0

<p>@logto/phrases@1.28.0</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/integration-tests@1.21.0 2026-04-30T02:26:51Z

@logto/integration-tests@1.21.0

<p>@logto/integration-tests@1.21.0</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/experience@1.19.1 2026-04-30T02:26:51Z

@logto/experience@1.19.1

<p>@logto/experience@1.19.1</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/core-kit@2.9.0 2026-04-30T02:26:53Z

@logto/core-kit@2.9.0

<p>@logto/core-kit@2.9.0</p> silverhand-bot tag:github.com,2008:Repository/378310716/@logto/core@1.39.0 2026-04-30T02:26:46Z

@logto/core@1.39.0

<p>@logto/core@1.39.0</p> silverhand-bot