release: version packages

[silverhand-bot]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or setup this action to publish automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to master, this PR will be updated.

Releases

@logto/connector-smtp2go-email@1.1.0

Minor Changes

• e7b6e9d: add SMTP2GO email connector for transactional auth emails via the SMTP2GO send API

  Export shared SMTP mailbox parsing and formatting utilities from @logto/connector-kit, and adopt them in the MailJunky connector

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/phrases@1.29.0

Minor Changes

• d41082b: add app-level access control for applications

  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.

  Supported custom control rules include:

  • User IDs
  • User roles
  • Organizations
  • Organization roles

  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control

• c2016a0: add a configurable per-tenant password expiration policy

  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.

  • Console: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
  • Core / API: the policy is stored on the sign-in experience (passwordExpiration) and enforced after password verification. PATCH /api/users/:userId/password/expiration lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
  • Experience: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.

  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.

• c73d32b: support passkeys (WebAuthn) as an MFA factor for native apps using Logto's native SDKs

  Logto's native SDKs (Android and iOS) now sign users in through the system's default browser, where passkeys (WebAuthn) are available. Upgrade to Android SDK v3 or iOS SDK v2 to enable it.

• 67b99bb: add username policy management to the sign-in experience advanced options

  Operators can configure the tenant username policy — case sensitivity, length bounds, and allowed character types — from Console → Sign-in experience → Sign-up and sign-in → Advanced options. Switching to case-insensitive proactively detects existing usernames that differ only by case and blocks the save until the conflicts are resolved.

Patch Changes

• 413b7ec: map custom UI asset Azure Blob transport failures to retryable storage download errors

@logto/phrases-experience@1.14.0

Minor Changes

• d41082b: add app-level access control for applications

  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.

  Supported custom control rules include:

  • User IDs
  • User roles
  • Organizations
  • Organization roles

  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control

• c2016a0: add a configurable per-tenant password expiration policy

  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.

  • Console: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
  • Core / API: the policy is stored on the sign-in experience (passwordExpiration) and enforced after password verification. PATCH /api/users/:userId/password/expiration lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
  • Experience: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.

  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.

• 67b99bb: apply the tenant username policy in sign-in experience and account center username forms

  Usernames entered during sign-up, profile fulfillment, and account center editing are validated against the tenant username policy with localized inline errors. The dedicated username pages (continue flow and account center) state the policy requirements in their page description, and the sign-up identifier form surfaces the full requirements sentence when an entered username violates the policy.

Patch Changes

• Updated dependencies [e1fadfb]
• Updated dependencies [a884136]
  • @logto/core-kit@2.11.0

@logto/schemas@1.41.0

Minor Changes

• a305713: expose the target organization to the access token JWT customizer for organization (API resource) tokens

  When Logto issues an organization access token (a token requested with both organization_id and resource), the access token JWT customizer now receives a context.organization object with the target organization's id, name, description and customData. Previously the customizer was invoked with the same payload as a regular user access token and had no way to know which organization the token was being issued for — the organization_id claim is only injected after the customizer runs.

  This lets scripts attach per-organization claims (for example mapping the Logto organization id to an internal id stored in organization.customData) without embedding a map of every organization the user belongs to into every token.

• c7f17d6: rate-limit outbound verification-code and message sends per recipient and suppress delivery to unknown recipients

  Adds a mandatory, system-level per-recipient send rate limit across all email/SMS send paths (experience verification codes including MFA, the account and management verification-code APIs, /me, organization invitations, and the legacy interaction API), emits a Message.RateLimited webhook when a send is throttled, and suppresses verification-code delivery to unregistered recipients when registration is disabled to prevent account enumeration. The Message.RateLimited event is now selectable in the Console webhook settings.

• d41082b: add app-level access control for applications

  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.

  Supported custom control rules include:

  • User IDs
  • User roles
  • Organizations
  • Organization roles

  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control

• c2016a0: add a configurable per-tenant password expiration policy

  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.

  • Console: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
  • Core / API: the policy is stored on the sign-in experience (passwordExpiration) and enforced after password verification. PATCH /api/users/:userId/password/expiration lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
  • Experience: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.

  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.

• 67b99bb: add per-tenant username policy enforcement and mirror preferred_username from username by default

  The sign-in experience now stores a per-tenant username policy (case sensitivity, length bounds, and allowed character types) that is enforced on end-user username writes: experience sign-up and profile fulfillment, the account API, and /me. Admin (Management API) writes keep the always-on baseline rules only.

  Switching usernames to case-insensitive is guarded: PATCH /api/sign-in-exp is rejected with a 409 while usernames that differ only by case exist, and the new GET /api/sign-in-exp/username-policy/case-sensitivity-conflicts endpoint reports such conflicts.

  For deployments using the legacy CASE_SENSITIVE_USERNAME environment variable: the effective case sensitivity is the per-tenant policy AND-combined with the env var, so usernames are treated case-insensitively if either is false. Existing CASE_SENSITIVE_USERNAME=false setups keep their behavior — the env var acts as a runtime override that forces case-insensitive handling for every tenant, and the per-tenant policy cannot re-enable case sensitivity while it is set. The env var is deprecated and slated for removal in the next major; migrate by unsetting it and configuring usernamePolicy.caseSensitive per tenant instead.

