
Logto product updates

Logto v1.35 is here. This release adds reCAPTCHA domain customization and checkbox mode for Enterprise, expands third-party app support to SPA and Native applications, and includes client IP tracking for passwordless connectors.

Yijun
Developer


We're excited to announce Logto v1.35.0, our December 2025 release! This update brings enhanced reCAPTCHA customization options, expanded support for third-party applications, and improved security features for passwordless authentication.

reCAPTCHA Gets More Flexible

Use reCAPTCHA Anywhere with Domain Customization

One of the most requested features has been the ability to use reCAPTCHA in regions where Google's default domain may be inaccessible. With v1.35.0, you can now customize the reCAPTCHA domain to use alternatives like recaptcha.net, ensuring your bot protection works seamlessly for users worldwide.

Choose Your Verification Style with Checkbox Mode

reCAPTCHA Enterprise users now have a choice between two verification modes:

  • Invisible mode: The default score-based verification that runs silently in the background, providing a frictionless user experience while still protecting against bots.

  • Checkbox mode: The classic "I'm not a robot" widget that many users are familiar with. This mode provides explicit user interaction and can be useful when you want users to consciously acknowledge the verification step.

Simply ensure your verification mode matches your reCAPTCHA key type configured in Google Cloud Console, and you're ready to go.

Third-party Apps: Now for SPA and Native Too

Previously, only traditional web applications could be designated as third-party apps in Logto. This release removes that limitation, allowing you to create third-party single-page applications (SPA) and native applications.

This enhancement opens up more flexible OAuth/OIDC integration scenarios, whether you're building a partner ecosystem, enabling third-party integrations, or managing multiple client applications with different trust levels.

Enhanced Security for Passwordless Authentication

Client IP Tracking

For organizations that need additional security controls around passwordless authentication, we've added client IP address tracking to the connector message payload. The SendMessageData type now includes an optional ip field that HTTP email and SMS connectors can utilize for:

  • Rate limiting: Prevent abuse by limiting requests from specific IP addresses
  • Fraud detection: Identify suspicious patterns based on IP geolocation or reputation
  • Audit logging: Maintain comprehensive logs for security compliance
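One way a service that receives these connector messages could use the new field for rate limiting, with a fallback for messages where the optional ip is absent. This is an added example, not Logto's code: only the ip field is named in this post, so the other message fields (to, type, payload), the limits and the reason strings are assumptions.

```javascript
// Added example, not Logto code. Only the optional `ip` field is named on this page;
// the other message fields, the limits and the reason strings are assumptions.
const WINDOW_MS = 60000; // sliding look-back window
const MAX_PER_IP = 3;    // verification messages allowed per client IP per window
const MAX_PER_TO = 5;    // per-recipient backstop, the only limit when `ip` is absent

function createLimiter(now = () => Date.now()) {
  const hits = new Map(); // key -> timestamps still inside the window

  function allow(key, max) {
    const t = now();
    const recent = (hits.get(key) || []).filter((ts) => t - ts < WINDOW_MS);
    const ok = recent.length < max;
    if (ok) recent.push(t); // refused attempts do not extend the block
    hits.set(key, recent);
    return ok;
  }

  // Decide whether one connector message may be sent; `reason` is meant for the audit log.
  return function check(message) {
    const ip = typeof message.ip === 'string' && message.ip.trim() !== '' ? message.ip.trim() : null;
    if (ip && !allow(`ip:${ip}`, MAX_PER_IP)) {
      return { allowed: false, reason: 'ip_rate_limited' };
    }
    if (!allow(`to:${message.to}`, MAX_PER_TO)) {
      return { allowed: false, reason: 'recipient_rate_limited' };
    }
    return { allowed: true, reason: ip ? 'ok' : 'ok_no_ip' };
  };
}

// Constructed sample traffic (documentation IP range, example.com recipients).
function runDemo() {
  let t = 0;
  const check = createLimiter(() => t);
  const msg = (to, ip) => ({ to, type: 'SignIn', payload: { code: '000000' }, ip });
  const reasons = [];
  for (const to of ['a@example.com', 'b@example.com', 'c@example.com', 'd@example.com']) {
    reasons.push(check(msg(to, '203.0.113.7')).reason); // 4th hit from one IP is refused
  }
  reasons.push(check(msg('e@example.com', undefined)).reason); // `ip` is optional and may be absent
  t += WINDOW_MS; // the window elapses
  reasons.push(check(msg('a@example.com', '203.0.113.7')).reason);
  return reasons;
}
```

The in-memory map only holds state for a single process and never evicts idle keys; a deployment with several instances would keep the counters in a shared store with expiry.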

Smarter Email/SMS Template Handling

We've improved the template fallback logic for email and SMS connectors. If a usage-specific template isn't found, the system now gracefully falls back to the generic template. This includes checking the generic template with the default locale when locale-specific templates are unavailable, ensuring your users always receive properly formatted messages.

Bug Fixes

SAML Integration Improvements

  • Extended relay state support: The relay state column now supports up to 512 characters (previously 256), fixing integration issues with service providers like Firebase that generate longer relay state values.
  • Better error messages: SAML authentication flow APIs now provide more straightforward error messages, making troubleshooting easier.

API Parameter Fix

Fixed a parameter naming issue in the SAML app creation API that could cause filter and paywall calculation errors.


Get Started

Ready to upgrade? Check out our upgrade guide for step-by-step instructions.

For the complete list of changes, see the GitHub release page.

Have questions or feedback? Join us on Discord or open an issue on GitHub.