release: version packages #8454

Open
silverhand-bot wants to merge 1 commit into master from changeset-release/master

@silverhand-bot silverhand-bot commented Mar 10, 2026

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or set up this action to publish automatically. If you're not ready to do a release yet, that's fine; whenever you add more changesets to master, this PR will be updated.

Releases

@logto/core-kit@2.8.0

Minor Changes

  • 74c993a: introduce new UserScope.Sessions scope

    This change introduces a new urn:logto:scope:sessions user scope to the Logto system.

    This new scope does not issue any additional user claims, but serves as a permission marker for accessing session-related endpoints in the user account API. By including this scope in the user's permissions, applications can enable features such as session management and session revocation for that user.

@logto/cli@1.38.0

Patch Changes

  • Updated dependencies [74c993a]
    • @logto/core-kit@2.8.0
    • @logto/schemas@1.38.0

@logto/connector-twilio-sms@1.4.2

Patch Changes

  • 9041f6e: fix twilio sms To formatting by normalizing non-E.164 numbers to include a leading +.

@logto/create@1.38.0

Patch Changes

  • @logto/cli@1.38.0

@logto/phrases-experience@1.12.3

Patch Changes

  • Updated dependencies [74c993a]
    • @logto/core-kit@2.8.0

@logto/schemas@1.38.0

Patch Changes

  • Updated dependencies [74c993a]
    • @logto/core-kit@2.8.0
    • @logto/phrases-experience@1.12.3

@logto/translate@0.2.11

Patch Changes

  • Updated dependencies [74c993a]
    • @logto/core-kit@2.8.0
    • @logto/phrases-experience@1.12.3

@logto/tunnel@0.3.6

Patch Changes

  • Updated dependencies [74c993a]
    • @logto/core-kit@2.8.0

@logto/api@1.38.0

@logto/account@0.3.0

Minor Changes

  • 4ab0497: support overriding the out-of-the-box account center language with the ui_locales URL parameter.

@logto/console@1.35.0

Minor Changes

  • a023a97: add a new MFA onboarding page for users to explicitly enable optional MFA

    For users who are not required to set up MFA, we added a new page after credential verification in the sign-in flow to explicitly ask whether they want to enable optional MFA for better account security.

    This is especially important when the passkey sign-in feature is available, since passkeys can be used for both sign-in and MFA verification, and users who set up a passkey for sign-in might not want to enable it as an MFA factor at the same time.

  • a023a97: support passkey sign-in authentication method

    Summary

    Passkey sign-in provides a faster, passwordless sign-in experience that reduces friction for end users and helps improve account security. It removes repeated password entry for returning users, works with platform authenticators users already trust (for example Face ID, Touch ID, Windows Hello), and offers a smoother path from account creation to subsequent sign-ins.

    Bind passkey for sign-in

    After passkey sign-in is enabled, new users are prompted to bind a passkey during registration. Existing users who have not bound a passkey (WebAuthn) factor yet can be guided to bind one in a later sign-in flow. If a user already has a WebAuthn credential from MFA setup, that credential can be reused directly for passkey sign-in without requiring another registration step.

    Various sign-in flows to support different user journeys and preferences

    1. Passkey sign-in button: When Show passkey sign-in button is enabled, users can click Continue with passkey on the sign-in page to immediately trigger the browser passkey chooser and complete sign-in.
    2. Identifier-first flow (button hidden): When Show passkey sign-in button is disabled, sign-in follows an identifier-first flow. Users first enter an identifier (for example email or username) on the first screen. On the next step, the flow prioritizes passkey and prompts users to Verify via passkey before falling back to password or verification code when needed.
    3. Allow autofill: When Allow autofill is enabled, supported browsers can show passkey suggestions directly from the identifier input on the sign-in page. Users can select a previously saved passkey from the autofill popup and sign in with minimal extra input.

    Check out our documentation for more details.

  • 74c993a: introduce user session management in Console.

    Account center settings:

    • Added a new session permission control for account API access, with off, readOnly, and edit options.

    User sessions page:

    • Added an Active sessions section on the user details page, listing the user's active sessions.
    • Allow navigation to session details from the Manage button or a session entry.

    User session details page:

    • Added a session details page with a revoke action in the top bar.
    • Revoking the session removes the sign-in session and revokes associated first-party app grants.
    • Previously issued opaque access tokens and refresh tokens for those apps become invalid, and new auth requests require reauthentication.

@logto/core@1.38.0

Minor Changes

  • a023a97: add a new MFA onboarding page for users to explicitly enable optional MFA

    For users who are not required to set up MFA, we added a new page after credential verification in the sign-in flow to explicitly ask whether they want to enable optional MFA for better account security.

    This is especially important when the passkey sign-in feature is available, since passkeys can be used for both sign-in and MFA verification, and users who set up a passkey for sign-in might not want to enable it as an MFA factor at the same time.

  • 6dbafe5: support access token exchange for service-to-service delegation

    The standard subject_token_type value urn:ietf:params:oauth:token-type:access_token now supports access token exchange. This allows services to exchange access tokens (both opaque and JWT formats) issued by Logto for new access tokens with different audiences, enabling service-to-service delegation scenarios.

    Token validation order:

    1. If token starts with sub_ prefix, treat as legacy impersonation token (backward compatibility)
    2. Try to find as opaque access token via oidc-provider
    3. Fallback to JWT verification using the issuer's JWK set

    Access tokens are not consumption-tracked, allowing the same token to be exchanged multiple times (e.g., by different services).

    Additionally, a new urn:logto:token-type:impersonation_token type has been added for explicit impersonation token handling.

  • a023a97: support passkey sign-in authentication method

    Summary

    Passkey sign-in provides a faster, passwordless sign-in experience that reduces friction for end users and helps improve account security. It removes repeated password entry for returning users, works with platform authenticators users already trust (for example Face ID, Touch ID, Windows Hello), and offers a smoother path from account creation to subsequent sign-ins.

    Bind passkey for sign-in

    After passkey sign-in is enabled, new users are prompted to bind a passkey during registration. Existing users who have not bound a passkey (WebAuthn) factor yet can be guided to bind one in a later sign-in flow. If a user already has a WebAuthn credential from MFA setup, that credential can be reused directly for passkey sign-in without requiring another registration step.

    Various sign-in flows to support different user journeys and preferences

    1. Passkey sign-in button: When Show passkey sign-in button is enabled, users can click Continue with passkey on the sign-in page to immediately trigger the browser passkey chooser and complete sign-in.
    2. Identifier-first flow (button hidden): When Show passkey sign-in button is disabled, sign-in follows an identifier-first flow. Users first enter an identifier (for example email or username) on the first screen. On the next step, the flow prioritizes passkey and prompts users to Verify via passkey before falling back to password or verification code when needed.
    3. Allow autofill: When Allow autofill is enabled, supported browsers can show passkey suggestions directly from the identifier input on the sign-in page. Users can select a previously saved passkey from the autofill popup and sign in with minimal extra input.

    Check out our documentation for more details.

  • 74c993a: introduce session management endpoints for account and management APIs, with optional grants revocation and richer session context.

    Account APIs:

    • List active user sessions: GET /my-account/sessions.
    • Revoke a user session by ID: DELETE /my-account/sessions/:sessionId.
      • Optional query param revokeGrantsTarget: all revokes grants for all apps; firstParty revokes only first-party app grants.
      • When grants are revoked, previously issued opaque access tokens and refresh tokens for those grants will be invalidated.
    • Add a new account center permission setting session with off, readOnly, and edit to control access to the session management account APIs.
    • These endpoints are also gated by the urn:logto:scope:sessions user scope (UserScope.Sessions). Only tokens with this scope granted can access these endpoints.

    Management APIs:

    • List active user sessions: GET /users/:userId/sessions.
    • Get a single active user session: GET /users/:userId/sessions/:sessionId.
    • Revoke a user session by ID: DELETE /users/:userId/sessions/:sessionId.
      • Optional query param revokeGrantsTarget: all revokes grants for all apps; firstParty revokes only first-party app grants.
      • When grants are revoked, previously issued opaque access tokens and refresh tokens for those grants will be invalidated.

    Session context:

    • Record user IP, user agent, and GEO location (when available from injected-headers) in interaction submission data so it can be returned in session.lastSubmission.

Patch Changes

  • 413c602: support hex:-prefixed PBKDF2 salt values in legacy password verification during user import
  • Updated dependencies [74c993a]
  • Updated dependencies [a023a97]
  • Updated dependencies [4ab0497]
  • Updated dependencies [a023a97]
  • Updated dependencies [74c993a]
    • @logto/core-kit@2.8.0
    • @logto/experience@1.19.0
    • @logto/console@1.35.0
    • @logto/account@0.3.0
    • @logto/cli@1.38.0
    • @logto/demo-app@1.5.0
    • @logto/device-demo-app@0.1.0
    • @logto/phrases-experience@1.12.3
    • @logto/schemas@1.38.0

@logto/experience@1.19.0

Minor Changes

  • a023a97: add a new MFA onboarding page for users to explicitly enable optional MFA

    For users who are not required to set up MFA, we added a new page after credential verification in the sign-in flow to explicitly ask whether they want to enable optional MFA for better account security.

    This is especially important when the passkey sign-in feature is available, since passkeys can be used for both sign-in and MFA verification, and users who set up a passkey for sign-in might not want to enable it as an MFA factor at the same time.

  • a023a97: support passkey sign-in authentication method

    Summary

    Passkey sign-in provides a faster, passwordless sign-in experience that reduces friction for end users and helps improve account security. It removes repeated password entry for returning users, works with platform authenticators users already trust (for example Face ID, Touch ID, Windows Hello), and offers a smoother path from account creation to subsequent sign-ins.

    Bind passkey for sign-in

    After passkey sign-in is enabled, new users are prompted to bind a passkey during registration. Existing users who have not bound a passkey (WebAuthn) factor yet can be guided to bind one in a later sign-in flow. If a user already has a WebAuthn credential from MFA setup, that credential can be reused directly for passkey sign-in without requiring another registration step.

    Various sign-in flows to support different user journeys and preferences

    1. Passkey sign-in button: When Show passkey sign-in button is enabled, users can click Continue with passkey on the sign-in page to immediately trigger the browser passkey chooser and complete sign-in.
    2. Identifier-first flow (button hidden): When Show passkey sign-in button is disabled, sign-in follows an identifier-first flow. Users first enter an identifier (for example email or username) on the first screen. On the next step, the flow prioritizes passkey and prompts users to Verify via passkey before falling back to password or verification code when needed.
    3. Allow autofill: When Allow autofill is enabled, supported browsers can show passkey suggestions directly from the identifier input on the sign-in page. Users can select a previously saved passkey from the autofill popup and sign in with minimal extra input.

    Check out our documentation for more details.

@logto/integration-tests@1.20.0

Minor Changes

  • a023a97: add a new MFA onboarding page for users to explicitly enable optional MFA

    For users who are not required to set up MFA, we added a new page after credential verification in the sign-in flow to explicitly ask whether they want to enable optional MFA for better account security.

    This is especially important when the passkey sign-in feature is available, since passkeys can be used for both sign-in and MFA verification, and users who set up a passkey for sign-in might not want to enable it as an MFA factor at the same time.

  • a023a97: support passkey sign-in authentication method

    Summary

    Passkey sign-in provides a faster, passwordless sign-in experience that reduces friction for end users and helps improve account security. It removes repeated password entry for returning users, works with platform authenticators users already trust (for example Face ID, Touch ID, Windows Hello), and offers a smoother path from account creation to subsequent sign-ins.

    Bind passkey for sign-in

    After passkey sign-in is enabled, new users are prompted to bind a passkey during registration. Existing users who have not bound a passkey (WebAuthn) factor yet can be guided to bind one in a later sign-in flow. If a user already has a WebAuthn credential from MFA setup, that credential can be reused directly for passkey sign-in without requiring another registration step.

    Various sign-in flows to support different user journeys and preferences

    1. Passkey sign-in button: When Show passkey sign-in button is enabled, users can click Continue with passkey on the sign-in page to immediately trigger the browser passkey chooser and complete sign-in.
    2. Identifier-first flow (button hidden): When Show passkey sign-in button is disabled, sign-in follows an identifier-first flow. Users first enter an identifier (for example email or username) on the first screen. On the next step, the flow prioritizes passkey and prompts users to Verify via passkey before falling back to password or verification code when needed.
    3. Allow autofill: When Allow autofill is enabled, supported browsers can show passkey suggestions directly from the identifier input on the sign-in page. Users can select a previously saved passkey from the autofill popup and sign in with minimal extra input.

    Check out our documentation for more details.
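
The token validation order listed in the @logto/core notes for access token exchange, as an added example (not Logto's own code). The issuer URL, the `k1` key id, the ES256 algorithm, the in-memory opaque token map and all function names are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const nowSec = () => Math.floor(Date.now() / 1000);

// Constructed issuer: one ES256 key pair published as a one-key JWK set.
const ISSUER = 'https://issuer.example/oidc';
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'k1' }] };

// Constructed stand-in for the provider's opaque access token storage.
const opaqueTokens = new Map([['opaque-abc', { sub: 'user_1', exp: nowSec() + 600 }]]);

// Sample-data helper: mint a compact JWS the way the constructed issuer would.
function signJwt(claims, key = privateKey, header = { alg: 'ES256', kid: 'k1' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Step 3: verify a JWT access token against the issuer's JWK set.
function verifyJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  const header = decode(parts[0]);
  // Pin the algorithm so the token cannot choose it (rejects "none" and HMAC headers).
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((key) => key.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const ok = nodeCrypto.verify(
    'sha256',
    Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' }), dsaEncoding: 'ieee-p1363' },
    Buffer.from(parts[2], 'base64url')
  );
  if (!ok) throw new Error('bad signature');
  const claims = decode(parts[1]);
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec()) throw new Error('expired');
  return claims;
}

// Resolve a subject_token in the order the release note lists.
function resolveSubjectToken(token) {
  // 1. Legacy impersonation tokens are recognised by their sub_ prefix.
  if (token.startsWith('sub_')) return { kind: 'legacy-impersonation' };
  // 2. Opaque access token lookup; a hit is final here, even when expired (assumption).
  const record = opaqueTokens.get(token);
  if (record) {
    if (record.exp <= nowSec()) throw new Error('expired');
    return { kind: 'opaque', sub: record.sub };
  }
  // 3. Fallback: JWT verification against the JWK set.
  return { kind: 'jwt', sub: verifyJwt(token).sub };
}
```

Because nothing marks a token as consumed, resolving the same access token twice succeeds both times, which matches the note that access tokens are not consumption-tracked.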

github-actions bot commented Mar 10, 2026

COMPARE TO master

Total Size Diff 📈 +9.6 KB

Diff by File
Name Diff
.changeset/fluffy-dancers-sing.md 📈 +471 Bytes
.changeset/friendly-crews-ring.md 📈 +643 Bytes
.changeset/gold-sloths-hope.md 📈 +130 Bytes
.changeset/kind-eels-march.md 📈 +907 Bytes
.changeset/soft-ways-switch.md 📈 +1.96 KB
.changeset/spotty-bobcats-guess.md 📈 +753 Bytes
.changeset/thin-squids-sit.md 📈 +136 Bytes
.changeset/tidy-bananas-jog.md 📈 +124 Bytes
.changeset/two-steaks-invite.md 📈 +1.52 KB
packages/account/CHANGELOG.md 📈 +141 Bytes
packages/account/package.json 0 Bytes
packages/api/CHANGELOG.md 📈 +11 Bytes
packages/api/package.json 0 Bytes
packages/cli/CHANGELOG.md 📈 +119 Bytes
packages/cli/package.json 0 Bytes
packages/connectors/connector-twilio-sms/CHANGELOG.md 📈 +134 Bytes
packages/connectors/connector-twilio-sms/package.json 0 Bytes
packages/console/CHANGELOG.md 📈 +3.17 KB
packages/console/package.json 0 Bytes
packages/core/CHANGELOG.md 📈 +5.4 KB
packages/core/package.json 0 Bytes
packages/create/CHANGELOG.md 📈 +51 Bytes
packages/create/package.json 0 Bytes
packages/experience/CHANGELOG.md 📈 +2.44 KB
packages/experience/package.json 0 Bytes
packages/integration-tests/CHANGELOG.md 📈 +2.44 KB
packages/integration-tests/package.json 0 Bytes
packages/phrases-experience/CHANGELOG.md 📈 +93 Bytes
packages/phrases-experience/package.json 0 Bytes
packages/schemas/CHANGELOG.md 📈 +130 Bytes
packages/schemas/alterations/1.38.0-1772615848-add-oidc-model-instances-grant-id-partial-index.ts 📈 +793 Bytes
packages/schemas/alterations/1.38.0-1772619963-tune-oidc-model-instances-autovacuum.ts 📈 +758 Bytes
packages/schemas/alterations/next-1772615848-add-oidc-model-instances-grant-id-partial-index.ts 📈 +793 Bytes
packages/schemas/alterations/next-1772619963-tune-oidc-model-instances-autovacuum.ts 📈 +758 Bytes
packages/schemas/package.json 0 Bytes
packages/toolkit/core-kit/CHANGELOG.md 📈 +485 Bytes
packages/toolkit/core-kit/package.json 0 Bytes
packages/translate/CHANGELOG.md 📈 +130 Bytes
packages/translate/package.json 0 Bytes
packages/tunnel/CHANGELOG.md 📈 +92 Bytes
packages/tunnel/package.json 0 Bytes
pnpm-lock.yaml 📈 +1.36 KB

@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch 2 times, most recently from da024ec to 28fb5f5 Compare March 10, 2026 05:35
@github-actions github-actions bot added size/s and removed size/s labels Mar 10, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 28fb5f5 to 783544e Compare March 10, 2026 05:53
@github-actions github-actions bot added size/s and removed size/s labels Mar 10, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 783544e to 5de51e9 Compare March 10, 2026 05:53
@github-actions github-actions bot added size/s and removed size/s labels Mar 10, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 5de51e9 to 2cc344b Compare March 10, 2026 07:50
@github-actions github-actions bot added size/s and removed size/s labels Mar 10, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 2cc344b to e695b85 Compare March 10, 2026 09:30
@github-actions github-actions bot added size/s and removed size/s labels Mar 10, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from e695b85 to 833188f Compare March 11, 2026 07:48
@github-actions github-actions bot added size/s and removed size/s labels Mar 11, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 833188f to 7e2a939 Compare March 11, 2026 08:13
@github-actions github-actions bot added size/s and removed size/s labels Mar 11, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 7e2a939 to d18979b Compare March 11, 2026 12:33
@github-actions github-actions bot removed the size/s label Mar 11, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from d18979b to 054a186 Compare March 11, 2026 12:33
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 6f4593b to 960476e Compare March 11, 2026 15:32
@github-actions github-actions bot added size/s and removed size/s labels Mar 11, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 960476e to cf2e3c5 Compare March 12, 2026 06:24
@github-actions github-actions bot added size/s and removed size/s labels Mar 12, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from cf2e3c5 to bd9668f Compare March 12, 2026 07:44
@github-actions github-actions bot added size/s and removed size/s labels Mar 12, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from bd9668f to 9509811 Compare March 12, 2026 08:16
@github-actions github-actions bot added size/s and removed size/s labels Mar 12, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 9509811 to 2168246 Compare March 12, 2026 10:39
@github-actions github-actions bot added size/s and removed size/s labels Mar 12, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 2168246 to afbbf55 Compare March 13, 2026 01:04
@github-actions github-actions bot added size/s and removed size/s labels Mar 13, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from afbbf55 to c2c2093 Compare March 13, 2026 03:08
@github-actions github-actions bot added size/s and removed size/s labels Mar 13, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from c2c2093 to 342c915 Compare March 13, 2026 04:53
@github-actions github-actions bot added size/s and removed size/s labels Mar 13, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from 342c915 to f92c9e2 Compare March 13, 2026 07:45
@github-actions github-actions bot added size/s and removed size/s labels Mar 13, 2026
@silverhand-bot silverhand-bot force-pushed the changeset-release/master branch from f92c9e2 to d72ebee Compare March 13, 2026 11:04
@github-actions github-actions bot removed the size/s label Mar 13, 2026