  The OIDC preferred_username claim now falls back to the user's username when profile.preferredUsername is unset, so standards-compliant clients receive a usable value out of the box.

• eb45edb: allow customizing verification code settings

  Admins can configure the verification code expiration duration and maximum retry attempts in Console Security settings.

Patch Changes

• 72820ac: prevent theme flash in sign-in experience and account center

  Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.

• Updated dependencies [e7b6e9d]

• Updated dependencies [413b7ec]

• Updated dependencies [d41082b]

• Updated dependencies [c2016a0]

• Updated dependencies [c73d32b]

• Updated dependencies [b7386a5]

• Updated dependencies [67b99bb]

• Updated dependencies [67b99bb]

• Updated dependencies [e1fadfb]

• Updated dependencies [67b99bb]

• Updated dependencies [a884136]

  • @logto/connector-kit@5.1.0
  • @logto/phrases@1.29.0
  • @logto/phrases-experience@1.14.0
  • @logto/core-kit@2.11.0
  • @logto/shared@3.4.1

@logto/connector-kit@5.1.0

Minor Changes

• e7b6e9d: add SMTP2GO email connector for transactional auth emails via the SMTP2GO send API

  Export shared SMTP mailbox parsing and formatting utilities from @logto/connector-kit, and adopt them in the MailJunky connector

Patch Changes

• b7386a5: fix a runtime crash on iOS 15 and older Safari when loading the experience or demo apps

  urlRegEx used a lookbehind assertion ((?<![\w.])), which Safari < 16.4 cannot parse. Because the regex is a top-level literal bundled into the experience app, loading the app threw SyntaxError: Invalid regular expression: invalid group specifier name before any code ran. The boundary now uses a (?:^|[^\w.]) group, which is behaviorally equivalent for .test() and parses on all supported browsers.

@logto/core-kit@2.11.0

Minor Changes

• e1fadfb: add a shared username policy type, Zod guard, and default value
• a884136: add a shared username policy validator

Patch Changes

• Updated dependencies [67b99bb]
  • @logto/shared@3.4.1

@logto/cli@1.41.0

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [a305713]
• Updated dependencies [c7f17d6]
• Updated dependencies [d41082b]
• Updated dependencies [c2016a0]
• Updated dependencies [72820ac]
• Updated dependencies [b7386a5]
• Updated dependencies [e1fadfb]
• Updated dependencies [67b99bb]
• Updated dependencies [a884136]
• Updated dependencies [eb45edb]
  • @logto/connector-kit@5.1.0
  • @logto/schemas@1.41.0
  • @logto/core-kit@2.11.0
  • @logto/shared@3.4.1

@logto/connector-alipay-native@1.4.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-alipay-web@1.6.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-aliyun-dm@1.6.1

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-aliyun-sms@1.5.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-aliyun-sms-mas@1.1.1

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
• Updated dependencies [67b99bb]
  • @logto/connector-kit@5.1.0
  • @logto/shared@3.4.1

@logto/connector-amazon@0.3.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-apple@1.6.7

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
• Updated dependencies [67b99bb]
  • @logto/connector-kit@5.1.0
  • @logto/shared@3.4.1

@logto/connector-aws-ses@1.5.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-azuread@1.6.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-dingtalk-web@0.4.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-discord@1.6.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-facebook@1.6.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-feishu-web@1.4.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-gatewayapi-sms@1.2.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-github@1.7.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-gitlab@1.2.7

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
• Updated dependencies [67b99bb]
  • @logto/connector-kit@5.1.0
  • @logto/shared@3.4.1
  • @logto/connector-oauth@1.7.7

@logto/connector-google@1.8.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-http-email@0.4.3

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-huggingface@0.4.7

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0
  • @logto/connector-oauth@1.7.7

@logto/connector-kakao@1.4.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-kook@0.4.7

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0
  • @logto/connector-oauth@1.7.7

@logto/connector-line@0.3.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-linkedin@0.3.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-logto-email@1.3.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-logto-social-demo@1.3.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-mailgun@1.5.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-mailjunky@1.6.1

Patch Changes

• e7b6e9d: add SMTP2GO email connector for transactional auth emails via the SMTP2GO send API

  Export shared SMTP mailbox parsing and formatting utilities from @logto/connector-kit, and adopt them in the MailJunky connector

• Updated dependencies [e7b6e9d]

• Updated dependencies [b7386a5]

  • @logto/connector-kit@5.1.0

@logto/connector-mock-email@3.0.2

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-mock-standard-email@3.0.2

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-mock-sms@3.0.2

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-mock-social@1.5.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-naver@1.4.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-oauth@1.7.7

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
• Updated dependencies [67b99bb]
  • @logto/connector-kit@5.1.0
  • @logto/shared@3.4.1

@logto/connector-oidc@1.7.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
• Updated dependencies [67b99bb]
  • @logto/connector-kit@5.1.0
  • @logto/shared@3.4.1
  • @logto/connector-oauth@1.7.7

