Releases: logto-io/logto
v1.9.1
Fixes
- fix a bug that prevents user from customizing i18n translations in sign-in experience config
- add more intuitive code samples and fix mistakes in express api guide
v1.9.0
New feature: Password policy

Summary
This newly introduced feature empowers you to customize a range of password policies specific to your Logto tenant:
- Minimum password length (default: 8)
- Minimum character types (default: 1)
- Prevention of breached passwords (default: Enabled)
- Restriction of repetitive or sequential characters (default: Enabled)
- Restriction of user information in passwords (default: Enabled)
- Custom restricted words (default: None specified)
To begin configuring these settings, simply navigate to the Logto Console under "Sign-in experience" and select "Password policy".
Note
New to password policy? Check out our blog post Design your password policy to master this feature!
For Logto Cloud users, or if you are upgrading Logto from a previous version, please take note that we are committed to ensuring a smooth upgrade. As such, we will maintain your existing password policy as follows:
- Minimum length: 8 characters
- Minimum character types: 2
- Please be aware that, with the implementation of the new policy, combining lowercase and uppercase letters will no longer be considered as a single character type.
- Prevention of breached passwords: Disabled
- Restriction of repetitive or sequential characters: Disabled
- Restriction of user information in passwords: Disabled
- Custom restricted words: None specified
Should you wish to update your password policy manually, you can do so within the Logto Console as described above.
Impact on users
- All new users will be subject to the new policy immediately upon creation.
- Existing users will not be affected by the updated policy until they choose to change their password.
Management API changes
We have removed password restrictions for adding or updating users via the Management API.
CLI improvements
- Support
region
option for s3 storage (#4439). - Keep original untranslated mark when syncing translate keys (#4443).
Refactoring
- Rename
@logto/ui
to@logto/experience
. - Rename
@logto/phrases-ui
to@logto/phrases-experience
.
These renames do not affect Logto product, so we didn't mark them as breaking changes.
Fixes
- Fix the app crash when inputting verification code in Console profile page.
- Align cli output for a better looking.
v1.8.0
Note
We are busily building MFA, Organizations, Enterprise SSO, and more security features. Subscribe to our newsletter so you won't miss any updates!
Feature updates
New app guides design
The app guides have been completely redesigned for an even more streamlined experience. Now when you create an app, you can search for your favorite framework or integration, and enjoy the tailored interactive tutorial.

New SDKs
We've crafted four new official SDKs: Python, PHP, ASP.NET Core, and CapacitorJS.
Don't hesitate to let us know if your favorite framework is missing. :-)
Mailgun connector
We added a dedicated connector to make sending emails via Mailgun easier. It also supports Mailgun email templates.
Specify algorithm when rotating keys
The CLI command to rotate OIDC private keys now supports specifying the key type. While the default key type ec
may not work in legacy platforms, you can use --type rsa
to prepend a new RSA key, for example:
logto db config rotate oidc.privateKey --type rsa
Improvements
v1.7.0
It has been a busy month, and we just launched Logto Cloud! Meanwhile, we also improved our OSS with some new features:
Feature updates
- Added
translate sync-keys
command in CLI. This command is helpful for syncing keys from one language to another. See Translation for details. - Added SMSAero connector (credit @evist0).
- Allow editing refresh token time-to-live (TTL) for applications except machine-to machine.
We are gradually shifting resources back to OSS and we'll bring more exciting features this year. Stay tuned.
v1.6.0
Features
Application details page in Console
- Added OpenID Provider configuration endpoint display
- Added application "Rotate Refresh Token" toggle
- Added application "Refresh Token TTL" configuration
Fixes
- Fix interaction issues of sign-in experience preview in Console
v1.5.0
Security update
Enabled Content Security Policy (CSP) header check
Removed the report-only
flag from the Content Security Policy (CSP) header for both Console and Sign-in Experience. Ensure your endpoints are configured correctly and see no CSP error in the browser's console before upgrading, otherwise frontend may break in this version.
Feature updates
Webhook in Console
We're thrilled to introduce the new Webhook feature in Logto Console, making integration and real-time event notifications a breeze. Here's what's new:
- Easy Configuration: Configure webhooks effortlessly by multi-selecting events like user registration, sign-in, and password reset. One-click testing of payload delivery ensures smooth setup.
- Enhanced Security: Each webhook is assigned an auto-generated Signing Key, ensuring the authenticity of payload data from Logto. Customize headers to add extra context.
- Monitor Webhook Health: Keep an eye on webhook performance with success rates and request times in the last 24 hours. Access independent logs of recent requests for easy troubleshooting.

