Security
- fix for CVE-2025-69720
Internal improvements and maintenance updates.
Features
- Added email subaddress support for major providers: addresses like
user+tag@gmail.comare now accepted for supported domains - Added throwaway email blocking: signups from known disposable email providers are now automatically blocked
- Added custom blocked domains: app owners can define additional blocked email domains via the dashboard
- Throwaway email blocking is now off by default and can be enabled in your app settings
- The built-in list of blocked disposable email domains is now viewable in the dashboard
- Clarified that email blocking applies to email-based login only โ social and OAuth logins are not affected
- Fixed a security vulnerability in the login cleanup process
- Updated dependencies to address security vulnerabilities
Bug fixes
- Fixed login issues that could occur when connecting through certain third-party applications
- Updated dependencies to address security vulnerabilities
Internal improvements and maintenance updates.
Internal improvements and maintenance updates.
Improvements
- Token exchange configuration now allows HTTP URLs for localhost addresses during local development, following OAuth 2.0 best practices (RFC 8252)
- JWKS URI validation now enforces HTTPS-only for improved security, with an exception for localhost development
- Fixed an issue where user analytics profiles could become fragmented, improving the accuracy of user identification
- Updated dependencies to address known security vulnerabilities
- Updated framework dependencies to resolve published security advisories
Improvements
- Updated authentication dependencies to improve compatibility and security
- Fixed an issue where some users could encounter an unexpected error during login
Features
- Apps can now be configured to control access to specific OAuth scopes, giving administrators more granular permission management
- Authorization requests with unsupported scopes now return a clear error instead of silently ignoring them
- Reduced latency on repeated configuration lookups for faster authentication flows
Features
- Added programmatic account creation API, allowing apps to create Civic Auth accounts automatically via API
- Added token exchange configuration endpoints for programmatic app setup
- Added account selector to the dashboard header for users who belong to multiple accounts
- Improved authentication reliability and error handling
- Reduced performance overhead of application monitoring
- Fixed an issue where account creation could fail due to certain ID formats
- Fixed a navigation issue that caused incorrect URLs in the dashboard
Features
- Added support for MCP (Model Context Protocol) clients, enabling proper OAuth authorization for tools like Gemini CLI
- Fixed an error that could occur when MCP clients attempted to connect via OAuth authorization
Features
- Added support for
civic_accountandcivic_profileclaims in token exchange requests - When both legacy and new claim formats are present, the new
civic_*claims now take priority
Features
- Added support for
civic_accountandcivic_profileclaims in token exchange
Bug fixes
- Fixed an issue where custom logo uploads were not displaying correctly
- Fixed an issue preventing cleanup of previously uploaded files when replacing them
- Updated dependencies to address known vulnerabilities
Bug Fixes
- Fixed federated token exchange
subclaim to use the correct account identifier - Fixed federated token exchange userinfo endpoint to return proper OIDC claims
- Extracted standard OIDC claims (name, email, picture, etc.) from external tokens during federated token exchange
- Dependency upgrade to address a high-severity vulnerability
Improvements
- Internal infrastructure and analytics improvements
Improvements
- Next.js 16 compatibility updates
- Fixed SSR hydration mismatches in useUser hook and login app
- Fixed cross-origin SecurityError in MessageHandler logging
Security
- Security hardening and vulnerability fixes across the authentication infrastructure
Improvements
- Added support for
mcp:toolsscope in Dynamic Client Registration, enabling MCP tool authorization through the/regendpoint
- Addressed security vulnerabilities to improve platform safety
๐ Dynamic Client Registration support
Connect Civic auth to any AI server or MCP server with our new Dynamic Client Registration support. Perfect for modern, flexible authentication flows.๐ OAuth client-credentials flow
Now supporting the OAuth client-credentials flow for secure server-to-server authentication scenarios.โก Major session refresh improvements
The Civic Auth SDK brings significant API improvements with faster session refreshes. Sessions now refresh quickly on page load and automatically in the background when users navigate back to protected pages.๐จ Enhanced UserButton UI
Improved the UserButton component with better visual design and user experience.
๐ Token exchange (RFC 8693)
Exchange one access token for another with different permissions or audience. Perfect for delegating access between services while maintaining security.๐ Enhanced cross-origin security
Added COEP and CORP headers for better security and compatibility with modern web standards.
๐ Passkey login is here!
We now support passkey as a login method! After enabling passkey, you can prompt users to create a passkey to login to your site, making login faster and more secure. Say goodbye to passwords and hello to the future of authentication.
๐ Mix and match React with any backend
New React SDK feature lets you use React on the frontend with any backend technology. Whether youโre running Node.js, Python, Go, or something else entirely, our React components now work seamlessly with your existing auth setup.Perfect for teams that want Reactโs user experience with the flexibility to choose their backend stack.
โก Smarter auth middleware
Refactored authentication middleware with better utilities and improved token refresh prioritization. Sessions now handle cleanup and replenishment more reliably.๐ ๏ธ URL parameter cleanup
Fixed issues with code parameter handling and improved session cleanup processes. Login flows are now more robust across different scenarios.๐ง Enhanced session reliability
Better session management ensures users stay authenticated properly and reduces unexpected logouts during normal usage.
๐ Client secrets for the enterprise crowd
We kept hearing from enterprise customers that they needed client secrets for their confidential applications. So we built it. You can now choose PKCE + client secret for maximum security, or go with client secrets only if youโre working with legacy systems that need it.Check out our authentication flows guide to see how it works.๐ฑ Mobile login that actually works
Remember those tiny login buttons that were impossible to tap on mobile? Yeah, we fixed that. Login buttons now look good and load fast on phones. No more squinting at your screen trying to hit the right spot.๐ ๏ธ Vanilla JavaScript plays nice with everything
Our vanilla JavaScript integration now works smoothly with Express, Fastify, Hono, or whatever backend youโre running. Same simple code, any framework.๐ Bug fixes and improvements
Weโve been busy polishing the experience:
- Various login flow improvements
- Enhanced mobile display quality
- Better handling of edge cases across different auth methods
๐ฑ React Native support is here
Your React Native apps can now use Civic Auth. Works on both iOS and Android with solid performance.๐ฆ Pure JavaScript, no frameworks required
Want to integrate Civic Auth without any frameworks? Now you can. Plain JavaScript integration that just works.
๐ Speaking Spanish and German
Login screens now support Spanish and German with complete translations. Your international users will feel right at home.๐ธ Google profile pictures show up
Fixed the bug where Google profile pictures wouldnโt load. No more broken image icons.
๐ Billing dashboard shows real numbers
The billing dashboard was showing incorrect data. Charts now display accurate usage information.๐ฏ Fewer annoying banners
App banners now only appear for production applications, not during development. Less noise while youโre building.
โก One redirect, not three
Next.js apps were doing multiple redirects after login. Fixed it so thereโs just one clean redirect like there should be.
๐ Billing dashboard improvements
Usage charts now show the right data with clearer visuals. No more guessing what your actual usage is.
๐ก Find your plan info easily
Subscription details and usage limits are now easy to find. No more hunting through multiple screens.๐ Better custom domain support
Improved how the SDK handles custom URLs and domains. More reliable and flexible.
๐ Production setup works again
Fixed the errors that were happening when setting up production applications. Should be smooth sailing now.
๐จ Know before you hit the limit
Added dashboard and email alerts when youโre approaching your plan limits. No more surprise overages.