@logto/connector-patreon@1.2.7

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0
  • @logto/connector-oauth@1.7.7

@logto/connector-postmark@1.2.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-qq@1.1.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-saml@1.3.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-sendgrid-email@1.5.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-slack@0.3.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-smsaero@1.5.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-smsbao-sms@1.1.1

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-smtp@1.5.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-tencent-sms@1.4.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-twilio-sms@1.4.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-vonage-sms@0.2.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-wechat-native@1.4.6

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-wechat-web@1.6.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-wecom@0.6.1

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
• Updated dependencies [67b99bb]
  • @logto/connector-kit@5.1.0
  • @logto/shared@3.4.1

@logto/connector-whatsapp-sms@1.0.3

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-x@0.4.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-xiaomi@1.2.5

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/connector-yunpian-sms@1.2.4

Patch Changes

• Updated dependencies [e7b6e9d]
• Updated dependencies [b7386a5]
  • @logto/connector-kit@5.1.0

@logto/create@1.41.0

Patch Changes

• @logto/cli@1.41.0

@logto/shared@3.4.1

Patch Changes

• 67b99bb: add per-tenant username policy enforcement and mirror preferred_username from username by default

  The sign-in experience now stores a per-tenant username policy (case sensitivity, length bounds, and allowed character types) that is enforced on end-user username writes: experience sign-up and profile fulfillment, the account API, and /me. Admin (Management API) writes keep the always-on baseline rules only.

  Switching usernames to case-insensitive is guarded: PATCH /api/sign-in-exp is rejected with a 409 while usernames that differ only by case exist, and the new GET /api/sign-in-exp/username-policy/case-sensitivity-conflicts endpoint reports such conflicts.

  For deployments using the legacy CASE_SENSITIVE_USERNAME environment variable: the effective case sensitivity is the per-tenant policy AND-combined with the env var, so usernames are treated case-insensitively if either is false. Existing CASE_SENSITIVE_USERNAME=false setups keep their behavior — the env var acts as a runtime override that forces case-insensitive handling for every tenant, and the per-tenant policy cannot re-enable case sensitivity while it is set. The env var is deprecated and slated for removal in the next major; migrate by unsetting it and configuring usernamePolicy.caseSensitive per tenant instead.

  The OIDC preferred_username claim now falls back to the user's username when profile.preferredUsername is unset, so standards-compliant clients receive a usable value out of the box.

@logto/translate@0.2.15

Patch Changes

• Updated dependencies [413b7ec]
• Updated dependencies [d41082b]
• Updated dependencies [c2016a0]
• Updated dependencies [c73d32b]
• Updated dependencies [67b99bb]
• Updated dependencies [67b99bb]
• Updated dependencies [e1fadfb]
• Updated dependencies [67b99bb]
• Updated dependencies [a884136]
  • @logto/phrases@1.29.0
  • @logto/phrases-experience@1.14.0
  • @logto/core-kit@2.11.0
  • @logto/shared@3.4.1

@logto/tunnel@0.3.9

Patch Changes

• Updated dependencies [e1fadfb]
• Updated dependencies [67b99bb]
• Updated dependencies [a884136]
  • @logto/core-kit@2.11.0
  • @logto/shared@3.4.1

@logto/api@1.41.0

@logto/account@0.5.0

Minor Changes

• 3d38ae2: add account center session management

  Users can now configure and use the account center Sessions page to review active sessions and connected third-party applications.

• c1ff0c1: release account center profile page, custom profile fields at sign-up, and experience/account avatar upload from dev feature gates

  The collect-user-profile sign-up flow now respects the explicit signUpProfileFields list instead of always showing the full catalog. The account center profile page and avatar upload endpoints are no longer gated behind a dev feature flag.

• bcd517b: add independent Account Center passkey controls for passkey sign-in

  Admins can now configure passkey visibility separately from MFA in Account Center, and users can manage passkeys plus their passkey sign-in prompt preference when passkey sign-in is enabled.

• 67b99bb: apply the tenant username policy in sign-in experience and account center username forms

  Usernames entered during sign-up, profile fulfillment, and account center editing are validated against the tenant username policy with localized inline errors. The dedicated username pages (continue flow and account center) state the policy requirements in their page description, and the sign-up identifier form surfaces the full requirements sentence when an entered username violates the policy.

Patch Changes

• 72820ac: prevent theme flash in sign-in experience and account center

  Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.

@logto/console@1.38.0

Minor Changes

• a305713: expose the target organization to the access token JWT customizer for organization (API resource) tokens

  When Logto issues an organization access token (a token requested with both organization_id and resource), the access token JWT customizer now receives a context.organization object with the target organization's id, name, description and customData. Previously the customizer was invoked with the same payload as a regular user access token and had no way to know which organization the token was being issued for — the organization_id claim is only injected after the customizer runs.

  This lets scripts attach per-organization claims (for example mapping the Logto organization id to an internal id stored in organization.customData) without embedding a map of every organization the user belongs to into every token.

