English

release
WebAuthn
Passkey
jwt

Logto product updates

🎉 Introducing our June release: Account API for Passkeys, access user interaction details in custom JWT, and more updates!

Sijie

Developer

6/27/2025less than a minute read

Stop wasting weeks on user auth

Launch secure apps faster with Logto. Integrate user auth in minutes, and focus on your core product.

Get started

Account API for WebAuthn (passkeys)

You can now manage WebAuthn passkeys in Account API, including:

Binding a WebAuthn passkey to the user's account through your website.
Manage the passkeys in the user's account.

We have implemented Related Origin Requests so that you can manage the WebAuthn passkeys on your website which has a different domain from the Logto's sign-in page.

To learn more, check out the documentation.

Access user interaction details in custom JWT

User interaction data is now accessible through the context.interaction when generating custom token claims:

Property	Description	Type
`interactionEvent`	The interaction event of the current user interaction	`SignIn` or `Register`
`userId`	The user id of the current user interaction	`string`
`verificationRecords`	A list of verification records submitted by the user to identify and verify their identity during interactions.	`VerificationRecord[]`

Example Use Case:

Read the verification records from the interaction context. If an Enterprise SSO verification record is present, include the corresponding user profile from the Enterprise SSO identities as additional token claims.

See custom token claims context for more details.

Improvements

Updated timestamp tracking for SSO: Added updated_at field to user_sso_identities table
Changed user password digest length to 256, supporting Legacy hashing algorithm such as SHA512
Mask TOTP secret from audit log
Support flexible size in Turnstile widget, allowing the widget to scale responsively and fill the available space.

Bug fixes

Fixed SAML application callback API to properly handle RelayState parameter in authentication responses
Made access_token optional for Azure OIDC SSO connector, previously, the Azure OIDC connector strictly required an access token in the token response, which caused issues with Azure B2C applications that only return ID tokens.
Fixed potential WebAuthn registration errors by specifying the displayName. For example, when using Chrome on Windows 11 with the "Use other devices" option (scanning QR code), an empty displayName will cause the registration to fail.
Fixed an issue where the payment page could not open in iOS Safari.

Account API for WebAuthn (passkeys)

You can now manage WebAuthn passkeys in Account API, including:

Binding a WebAuthn passkey to the user's account through your website.

Manage the passkeys in the user's account.

We have implemented Related Origin Requests so that you can manage the WebAuthn passkeys on your website which has a different domain from the Logto's sign-in page.

To learn more, check out the documentation.

Access user interaction details in custom JWT

User interaction data is now accessible through the context.interaction when generating custom token claims:

Property	Description	Type
`interactionEvent`	The interaction event of the current user interaction	`SignIn` or `Register`
`userId`	The user id of the current user interaction	`string`
`verificationRecords`	A list of verification records submitted by the user to identify and verify their identity during interactions.	`VerificationRecord[]`

Example Use Case:

Improvements

Updated timestamp tracking for SSO: Added updated_at field to user_sso_identities table

Changed user password digest length to 256, supporting Legacy hashing algorithm such as SHA512

Mask TOTP secret from audit log

Support flexible size in Turnstile widget, allowing the widget to scale responsively and fill the available space.

Bug fixes

Fixed SAML application callback API to properly handle RelayState parameter in authentication responses

Made access_token optional for Azure OIDC SSO connector, previously, the Azure OIDC connector strictly required an access token in the token response, which caused issues with Azure B2C applications that only return ID tokens.

Fixed potential WebAuthn registration errors by specifying the displayName. For example, when using Chrome on Windows 11 with the "Use other devices" option (scanning QR code), an empty displayName will cause the registration to fail.

Fixed an issue where the payment page could not open in iOS Safari.

Account API for WebAuthn (passkeys)#

Access user interaction details in custom JWT#

Improvements#

Bug fixes#

Account API for WebAuthn (passkeys)#

Access user interaction details in custom JWT#

Improvements#

Bug fixes#

Account API for WebAuthn (passkeys)

Access user interaction details in custom JWT

Improvements

Bug fixes

Account API for WebAuthn (passkeys)

Access user interaction details in custom JWT

Improvements

Bug fixes