Logto product updates

Logto v1.34 is here. This release introduces isolated cross-app authentication, a new Identifier.Lockout webhook event, and fixes to ensure refresh tokens correctly honor the full 180-day TTL.

Simeng
Developer

Highlights

  • Cross-app authentication stability: Authentication callbacks are now isolated per application within the same browser session, eliminating interference caused by shared _interaction cookies.
  • New webhook event Identifier.Lockout: Triggered when a user is locked out after repeated failed sign-in attempts.
  • Improved refresh token reliability: Refresh tokens now correctly honor the configured 180-day TTL, resolving an issue where they previously expired after 14 days.

New features & enhancements

Cross-app authentication

Multiple applications can now initiate authentication in the same browser session without affecting each other.

  • The _interaction cookie now stores a structured mapping { [appId]: [interactionId] }.
  • appId is propagated via URL parameters or headers to maintain isolation.
  • Includes fallback logic for backward compatibility.
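The per-application lookup described above, as an added sketch that is not Logto's own code. It assumes the cookie value is serialized as JSON and that the legacy format is a bare interaction ID string; the function names and the fallback rule are hypothetical.

```javascript
// Added illustration, not Logto's implementation. Assumptions: the cookie value
// is JSON, and the legacy format is a bare interaction ID string.

// Parse the raw _interaction cookie value into a Map of appId -> interactionId.
function parseInteractionCookie(raw) {
  const map = new Map();
  if (!raw) return { map, legacy: undefined };
  try {
    const parsed = JSON.parse(raw);
    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
      for (const [appId, id] of Object.entries(parsed)) {
        // Ignore malformed entries instead of trusting them.
        if (typeof id === 'string' && id !== '') map.set(appId, id);
      }
      return { map, legacy: undefined };
    }
  } catch {
    // Not JSON: fall through and treat the value as a legacy interaction ID.
  }
  return { map, legacy: raw };
}

// Resolve the interaction for one application without ever returning
// another application's interaction ID.
function resolveInteractionId(raw, appId) {
  const { map, legacy } = parseInteractionCookie(raw);
  if (legacy !== undefined) return legacy; // cookie written before the upgrade
  if (appId) return map.get(appId); // isolated lookup, undefined if absent
  // No appId supplied (older client): only unambiguous when one flow exists.
  return map.size === 1 ? [...map.values()][0] : undefined;
}

// Return the new cookie value after starting an interaction for appId,
// keeping the entries of other applications intact.
function setInteraction(raw, appId, interactionId) {
  const { map } = parseInteractionCookie(raw);
  map.set(appId, interactionId);
  return JSON.stringify(Object.fromEntries(map));
}

// Constructed sample: two apps start sign-in within the same browser session.
let cookie = setInteraction(undefined, 'app-a', 'interaction-1');
cookie = setInteraction(cookie, 'app-b', 'interaction-2');
console.log(cookie, resolveInteractionId(cookie, 'app-a'));
```

When the appId is missing and more than one flow is in progress, this sketch returns nothing rather than guessing, so a callback can never be bound to another application's interaction.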

Webhooks

New webhook event: Identifier.Lockout

  • Triggered when a user is locked out due to repeated failed sign-in attempts, enhancing security observability and automation.

Bug fixes & stability

Refresh token TTL fix

Addressed an issue where refresh tokens expired after 14 days due to an internal provider grant TTL cap.

  • TTL now correctly aligns with the configured 180-day lifespan.
  • Supports refresh token validity up to 180 days as intended.

Correct email verification code template selection during multi-step sign-up

Fixed a bug where the system incorrectly switched to MFA binding templates during multi-step sign-up flows.

  • Sign-up templates are now selected correctly when email/phone identifiers are part of the ongoing sign-up process.

Case-insensitive SSO connector domain matching

SSO connector domain matching is now case-insensitive, improving reliability during sign-in flows.

  • SSO connector domains are now normalized to lowercase upon insertion.
  • Prevents duplicate domain entries and ensures proper connector lookup.
  • Domain matching during sign-in is now robustly case-insensitive.