• c7f17d6: rate-limit outbound verification-code and message sends per recipient and suppress delivery to unknown recipients

  Adds a mandatory, system-level per-recipient send rate limit across all email/SMS send paths (experience verification codes including MFA, the account and management verification-code APIs, /me, organization invitations, and the legacy interaction API), emits a Message.RateLimited webhook when a send is throttled, and suppresses verification-code delivery to unregistered recipients when registration is disabled to prevent account enumeration. The Message.RateLimited event is now selectable in the Console webhook settings.

• d41082b: add app-level access control for applications

  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.

  Supported custom control rules include:

  • User IDs
  • User roles
  • Organizations
  • Organization roles

  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control

• 3d38ae2: add account center session management

  Users can now configure and use the account center Sessions page to review active sessions and connected third-party applications.

• c1ff0c1: release account center profile page, custom profile fields at sign-up, and experience/account avatar upload from dev feature gates

  The collect-user-profile sign-up flow now respects the explicit signUpProfileFields list instead of always showing the full catalog. The account center profile page and avatar upload endpoints are no longer gated behind a dev feature flag.

• bcd517b: add independent Account Center passkey controls for passkey sign-in

  Admins can now configure passkey visibility separately from MFA in Account Center, and users can manage passkeys plus their passkey sign-in prompt preference when passkey sign-in is enabled.

• c2016a0: add a configurable per-tenant password expiration policy

  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.

  • Console: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
  • Core / API: the policy is stored on the sign-in experience (passwordExpiration) and enforced after password verification. PATCH /api/users/:userId/password/expiration lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
  • Experience: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.

  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.

• c73d32b: support passkeys (WebAuthn) as an MFA factor for native apps using Logto's native SDKs

  Logto's native SDKs (Android and iOS) now sign users in through the system's default browser, where passkeys (WebAuthn) are available. Upgrade to Android SDK v3 or iOS SDK v2 to enable it.

• 67b99bb: add username policy management to the sign-in experience advanced options

  Operators can configure the tenant username policy — case sensitivity, length bounds, and allowed character types — from Console → Sign-in experience → Sign-up and sign-in → Advanced options. Switching to case-insensitive proactively detects existing usernames that differ only by case and blocks the save until the conflicts are resolved.

• eb45edb: allow customizing verification code settings

  Admins can configure the verification code expiration duration and maximum retry attempts in Console Security settings.

Patch Changes

• 92560f6: fix Console username update returning 401 by redirecting to Account Center

  The Account API requires identity verification for username changes, which the
  Console profile page does not implement. Redirect username editing to the
  Account Center's /account/username page (same pattern as MFA) where the full
  verification flow is already implemented.

@logto/core@1.41.0

Minor Changes

• a923dcb: Make POST /api/applications/:applicationId/roles idempotent: role IDs already attached to the application are silently ignored instead of causing the request to fail with 422 application.role_exists. The response is now 201 with body { roleIds, addedRoleIds }, matching the response shape of POST /api/users/:userId/roles.

  Closes POST /api/applications/:id/roles returns 422 on duplicate role; the symmetric user endpoint silently no-ops #8900.

• a305713: expose the target organization to the access token JWT customizer for organization (API resource) tokens

  When Logto issues an organization access token (a token requested with both organization_id and resource), the access token JWT customizer now receives a context.organization object with the target organization's id, name, description and customData. Previously the customizer was invoked with the same payload as a regular user access token and had no way to know which organization the token was being issued for — the organization_id claim is only injected after the customizer runs.

  This lets scripts attach per-organization claims (for example mapping the Logto organization id to an internal id stored in organization.customData) without embedding a map of every organization the user belongs to into every token.

• c7f17d6: rate-limit outbound verification-code and message sends per recipient and suppress delivery to unknown recipients

  Adds a mandatory, system-level per-recipient send rate limit across all email/SMS send paths (experience verification codes including MFA, the account and management verification-code APIs, /me, organization invitations, and the legacy interaction API), emits a Message.RateLimited webhook when a send is throttled, and suppresses verification-code delivery to unregistered recipients when registration is disabled to prevent account enumeration. The Message.RateLimited event is now selectable in the Console webhook settings.

• d41082b: add app-level access control for applications

  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.

  Supported custom control rules include:

  • User IDs
  • User roles
  • Organizations
  • Organization roles

  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control

• c1ff0c1: release account center profile page, custom profile fields at sign-up, and experience/account avatar upload from dev feature gates

  The collect-user-profile sign-up flow now respects the explicit signUpProfileFields list instead of always showing the full catalog. The account center profile page and avatar upload endpoints are no longer gated behind a dev feature flag.

• bcd517b: add independent Account Center passkey controls for passkey sign-in

  Admins can now configure passkey visibility separately from MFA in Account Center, and users can manage passkeys plus their passkey sign-in prompt preference when passkey sign-in is enabled.

• c2016a0: add a configurable per-tenant password expiration policy

  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.

  • Console: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
  • Core / API: the policy is stored on the sign-in experience (passwordExpiration) and enforced after password verification. PATCH /api/users/:userId/password/expiration lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
  • Experience: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.

  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.

