All changes, fixes, and updates

🚀 Features

• Add disableImplicitLinking to accountLinking –
• Mark /forget-password/email-otp as deprecation –
• device-authorization:
  • Add user id checks –
• one-tap:
  • Add button mode for Google sign-in –
• sso:
  • Support multi-domain providers –
  • Add provider list and detail endpoints –

🐞 Bug Fixes

• Correctly handle OAuth callback and Apple email field –
• Centralize cookie parsing and handle Expires dates correctly –
• Refresh account_data cookie when session is refreshed –
• Remove duplicate secondary storage writes from setSessionCookie –
• Set default logger level to "warn" –
• Respect the explicitly set sendOnSignUp option –
• Handle serial and false cases in generateId –
• Log error when misconfigured –
• Update google oauth endpoints –
• Consistent api version for facebook provider –
• Check jsconfig.json in getPathAliases –
• 2fa:
  • Server-side trust device expiration and configurable maxAge –
• anonymous:
  • Export types –
• cli:
  • Use inkeep remote mcp url –
  • Update MCP URL from Chonkie to Inkeep –
• core:
  • Consolidate rateLimit table schema definition –
• email-otp:
  • Add stricter default rate limits for password reset endpoints –
• expo:
  • Prevent null cookie key when redirect URL has no cookie param –
  • Prevent duplicate listener notifications in FocusManager and OnlineManager –
• github:
  • Surface OAuth token exchange errors –
• mcp:
  • Remove local mpc –
• multi-session:
  • Prevent duplicate cookies when same user signs in multiple times –
• oauth-provider:
  • Properly handle metadata field in client registration –
• okta:
  • Userinfo route mismatch –
• organization:
  • Filter returned: false fields from API responses –
• saml:
  • IdP-Initiated Callback Routing –
• session:
  • Skip invalid sessions in list –
• stripe:
  • Allow billing interval change for same plan –
  • Find active subscription correctly when upgrading –

🏎 Performance

• Fix infinite typecheck –

    View changes on GitHub

🚀 Features

• two-factor: Add twoFactorCookieMaxAge as a separate option –

🐞 Bug Fixes

• Set default ipv6 subnet to 64 –
• cookies: Fallback to isProduction when baseURL is not set –
• db: Only exclude returned: false fields from output schemas –
• stripe: Allow re-subscribing to the same plan when subscription has expired –
• two-factor: Improve OTP comparision during hashed and encrypted values –

    View changes on GitHub

🚀 Features

• admin: Make password field optional on create user –

🐞 Bug Fixes

• oauth: Set account cookie on re-login when updateAccountOnSignIn is false –
• organization: Missing activeTeamId field when dynamic access control is enabled –
• rate-limit: Support IPv6 address normalization and subnet –

    View changes on GitHub

🐞 Bug Fixes

• Update TanStack imports to use server subpath –
• client: Deep merge plugin actions to preserve all methods –

    View changes on GitHub

🚀 Features

• Add skipTrailingSlashes option to advanced config –
• stripe: Add support for locale option to upgradeSubscription –

🐞 Bug Fixes

• TanStack Start cookie plugins for React and Solid.js –
• Centralize schema parsing for API responses –
• Update Figma provider default scope and oauth endpoints –
• Allow empty name on email sign-up –

    View changes on GitHub

🚀 Features

• core: Add version in AuthContext –
• integrations: Support both react and solid flavors of tanstack-start –
• mcp: Add setup_auth tool –
• organization: Allow rejecting expired invites and filter pending invitations –
• scim: Add Microsoft Entra ID SCIM Compatibility –

🐞 Bug Fixes

• Should return dates for expiration fields –
• Preserve attributes when expiring cookies –
• expo: Fix cookie-based OAuth state with expo-authorization-proxy –
• organization: Infer endpoints when dynamic ac and teams enabled –
• stripe: Add generic return type to getSchema for proper field inference –

    View changes on GitHub

🚀 Features

• oauth: Add custom authorizationEndpoint option –

🐞 Bug Fixes

• anonymous: Define delete-anonymous-user path method –
• client: Add refetch to useSession for all clients –
• core: Remove dual module warning –
• session: Prevent duplicate tokens in active sessions list –

    View changes on GitHub

🚀 Features

• Add auth.api.verifyPassword –
• anonymous: Delete anonymous user endpoint –
• generic-oauth: Add Gumroad login support –
• saml: Reject SAML responses containing multiple assertions –
• stripe: Enhance stripe plugin with organization customer support –

🐞 Bug Fixes

• Filter null values from dynamic trusted origins –
• Call hooks on change-email-verification flow –
• Clean up expired rate-limit entries on memory storage –
• Set Location header on redirected responses –
• anonymous:
  • Prevent Convex cleanup from deleting fresh sessions –
• api-key:
  • Remove strict length pre-check in verifyApiKey –
  • Remove double stringify/parse of metadata field –
  • Log key verification errors –
• core:
  • Detect dual module error –
  • Separate CSRF and origin checks –
• docs:
  • Correct tos and policy types in oauth-provider –
• email-otp:
  • Call afterEmailVerification hook on verification –
• email-verification:
  • Sending email verification of another user fails with EMAIL_ALREADY_VERIFIED –
• mcp:
  • Restore ctx.query from cookie in OAuth flow –
• one-tap:
  • Respect user dismiss actions in prompt retry logic –
• open-api:
  • Correctly infer type for ZodDefault fields –
• organization:
  • Use opts pattern to enable hook injection –
• passkey:
  • Add error logs during client verification error –
• prisma-adapter:
  • Lift eq AND conditions to root so update detects unique where field –
• stripe:
  • Improve error handling and subscriptionSuccess route –
  • Pass metadata to subscription object in upgrade method –
  • Prevent duplicate subscription creation when a subscription already exists –
• two-factor:
  • Prisma issue –
  • Add missing POST endpoints to client pathMethods –

    View changes on GitHub

🚀 Features

• Support form data for email sign-in/sign-up and fallback to checking fetch Metadata for first login –
• expo:
  • Add webBrowserOptions to openAuthSessionAsync –
• saml:
  • Add XML parser hardening with configurable size limits –
• stripe:
  • Flexible subscription cancellation and termination management –
  • Handle customer.subscription.created webhook event –
  • Add disableRedirect option for subscription and billing –

🐞 Bug Fixes

• Correct accountLinking default to true –
• Add supportsArrays to memory and mongodb adapters –
• Sync updateSession changes to secondary storage and active-sessions list –
• admin:
  • Custom role type inference –
  • UserId check in /has-permission –
• anonymous:
  • Missing path breaks anonymous hooks –
• api:
  • Chain plugin onRequest hooks properly –
• client:
  • Prevent duplicate signal processing in atom listeners –
  • Apply rate limit focus refetch regardless of session state –
• expo:
  • Improve parseSetCookieHeader –
• oauth-provider:
  • Support jwksPath –
  • Only session db store currently supported –
• oauth-proxy:
  • Point provider requests to production and fix cookie handling in non-HTTPS environments –
• organization:
  • Remove unnecessary type re-export –
• passkey:
  • Use data.id instead of challengeId in deleteVerificationValue –
• stripe:
  • Add 'subscription/restore' to pathMethods –
  • Prevent trial abuse by checking all user subscriptions –

    View changes on GitHub