Note
If you were using Webhooks via Management API, some API details are changed with backward compatibility so you can safely upgrade to this version.
Support setting default API Resource from Console and API
Logto leverages RFC 8707: Resource Indicators for OAuth 2.0 to implement Role-Based Access Control (RBAC). While it is one of the features of OAuth 2.0, it is not yet widely supported.
In Logto's implementation, every user-defined permission (scope) must be associated with an API Resource. Otherwise, it will be treated as an OpenID Connect (or OAuth) permission. Generally, this doesn't affect your authorization process. However, when integrating with third-party apps that lack support for RFC 8707 (e.g., ChatGPT plugins), it can pose challenges since the initial authorization request may not include a resource parameter. Consequently, Logto will always issue Opaque Access Tokens.
To address this issue, now you can designate an API Resource as the tenant-level default resource by heading to the details page of an API Resource:

See the documentation to learn what will be affected after turning it on.
Support updating sign-in identifiers in user details form
Admin can now update user sign-in identifiers (username, email, phone number) in the user details form in user management.
Fixes
- Reset password webhooks will be correctly triggered
- Bumped oidc-provider version to v8.2.2. This version fixes a bug that prevented the revoked scopes from being removed from the access token.
v1.4.0
This version brings us one step closer to resolving issue #3344. We are actively working on a backward-compatible solution for authorization.
Below are some articles that demonstrate how to use Logto as an OAuth or OIDC Identity Provider:
- Streamline OAuth and OIDC Authentication with Logto
- Implement ChatGPT plugins user authentication with Logto
- Simplify Outline authentication with Logto
Feature updates
Introducing the "Always issue Refresh Token" configuration for web apps

Turning on this toggle ensures that Refresh Tokens are always issued, regardless of whether prompt=consent
was included in the authorization request or if offline_access
was specified in the scope.
Patch updates
- Improved compatibility by parsing requests with
application/json
content-type for/oidc
APIs. - Automated synchronization of trusted social email and phone information for newly registered users, irrespective of the sign-up identifier configuration.
- For example: Previously, if the "email" was not set as a sign-up identifier (meaning a valid email connector had to be configured and enabled) and Google sign-in was added, the emails from new users would not be synchronized.
- Starting from v1.4.0, this requirement has been removed, as "social sign-in only" scenarios are not uncommon in real-world cases.
v1.3.1
Patch update
- Disable PKCE requirement for Traditional Web apps. Now Logto should be able to integrated with most projects that support OAuth identity providers such as ChatGPT plugins.
We'll post some tutorials soon.
v1.3.0
Note
Our brand new blog just landed. Let's enjoy the new design and beautiful illustrations by @Rany0101.
Feature updates
-
Provide Management APIs to help link social identities to user
- POST
/users/:userId/identities
to link a social identity to a user - POST
/connectors/:connectorId/authorization-uri
to get the authorization URI for a connector
- POST
Improvements
- Except interaction APIs, API response schemas and status codes are now available in
/api/swagger.json
. Also available in https://docs.logto.io/api/.

Bug fix
- SAML connector: Should ignore empty number input box when parsing connector config form.
v1.2.3
Connectors
- Alipay (web), Discord, Facebook, GitHub, Google, WeChat (web) connectors now support custom
scope
. - Use node resolution to support
crypto.getRandomValues
in connectors, fixes an error in the AWS SES connector.