• 67b99bb: add per-tenant username policy enforcement and mirror preferred_username from username by default

  The sign-in experience now stores a per-tenant username policy (case sensitivity, length bounds, and allowed character types) that is enforced on end-user username writes: experience sign-up and profile fulfillment, the account API, and /me. Admin (Management API) writes keep the always-on baseline rules only.

  Switching usernames to case-insensitive is guarded: PATCH /api/sign-in-exp is rejected with a 409 while usernames that differ only by case exist, and the new GET /api/sign-in-exp/username-policy/case-sensitivity-conflicts endpoint reports such conflicts.

  For deployments using the legacy CASE_SENSITIVE_USERNAME environment variable: the effective case sensitivity is the per-tenant policy AND-combined with the env var, so usernames are treated case-insensitively if either is false. Existing CASE_SENSITIVE_USERNAME=false setups keep their behavior — the env var acts as a runtime override that forces case-insensitive handling for every tenant, and the per-tenant policy cannot re-enable case sensitivity while it is set. The env var is deprecated and slated for removal in the next major; migrate by unsetting it and configuring usernamePolicy.caseSensitive per tenant instead.

  The OIDC preferred_username claim now falls back to the user's username when profile.preferredUsername is unset, so standards-compliant clients receive a usable value out of the box.

• eb45edb: allow customizing verification code settings

  Admins can configure the verification code expiration duration and maximum retry attempts in Console Security settings.

Patch Changes

• 413b7ec: map custom UI asset Azure Blob transport failures to retryable storage download errors

• 209fa0a: escape HTML attribute values in the SAML IdP auto-submit form

  When Logto acts as a SAML IdP, the auto-submit form posted to the SP's ACS interpolated SAMLResponse, RelayState and the action URL into HTML attributes without escaping. If a value contained a double quote, the browser truncated the attribute at that quote.

  This broke SPs that send a JSON string as RelayState: the SP received only { instead of the full value, losing the post-login context. The values are now HTML-escaped, so quotes and other markup characters round-trip intact (this also closes a reflected-markup injection vector in the interstitial page).

  In addition, the form action URL is now restricted to the http/https schemes before rendering. Escaping the attribute value alone does not neutralize a scriptable scheme such as javascript:, which the browser would execute on submission, so such URLs are now rejected.

• 37999f7: fix a flash of built-in styles on the hosted sign-in experience when custom CSS is configured

  Custom CSS was injected on the client via react-helmet, which mutates <head> asynchronously after the page had already painted with the built-in styles. The server-rendered experience HTML now inlines the configured custom CSS into <head>, so it is part of the cascade on the first paint. The </style> sequence in custom CSS is escaped so it cannot terminate the style element early, and the SSR data embedded in the inline <script> is now serialized with HTML-significant characters escaped to prevent script breakout.

• 9de4020: fix identifier-lockout sentinel misfiring because count(*) was treated as a string

  Postgres returns count(*) as a bigint that Slonik surfaces as a string. The sentinel added 1 to this value to decide whether to lock an identifier, so '10' + 1 evaluated to '101' and the failed-attempt threshold (default 100) tripped far too early — roughly at 10 failed attempts. The count is now coerced to a number so the threshold is compared numerically.

• 5b5005d: fix custom UI asset upload timeout caused by Azure blob existence checks

• 9847dfd: fix one-time token consent handling for switch-account sign-in flows

• c984038: reject null bytes in OIDC request bodies and strip them from audit logs so malformed input returns a clean 400 instead of a 500

  A null byte (U+0000) in an application/x-www-form-urlencoded body sent to /oidc/token previously surfaced as a 500 Internal Server Error. The actual cause was the audit log insert: PostgreSQL rejects null bytes in jsonb (error 22P05), and because the insert runs in a finally block, that failure masked the original clean error. The OIDC body parser now rejects null bytes with a 400 invalid_request, and audit log payloads are sanitized of null bytes before insert as defense in depth.

  Closes bug: Null byte (\x00) in POST body to /oidc/token causes HTTP 500 instead of 400 #8990.

• 72820ac: prevent theme flash in sign-in experience and account center

  Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.

• 17c5238: allow linking social identities in account center without password, email, or phone when the user has no legacy security verification methods

• Updated dependencies [e7b6e9d]

• Updated dependencies [413b7ec]

• Updated dependencies [92560f6]

• Updated dependencies [a305713]

• Updated dependencies [c7f17d6]

• Updated dependencies [d41082b]

• Updated dependencies [3d38ae2]

• Updated dependencies [c1ff0c1]

• Updated dependencies [bcd517b]

• Updated dependencies [c2016a0]

• Updated dependencies [72820ac]

• Updated dependencies [c73d32b]

• Updated dependencies [b7386a5]

• Updated dependencies [67b99bb]

• Updated dependencies [67b99bb]

• Updated dependencies [e1fadfb]

• Updated dependencies [67b99bb]

• Updated dependencies [a884136]

• Updated dependencies [eb45edb]

  • @logto/connector-kit@5.1.0
  • @logto/phrases@1.29.0
  • @logto/console@1.38.0
  • @logto/schemas@1.41.0
  • @logto/experience@1.20.0
  • @logto/phrases-experience@1.14.0
  • @logto/account@0.5.0
  • @logto/core-kit@2.11.0
  • @logto/shared@3.4.1
  • @logto/cli@1.41.0
  • @logto/demo-app@1.5.0
  • @logto/device-demo-app@0.1.0

@logto/experience@1.20.0

Minor Changes

• d41082b: add app-level access control for applications

  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.

