Releases: authgear/authgear-server

2026-04-21.0

21 Apr 11:02

Highlights

  • Usage alerts for project owners. Set soft limits on your Authgear usage and get alerted before you hit a hard cap. When a threshold is crossed, Authgear emails the project owner and fires a usage.alert.triggered webhook. Catch runaway SMS, email, or MAU costs before they become billing surprises.
  • Authflow session-scoped cooldowns. Cooldowns on OTP retries used to reset when users changed the target phone number or email mid-flow. Now the cooldown sticks to the whole authflow session. Closes a real abuse vector.
  • Non-ASCII sender names in custom SMTP. Custom SMTP now accepts sender names in Chinese, Japanese, and other non-Latin scripts.
  • Smaller portal improvements. Clearer social login setup flow. The Endpoint field now shows up for OIDC and SAML app types, not just OAuth.
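
The session-scoped cooldown change above, shown as an added illustration (not Authgear's code): the same sequence of OTP requests is replayed once with the cooldown keyed by target and once keyed by session. The type and function names, the 60-second period and the phone numbers are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// Cooldown (hypothetical type) records when each key may next request an OTP.
type Cooldown struct {
	period time.Duration
	next   map[string]time.Time
}

// Allow reports whether key may send now and, if so, starts its cooldown.
func (c *Cooldown) Allow(key string, now time.Time) bool {
	if now.Before(c.next[key]) {
		return false
	}
	c.next[key] = now.Add(c.period)
	return true
}

// CountSent replays OTP requests made inside one authflow session, spaced gap
// apart, and returns how many messages would go out. perSession selects the
// cooldown key: the session ID (new behaviour) or the target (old behaviour).
func CountSent(sessionID string, targets []string, gap, period time.Duration, perSession bool) int {
	cd := &Cooldown{period: period, next: map[string]time.Time{}}
	now := time.Date(2026, 4, 21, 11, 0, 0, 0, time.UTC)
	sent := 0
	for _, target := range targets {
		key := target
		if perSession {
			key = sessionID
		}
		if cd.Allow(key, now) {
			sent++
		}
		now = now.Add(gap)
	}
	return sent
}

func main() {
	// Constructed input: one session that switches target every 5 seconds.
	targets := []string{"+15550100", "+15550101", "+15550102", "+15550100"}
	fmt.Println("keyed by target: ", CountSent("sess-1", targets, 5*time.Second, 60*time.Second, false))
	fmt.Println("keyed by session:", CountSent("sess-1", targets, 5*time.Second, 60*time.Second, true))
}
```

Keyed by target, only the repeated number is throttled; keyed by session, everything after the first request waits out the cooldown regardless of target.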

2026-03-17.0

17 Mar 15:12
f036ac9

Highlights

Customize your welcome and password email templates

You can now customize the welcome email and admin-triggered password emails directly from the Authgear Portal. This covers two new templates: the account setup email that delivers a user's temporary password when an admin creates their account, and the notification email sent when an admin updates a user's password. Teams can now tailor the copy, branding, and tone of these messages without touching config files or redeploying.

Easier debugging with error tracking IDs

Error pages now display a tracking ID. When a user hits an error, they can share this ID with your support team, who can look it up in logs immediately. This removes the guesswork from diagnosing production issues.

Broader CORS support for metadata and OAuth endpoints

Authgear's metadata and OAuth static file endpoints now accept requests from any origin. This removes a common friction point when integrating Authgear into web apps that fetch discovery documents or JWKS from the browser.

v1 Auth UI removed

The legacy v1 Auth UI has been fully retired. All flows now run on the v2 UI, which is faster and more customizable.

Other changes

  • Fixed an issue where the phone/email verification button in user settings was disabled when verification wasn't required
  • Fixed recovery code page buttons remaining disabled after clicking Download
  • Fixed search bar in the audit log page crashing on input
  • Updated the IP blocklist testing UI in the portal
  • Advanced user fields are now always visible on the Add User screen
  • Portal now shows your configured disposable/free email domain list instead of the upstream repo defaults
  • Updated GeoIP database for more accurate location-based features
  • Updated disposable email domain list

authgear-once/1.2.0

04 Feb 13:03
2c03284

Deploy 2c0328461b5d to us, hk, hk-b

2026-01-08.0

12 Jan 16:27
4d880ca

  • ⏳ Added support for configuring an account valid period directly in the Portal.
  • 🛡️ Introduced IP blocklist support for faster response to spam and malicious attacks.
  • 🔑 Enabled generating Temporary Access Tokens for the Admin API in the Portal to support quick testing.
  • ⏸️ Added temporary account blocking (suspension) capability for better user management.
  • 📝 Added support for specifying a reason when blocking or deleting a user account.
  • 🎨 Supported displaying different logos in AuthUI for different application clients.
  • 🐞 Misc bug fixes and stability improvements.

2025-11-26.0

02 Dec 16:04

  • 🔐 Returned authenticators owned by the user in UserInfo for easier visibility and integration.
  • 🆔 Made it easier to copy the Project ID directly from the Portal.
  • 🚫 Added the ability to block disposable email domains to improve account quality.
  • 📤 Included created_at and account status in user export for better auditing.
  • 🌐 Fixed an issue where AuthUI links did not fall back to the default language when unset.
  • 🙅‍♂️ Allowed users with a username to have no password for more flexible authentication flows.

2025-10-31.0

31 Oct 15:07

  • 🕒 Added support for account valid period in both the Admin API and Import API, giving you more control over account lifecycles.
  • 🔓 You can now create users without a password directly from the portal, perfect for passwordless setups.
  • 🚫 Reserved project IDs that start with "xx-" (e.g. "us-", "hk-", "ab-") to avoid conflicts with system prefixes.
  • 🐛 Miscellaneous bug fixes and improvements to keep things running smoothly.

2025-10-14.0

14 Oct 13:54

2025-08-25.0

25 Aug 11:57
5796260

2025-07-23.0

23 Jul 14:08
5900abc

What's new:

  • 🔐 A new set of blocking events is introduced: authentication.pre_initialize, authentication.post_identified, authentication.pre_authenticated
  • ✨ Support "Do not ask again" in passkey upsell screen
  • ✨ Add a cancel button to bot protection dialog
  • 🔐 Allow creating passwords in the portal when the user has no password
  • ✨ Hide deprecated "Post Login URIs" in application settings
  • 🐞 Other misc bug fixes

authgear-once/1.1.0

27 Jun 04:06
0ea1652

Tag authgear-once/1.1.0