Skip to main content

Changelog

April 23, 2026

apps-0.2.99

Internal improvements and maintenance updates.

April 22, 2026

auth-server-1.2.31

Bug fixes

  • Fixed authentication failures when using custom protocol redirect URLs (e.g., cursor://)
  • Fixed an issue where OAuth authorization server discovery URLs were not resolved correctly

April 22, 2026

apps-0.2.98

Features

  • Added support for user data deletion requests in compliance with data privacy regulations

Improvements

  • Improved performance of user data processing operations
  • Applied security updates to address potential vulnerabilities

Bug fixes

  • Fixed an issue where user account deletion could fail in certain cases

April 20, 2026

apps-0.2.97

Bug fixes

  • Fixed an issue where login redirects failed for applications using custom protocol schemes (e.g. desktop apps), causing authentication errors

April 01, 2026

auth-server-1.2.30

Security

  • fix for CVE-2025-69720

March 27, 2026

auth-server-1.2.29

Internal improvements and maintenance updates.

March 27, 2026

apps-0.2.94

Features

  • Added email subaddress support for major providers: addresses like user+tag@gmail.com are now accepted for supported domains
  • Added throwaway email blocking: signups from known disposable email providers are now automatically blocked
  • Added custom blocked domains: app owners can define additional blocked email domains via the dashboard

Improvements

  • Throwaway email blocking is now off by default and can be enabled in your app settings
  • The built-in list of blocked disposable email domains is now viewable in the dashboard
  • Clarified that email blocking applies to email-based login only β€” social and OAuth logins are not affected

Bug fixes

  • Fixed a security vulnerability in the login cleanup process
  • Updated dependencies to address security vulnerabilities

March 27, 2026

auth-server-1.2.28

Bug fixes

  • Fixed login issues that could occur when connecting through certain third-party applications

Improvements

  • Updated dependencies to address security vulnerabilities

March 25, 2026

apps-0.2.93

Internal improvements and maintenance updates.

March 25, 2026

auth-server-1.2.27

Internal improvements and maintenance updates.

March 20, 2026

apps-0.2.92

Improvements

  • Token exchange configuration now allows HTTP URLs for localhost addresses during local development, following OAuth 2.0 best practices (RFC 8252)
  • JWKS URI validation now enforces HTTPS-only for improved security, with an exception for localhost development

Bug fixes

  • Fixed an issue where user analytics profiles could become fragmented, improving the accuracy of user identification
  • Updated dependencies to address known security vulnerabilities

Security

  • Updated framework dependencies to resolve published security advisories

March 19, 2026

auth-server-1.2.26

Improvements

  • Updated authentication dependencies to improve compatibility and security

Bug fixes

  • Fixed an issue where some users could encounter an unexpected error during login

March 17, 2026

auth-server-1.2.25

Features

  • Apps can now be configured to control access to specific OAuth scopes, giving administrators more granular permission management

Bug fixes

  • Authorization requests with unsupported scopes now return a clear error instead of silently ignoring them

Improvements

  • Reduced latency on repeated configuration lookups for faster authentication flows

March 17, 2026

apps-0.2.90

Features

  • Added programmatic account creation API, allowing apps to create Civic Auth accounts automatically via API
  • Added token exchange configuration endpoints for programmatic app setup
  • Added account selector to the dashboard header for users who belong to multiple accounts

Improvements

  • Improved authentication reliability and error handling
  • Reduced performance overhead of application monitoring

Bug fixes

  • Fixed an issue where account creation could fail due to certain ID formats
  • Fixed a navigation issue that caused incorrect URLs in the dashboard

March 11, 2026

auth-server-1.2.24

Features

  • Added support for MCP (Model Context Protocol) clients, enabling proper OAuth authorization for tools like Gemini CLI

Bug fixes

  • Fixed an error that could occur when MCP clients attempted to connect via OAuth authorization

March 10, 2026

auth-server-1.2.23

Features

  • Added support for civic_account and civic_profile claims in token exchange requests
  • When both legacy and new claim formats are present, the new civic_* claims now take priority

March 10, 2026

apps-0.2.89

Features

  • Added support for civic_account and civic_profile claims in token exchange

March 06, 2026

apps-0.2.88

Bug fixes

  • Fixed an issue where custom logo uploads were not displaying correctly
  • Fixed an issue preventing cleanup of previously uploaded files when replacing them

Security

  • Updated dependencies to address known vulnerabilities

February 13, 2026

Auth Server v1.2.21

Bug Fixes

  • Fixed federated token exchange sub claim to use the correct account identifier
  • Fixed federated token exchange userinfo endpoint to return proper OIDC claims
  • Extracted standard OIDC claims (name, email, picture, etc.) from external tokens during federated token exchange

Security

  • Dependency upgrade to address a high-severity vulnerability

February 9, 2026

Auth Server v1.2.20

Improvements

  • Internal infrastructure and analytics improvements

February 9, 2026

Apps v0.2.82

Improvements

  • Next.js 16 compatibility updates

Bug Fixes

  • Fixed SSR hydration mismatches in useUser hook and login app
  • Fixed cross-origin SecurityError in MessageHandler logging

February 4, 2026

Auth Server v1.2.19

Security

  • Security hardening and vulnerability fixes across the authentication infrastructure

February 2, 2026

Auth Server v1.2.18

Improvements

  • Added support for mcp:tools scope in Dynamic Client Registration, enabling MCP tool authorization through the /reg endpoint

Security

  • Addressed security vulnerabilities to improve platform safety

September 26th, 2025

OAuth 2.0 Enhancements & Session Improvements

πŸ”„ Dynamic Client Registration support Connect Civic auth to any AI server or MCP server with our new Dynamic Client Registration support. Perfect for modern, flexible authentication flows.