  Supported custom control rules include:

  • User IDs
  • User roles
  • Organizations
  • Organization roles

  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control

• c2016a0: add a configurable per-tenant password expiration policy

  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.

  • Console: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
  • Core / API: the policy is stored on the sign-in experience (passwordExpiration) and enforced after password verification. PATCH /api/users/:userId/password/expiration lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
  • Experience: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.

  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.

• 67b99bb: apply the tenant username policy in sign-in experience and account center username forms

  Usernames entered during sign-up, profile fulfillment, and account center editing are validated against the tenant username policy with localized inline errors. The dedicated username pages (continue flow and account center) state the policy requirements in their page description, and the sign-up identifier form surfaces the full requirements sentence when an entered username violates the policy.

Patch Changes

• 72820ac: prevent theme flash in sign-in experience and account center

  Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.

@logto/integration-tests@1.22.0

Minor Changes

• d41082b: add app-level access control for applications

  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.

  Supported custom control rules include:

  • User IDs
  • User roles
  • Organizations
  • Organization roles

  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control

Patch Changes

• 9847dfd: fix one-time token consent handling for switch-account sign-in flows

[github-actions]

COMPARE TO master

Total Size Diff ⚠️ 📈 +31.44 KB

Diff by File

Name	Diff
.changeset/add-smtp2go-email-connector.md	📈 +330 Bytes
.changeset/curly-bikes-travel.md	📈 +141 Bytes
.changeset/escape-saml-auto-submit-form.md	📈 +942 Bytes
.changeset/fix-console-username-update-401.md	📈 +383 Bytes
.changeset/fix-custom-css-flash.md	📈 +653 Bytes
.changeset/fix-sentinel-count-string.md	📈 +486 Bytes
.changeset/idempotent-application-roles.md	📈 +378 Bytes
.changeset/jwt-customizer-organization-context.md	📈 +925 Bytes
.changeset/message-send-rate-limit.md	📈 +727 Bytes
.changeset/moody-wasps-shout.md	📈 +103 Bytes
.changeset/new-cobras-perform.md	📈 +803 Bytes
.changeset/one-time-token-consent-guard.md	📈 +133 Bytes
.changeset/reject-null-bytes-in-oidc-request-body.md	📈 +677 Bytes
.changeset/release-account-center-session-management.md	📈 +227 Bytes
.changeset/release-account-profile-features.md	📈 +452 Bytes
.changeset/release-passkey-account-center-access-control.md	📈 +338 Bytes
.changeset/release-password-expiration.md	📈 +1.48 KB
.changeset/release-theme-flash-fix.md	📈 +342 Bytes
.changeset/social-link-without-legacy-verification.md	📈 +172 Bytes
.changeset/support-passkey-mfa-native.md	📈 +334 Bytes
.changeset/url-regex-no-lookbehind.md	📈 +537 Bytes
.changeset/username-policy-client.md	📈 +585 Bytes
.changeset/username-policy-console.md	📈 +482 Bytes
.changeset/username-policy-core-kit.md	📈 +98 Bytes
.changeset/username-policy-core.md	📈 +1.54 KB
.changeset/username-policy-validator.md	📈 +73 Bytes
.changeset/verification-code-policy.md	📈 +244 Bytes
packages/account/CHANGELOG.md	📈 +1.62 KB
packages/account/package.json	0 Bytes
packages/api/CHANGELOG.md	📈 +11 Bytes
packages/api/package.json	0 Bytes
packages/cli/CHANGELOG.md	📈 +526 Bytes
packages/cli/package.json	0 Bytes
packages/connectors/connector-alipay-native/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-alipay-native/package.json	0 Bytes
packages/connectors/connector-alipay-web/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-alipay-web/package.json	0 Bytes
packages/connectors/connector-aliyun-dm/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-aliyun-dm/package.json	0 Bytes
packages/connectors/connector-aliyun-sms-mas/CHANGELOG.md	📈 +190 Bytes
packages/connectors/connector-aliyun-sms-mas/package.json	0 Bytes
packages/connectors/connector-aliyun-sms/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-aliyun-sms/package.json	0 Bytes
packages/connectors/connector-amazon/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-amazon/package.json	0 Bytes
packages/connectors/connector-apple/CHANGELOG.md	📈 +190 Bytes
packages/connectors/connector-apple/package.json	0 Bytes
packages/connectors/connector-aws-ses/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-aws-ses/package.json	0 Bytes
packages/connectors/connector-azuread/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-azuread/package.json	0 Bytes
packages/connectors/connector-dingtalk-web/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-dingtalk-web/package.json	0 Bytes
packages/connectors/connector-discord/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-discord/package.json	0 Bytes
packages/connectors/connector-facebook/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-facebook/package.json	0 Bytes
packages/connectors/connector-feishu-web/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-feishu-web/package.json	0 Bytes
packages/connectors/connector-gatewayapi-sms/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-gatewayapi-sms/package.json	0 Bytes
packages/connectors/connector-github/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-github/package.json	0 Bytes
packages/connectors/connector-gitlab/CHANGELOG.md	📈 +223 Bytes
packages/connectors/connector-gitlab/package.json	0 Bytes
packages/connectors/connector-google/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-google/package.json	0 Bytes
packages/connectors/connector-http-email/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-http-email/package.json	0 Bytes
packages/connectors/connector-huggingface/CHANGELOG.md	📈 +164 Bytes
packages/connectors/connector-huggingface/package.json	0 Bytes
packages/connectors/connector-kakao/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-kakao/package.json	0 Bytes
packages/connectors/connector-kook/CHANGELOG.md	📈 +164 Bytes
packages/connectors/connector-kook/package.json	0 Bytes
packages/connectors/connector-line/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-line/package.json	0 Bytes
packages/connectors/connector-linkedin/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-linkedin/package.json	0 Bytes
packages/connectors/connector-logto-email/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-logto-email/package.json	0 Bytes
