v4.9.0

Added

• feat: Allow configuring transaction cookie maxAge #2245 (tusharpandey13)
• feat: Add flag to control parallel transactions #2244 (tusharpandey13)
• feat: add support for withApiAuthRequired helper #2230 (guabu)
• feat: add withPageAuthRequired for server #2207 (guabu)

Fixed

• bugfix: respect path configuration when deleting cookies #2250 (tusharpandey13)
• bugfix: Clear cookies with the correct path when basePath is used #2232 (tusharpandey13)
• bugfix: Fix clientAssertionSigningKey type mismatch #2243 (tusharpandey13)
• fix: correctly handle expired JWE's in cookies #2082 (frederikprijck)

Security

• chore: pin eslint-config-prettier and eslint-plugin-prettier versions to prevent malicious package installation #2239 (tusharpandey13)

v4.8.0

Added

• feat: Add alternate logout strategy #2203 (tusharpandey13)
• feat: add withPageAuthRequired for protecting pages client side #2193 (guabu)

Fixed

• Use max-age=0 to delete cookie #2200 (guabu)
• feat: update id_token when a new Access Token is fetched #2189 (tusharpandey13)

v4.7.0

Added

• feat: support basePath configuration #2167 (guabu)

Fixed

• fix: typo in warning message #2169 (J-Amberg)
• fix: handle authorization code grant request errors #2175 (guabu)
• fix: Properly configure SDK to be distributed as ESM #2171 (frederikprijck)
• fix: consistently treat returnTo parameter as an absolute path #2185 (guabu)

Changed

• Export filterDefaultIdTokenClaims and update beforeSessionSaved docs #2119 (frederikprijck)
• return a 204 from the profile endpoint when unauthenticated (opt-in) #2159 (guabu)
• remove unnecessary error logs #2179 (guabu)
• Bump msw from 2.7.5 to 2.9.0 #2139 (dependabot)
• Bump msw from 2.9.0 to 2.10.2 #2153 (dependabot)
• Bump oauth4webapi from 3.5.1 to 3.5.2 #2154 (dependabot)
• Bump oauth4webapi from 3.5.2 to 3.5.3 #2177 (dependabot)

v3.8.0

Full Changelog

Security

• Upgrade jose and openid-client to fix security vulnerabilities #2104
• refactor: use a single client assertion audience #2024

Changed

• Update JSDocs to mention idpLogout defaults to true #2083
• Update useUser example to use a tag instead of Link #2087
• Add storeIDToken to config params docs #2103

v4.6.1

Fixed

• Fixes CVE-2025-48947
• Fix Missing idToken during Session Migration from v3 to v4 #2116 #2120 (KentoMoriwaki)
• fix(session): prevent accidental deletion of legacy-named session cookie #2114 (nandan-bhat)
• fix(client): add type-safe return for getAccessToken #2115 (nandan-bhat)

v4.6.0

Added

• feature/conditionally update session handleAccessToken #2054 (tusharpandey13)
• Add missing support for legacy chunked cookies #2071 (tusharpandey13)

Changed

• Update middleware combination example to prevent unintended backend execution #2076 (tusharpandey13)
• Update deleteByLogoutToken arg type in EXAMPLES.md #2067 (ammubhave)

Fixed

• Usability upgrades to V4 Migration Guide #2095 (nandan-bhat)
• Bugfix: Add clockTolerance to cookie decryption #2097 (tusharpandey13)
• Fix stacking transaction cookies #2077 (tusharpandey13)

v4.5.1

Security

• fix: Ensure JWE expires as expected #2040 (frederikprijck)

v4.5.0

Added

• Extensive Cookie Configuration #2059 (tusharpandey13)
• Allow refresh: true in getAccessToken() #2055 (tusharpandey13)
• Allow SWR mutation in useUser hook #2045 (tusharpandey13)

Changed

• Update README regarding access-token endpoint #2044 (frederikprijck)

Fixed

• Update tests for getAccessToken refresh flow #2068 (tusharpandey13)
• fix: make configuration validation not throw #2034 (tusharpandey13)
• feat: ensure cookie path is configurable #2050 (frederikprijck)

v4.4.2

Revert

• revert: fix: Properly configure SDK to be distributed as ESM #2046 (frederikprijck)

Fixed

• fix: Add id_token_hint on logout #2041 (frederikprijck)

v4.4.1

Fixed

• fix: Properly configure SDK to be distributed as ESM #2028 (frederikprijck)
• Fix broken links in jsdocs #2031 (frederikprijck)
• fix: Throw ConfigurationError when invalid Auth0Client configuration #2026 (tusharpandey13)