πŸ” OAuth client-credentials flow Now supporting the OAuth client-credentials flow for secure server-to-server authentication scenarios.

⚑ Major session refresh improvements The Civic Auth SDK brings significant API improvements with faster session refreshes. Sessions now refresh quickly on page load and automatically in the background when users navigate back to protected pages.

🎨 Enhanced UserButton UI Improved the UserButton component with better visual design and user experience.

October 2025

Token Exchange & Security

πŸ”„ Token exchange (RFC 8693) Exchange one access token for another with different permissions or audience. Perfect for delegating access between services while maintaining security.

πŸ”’ Enhanced cross-origin security Added COEP and CORP headers for better security and compatibility with modern web standards.

August 21st, 2025

Passkey Authentication

πŸ”‘ Passkey login is here! We now support passkey as a login method! After enabling passkey, you can prompt users to create a passkey to login to your site, making login faster and more secure. Say goodbye to passwords and hello to the future of authentication.

August 6th, 2025

React Frontend + Any Backend Support

πŸ”— Mix and match React with any backend New React SDK feature lets you use React on the frontend with any backend technology. Whether you're running Node.js, Python, Go, or something else entirely, our React components now work seamlessly with your existing auth setup.

Perfect for teams that want React's user experience with the flexibility to choose their backend stack.

July 30th, 2025

Auth Middleware Improvements & Session Management

⚑ Smarter auth middleware Refactored authentication middleware with better utilities and improved token refresh prioritization. Sessions now handle cleanup and replenishment more reliably.

πŸ› οΈ URL parameter cleanup Fixed issues with code parameter handling and improved session cleanup processes. Login flows are now more robust across different scenarios.

πŸ”§ Enhanced session reliability Better session management ensures users stay authenticated properly and reduces unexpected logouts during normal usage.

July 14th, 2025

Enterprise Security & Mobile Excellence

πŸ” Client secrets for the enterprise crowd We kept hearing from enterprise customers that they needed client secrets for their confidential applications. So we built it. You can now choose PKCE + client secret for maximum security, or go with client secrets only if you're working with legacy systems that need it.

Check out our authentication flows guide to see how it works.

πŸ“± Mobile login that actually works Remember those tiny login buttons that were impossible to tap on mobile? Yeah, we fixed that. Login buttons now look good and load fast on phones. No more squinting at your screen trying to hit the right spot.

πŸ› οΈ Vanilla JavaScript plays nice with everything Our vanilla JavaScript integration now works smoothly with Express, Fastify, Hono, or whatever backend you're running. Same simple code, any framework.

πŸ› Bug fixes and improvements We've been busy polishing the experience:

  • Various login flow improvements
  • Enhanced mobile display quality
  • Better handling of edge cases across different auth methods

June 5th, 2025

Going Native & Vanilla

πŸ“± React Native support is here Your React Native apps can now use Civic Auth. Works on both iOS and Android with solid performance.

🍦 Pure JavaScript, no frameworks required Want to integrate Civic Auth without any frameworks? Now you can. Plain JavaScript integration that just works.

June 3rd, 2025

Β‘Hola mundo! Guten Tag authentication!

🌍 Speaking Spanish and German Login screens now support Spanish and German with complete translations. Your international users will feel right at home.

πŸ“Έ Google profile pictures show up Fixed the bug where Google profile pictures wouldn't load. No more broken image icons.

May 22nd, 2025

Dashboard polish & production focus

πŸ“Š Billing dashboard shows real numbers The billing dashboard was showing incorrect data. Charts now display accurate usage information.

🎯 Fewer annoying banners App banners now only appear for production applications, not during development. Less noise while you're building.

May 3rd, 2025

Next.js gets snappier

⚑ One redirect, not three Next.js apps were doing multiple redirects after login. Fixed it so there's just one clean redirect like there should be.

April 30th, 2025

Dashboard makeover & account fixes

πŸ“ˆ Billing dashboard improvements Usage charts now show the right data with clearer visuals. No more guessing what your actual usage is.

April 29th, 2025

Visibility & flexibility upgrades

πŸ’‘ Find your plan info easily Subscription details and usage limits are now easy to find. No more hunting through multiple screens.

πŸ”— Better custom domain support Improved how the SDK handles custom URLs and domains. More reliable and flexible.

April 17th, 2025

Production launch made easy

πŸš€ Production setup works again Fixed the errors that were happening when setting up production applications. Should be smooth sailing now.

April 16th, 2025

Never get surprised by limits again

🚨 Know before you hit the limit Added dashboard and email alerts when you're approaching your plan limits. No more surprise overages.