packages/connectors/connector-logto-social-demo/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-logto-social-demo/package.json	0 Bytes
packages/connectors/connector-mailgun/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-mailgun/package.json	0 Bytes
packages/connectors/connector-mailjunky/CHANGELOG.md	📈 +362 Bytes
packages/connectors/connector-mailjunky/package.json	0 Bytes
packages/connectors/connector-mock-email-alternative/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-mock-email-alternative/package.json	0 Bytes
packages/connectors/connector-mock-email/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-mock-email/package.json	0 Bytes
packages/connectors/connector-mock-sms/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-mock-sms/package.json	0 Bytes
packages/connectors/connector-mock-social/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-mock-social/package.json	0 Bytes
packages/connectors/connector-naver/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-naver/package.json	0 Bytes
packages/connectors/connector-oauth2/CHANGELOG.md	📈 +190 Bytes
packages/connectors/connector-oauth2/package.json	0 Bytes
packages/connectors/connector-oidc/CHANGELOG.md	📈 +223 Bytes
packages/connectors/connector-oidc/package.json	0 Bytes
packages/connectors/connector-patreon/CHANGELOG.md	📈 +164 Bytes
packages/connectors/connector-patreon/package.json	0 Bytes
packages/connectors/connector-postmark/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-postmark/package.json	0 Bytes
packages/connectors/connector-qq/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-qq/package.json	0 Bytes
packages/connectors/connector-saml/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-saml/package.json	0 Bytes
packages/connectors/connector-sendgrid-email/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-sendgrid-email/package.json	0 Bytes
packages/connectors/connector-slack/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-slack/package.json	0 Bytes
packages/connectors/connector-smsaero/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-smsaero/package.json	0 Bytes
packages/connectors/connector-smsbao-sms/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-smsbao-sms/package.json	0 Bytes
packages/connectors/connector-smtp/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-smtp/package.json	0 Bytes
packages/connectors/connector-smtp2go-email/CHANGELOG.md	📈 +414 Bytes
packages/connectors/connector-smtp2go-email/package.json	0 Bytes
packages/connectors/connector-tencent-sms/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-tencent-sms/package.json	0 Bytes
packages/connectors/connector-twilio-sms/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-twilio-sms/package.json	0 Bytes
packages/connectors/connector-vonage-sms/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-vonage-sms/package.json	0 Bytes
packages/connectors/connector-wechat-native/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-wechat-native/package.json	0 Bytes
packages/connectors/connector-wechat-web/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-wechat-web/package.json	0 Bytes
packages/connectors/connector-wecom/CHANGELOG.md	📈 +190 Bytes
packages/connectors/connector-wecom/package.json	0 Bytes
packages/connectors/connector-whatsapp/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-whatsapp/package.json	0 Bytes
packages/connectors/connector-x/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-x/package.json	0 Bytes
packages/connectors/connector-xiaomi/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-xiaomi/package.json	0 Bytes
packages/connectors/connector-yunpian-sms/CHANGELOG.md	📈 +131 Bytes
packages/connectors/connector-yunpian-sms/package.json	0 Bytes
packages/console/CHANGELOG.md	📈 +5.6 KB
packages/console/package.json	0 Bytes
packages/core/CHANGELOG.md	⚠️ 📈 +10.46 KB
packages/core/package.json	0 Bytes
packages/create/CHANGELOG.md	📈 +51 Bytes
packages/create/package.json	0 Bytes
packages/experience/CHANGELOG.md	📈 +2.75 KB
packages/experience/package.json	0 Bytes
packages/integration-tests/CHANGELOG.md	📈 +765 Bytes
packages/integration-tests/package.json	0 Bytes
packages/phrases-experience/CHANGELOG.md	📈 +2.6 KB
packages/phrases-experience/package.json	0 Bytes
packages/phrases/CHANGELOG.md	📈 +2.83 KB
packages/phrases/package.json	0 Bytes
packages/schemas/CHANGELOG.md	📈 +5.93 KB
packages/schemas/alterations/1.41.0-1779864280-add-password-expiration-policy.ts	📈 +628 Bytes
packages/schemas/alterations/1.41.0-1779864281-add-is-password-expired-to-users.ts	📈 +454 Bytes
packages/schemas/alterations/1.41.0-1780358400-drop-oidc-model-instances-legacy-grant-id-index.ts	📈 +767 Bytes
packages/schemas/alterations/1.41.0-1780381219-add-username-policy.ts	📈 +1.21 KB
packages/schemas/alterations/1.41.0-1780643665-set-sign-up-profile-fields-default.ts	📈 +513 Bytes
packages/schemas/alterations/1.41.0-1780906060-add-verification-code-policy.ts	📈 +528 Bytes
packages/schemas/alterations/1.41.0-1781689400-add-sentinel-activities-created-at-index.ts	📈 +696 Bytes
packages/schemas/alterations/1.41.0-1782354362-set-admin-account-center-profile-fields.ts	📈 +755 Bytes
packages/schemas/alterations/1.41.0-1782375106-cover-service-logs-tenant-type-index-with-created-at.ts	📈 +1.32 KB
packages/schemas/alterations/next-1779864280-add-password-expiration-policy.ts	📈 +628 Bytes
packages/schemas/alterations/next-1779864281-add-is-password-expired-to-users.ts	📈 +454 Bytes
packages/schemas/alterations/next-1780358400-drop-oidc-model-instances-legacy-grant-id-index.ts	📈 +767 Bytes
packages/schemas/alterations/next-1780381219-add-username-policy.ts	📈 +1.21 KB
packages/schemas/alterations/next-1780643665-set-sign-up-profile-fields-default.ts	📈 +513 Bytes
packages/schemas/alterations/next-1780906060-add-verification-code-policy.ts	📈 +528 Bytes
packages/schemas/alterations/next-1781689400-add-sentinel-activities-created-at-index.ts	📈 +696 Bytes
packages/schemas/alterations/next-1782354362-set-admin-account-center-profile-fields.ts	📈 +755 Bytes
packages/schemas/alterations/next-1782375106-cover-service-logs-tenant-type-index-with-created-at.ts	📈 +1.32 KB
packages/schemas/package.json	0 Bytes
packages/shared/CHANGELOG.md	📈 +1.51 KB
packages/shared/package.json	0 Bytes
packages/toolkit/connector-kit/CHANGELOG.md	📈 +793 Bytes
packages/toolkit/connector-kit/package.json	0 Bytes
packages/toolkit/core-kit/CHANGELOG.md	📈 +239 Bytes
packages/toolkit/core-kit/package.json	0 Bytes
packages/translate/CHANGELOG.md	📈 +462 Bytes
packages/translate/package.json	0 Bytes
packages/tunnel/CHANGELOG.md	📈 +186 Bytes
packages/tunnel/package.json	0 Bytes
pnpm-lock.yaml	📈 +613 Bytes

[Copilot]

Pull request overview

Automated Changesets release PR that bumps the fixed core release group (@logto/core, @logto/api, @logto/cli, @logto/create, @logto/schemas) from 1.40.1 to 1.41.0, consuming the idempotent-application-roles changeset.

Changes:

• Bump version of all 5 fixed-group packages to 1.41.0 and update internal @logto/create → @logto/cli workspace specifier.
• Append 1.41.0 entries to each package's CHANGELOG.md, with the minor release note attached to @logto/core.
• Remove the consumed .changeset/idempotent-application-roles.md.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pnpm-lock.yaml	Updates @logto/create's @logto/cli workspace specifier to ^1.41.0.
packages/schemas/package.json	Version bump to 1.41.0.
packages/schemas/CHANGELOG.md	Adds 1.41.0 heading.
packages/create/package.json	Version bump and internal dep bump to ^1.41.0.
packages/create/CHANGELOG.md	Adds 1.41.0 patch entry.
packages/core/package.json	Version bump to 1.41.0.
packages/core/CHANGELOG.md	Adds minor changelog for idempotent application-roles change.
packages/cli/package.json	Version bump to 1.41.0.
packages/cli/CHANGELOG.md	Adds 1.41.0 patch entry.
packages/api/package.json	Version bump to 1.41.0.
packages/api/CHANGELOG.md	Adds 1.41.0 heading.
.changeset/idempotent-application-roles.md	Removes consumed changeset.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 15 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

[Copilot]

Pull request overview

Copilot reviewed 157 out of 164 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 157 out of 164 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 157 out of 164 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 158 out of 165 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 158 out of 165 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 160 out of 167 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 160 out of 167 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 168 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 168 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 168 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 168 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 169 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 169 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 169 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 169 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 161 out of 169 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 162 out of 170 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 162 out of 170 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 164 out of 172 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 165 out of 173 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 165 out of 173 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 165 out of 173 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 165 out of 173 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 165 out of 174 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 166 out of 175 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 166 out of 175 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 166 out of 175 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 167 out of 177 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file

[Copilot]

Pull request overview

Copilot reviewed 167 out of 177 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Generated file