
Logto product updates

Logto v1.37.0 is here with a built-in Account Center app, richer JWT customization using application context, and configurable ID token claims. It also fixes custom-domain redirect issues and improves sign-up and social linking flow stability.

Darcy Ye
Developer

New features & enhancements

Built-in Account Center app

This release introduces the Account Center single-page app as a built-in Logto application for end users:

  • Supports profile updates for primary email, phone, username, and password, with verification flows.
  • Supports MFA management for TOTP, backup codes (download/regenerate), and passkeys (WebAuthn), including rename and delete actions.
  • Sensitive operations are gated by password/email/phone verification and include dedicated success screens.

Documentation: Account settings by Account API

Application context in JWT Customizer

Application context (for example app name, description, and custom data) is now available in JWT customizer scripts for:

  • Access token
  • Client credentials token

This enables app-aware JWT claim customization.

ID token claims configuration

You can now configure additional claims included in ID tokens via Console or Management API:

  • custom_data
  • identities
  • roles
  • organizations
  • organization_roles

Bug fixes & stability

Built-in app redirect URI fix for custom domains

Fixed an invalid_redirect_uri error for the built-in Account Center and Demo app when requests arrive through a custom domain.

  • Root cause: Built-in client metadata was generated from default tenant URLs only, while runtime redirect_uri could be based on a custom domain.
  • Fix: getTenantUrls now accepts an optional runtime endpoint. Built-in metadata generation for Account Center and Demo app now includes envSet.endpoint, so redirect/logout URIs automatically include the active custom domain.
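The root cause and fix above, reproduced as an added TypeScript example (not Logto's source code): the redirect URI check stays an exact match, and the fix works by widening the registered set with the tenant's runtime endpoint. The helper names, hostnames and callback path are constructed for illustration, and the runtime endpoint is assumed to be a server-side value already trusted for the tenant.

```typescript
// Added illustration; not Logto's implementation. All hosts and paths are constructed.
type BuiltInClient = { clientId: string; redirectUris: string[] };

// Hypothetical helper: the base URLs a tenant may be served from.
// `runtimeEndpoint` stands in for the optional runtime endpoint described in the fix.
function tenantBaseUrls(defaultUrls: string[], runtimeEndpoint?: string): string[] {
  const all = runtimeEndpoint ? defaultUrls.concat(runtimeEndpoint) : defaultUrls;
  return all
    .map((url) => new URL(url).origin) // normalize to scheme + host + port
    .filter((origin, index, list) => list.indexOf(origin) === index); // de-duplicate
}

// Hypothetical helper: derive a built-in client's registered redirect URIs.
function buildBuiltInClient(clientId: string, path: string, baseUrls: string[]): BuiltInClient {
  return { clientId, redirectUris: baseUrls.map((base) => new URL(path, base).href) };
}

// Exact string comparison against the registered set: no prefix or wildcard matching.
function checkRedirectUri(client: BuiltInClient, redirectUri: string): "ok" | "invalid_redirect_uri" {
  return client.redirectUris.indexOf(redirectUri) !== -1 ? "ok" : "invalid_redirect_uri";
}

const defaultUrls = ["https://tenant.example.com"]; // constructed default tenant URL
const customDomain = "https://auth.example.org"; // constructed custom domain
const callbackPath = "/account/callback"; // constructed path
const requested = "https://auth.example.org/account/callback";

// Before the fix: metadata is built from default tenant URLs only.
const clientBefore = buildBuiltInClient("account-center", callbackPath, tenantBaseUrls(defaultUrls));

// After the fix: the runtime endpoint is part of the metadata.
const clientAfter = buildBuiltInClient(
  "account-center",
  callbackPath,
  tenantBaseUrls(defaultUrls, customDomain)
);

console.log(checkRedirectUri(clientBefore, requested));
console.log(checkRedirectUri(clientAfter, requested));
// A host that was never registered is still rejected after the fix.
console.log(checkRedirectUri(clientAfter, "https://unregistered.example.net/account/callback"));
```
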

"Tell us about yourself" section visibility fix

Fixed an issue where the "Tell us about yourself" section did not appear during sign-up when only optional custom profile fields were configured.

  • Previously only required fields were checked, so optional-only setups were skipped.
  • The check now includes optional fields and whether the extra profile form has been submitted, ensuring expected visibility.

Fixed a broken social account linking flow in this scenario:

  • username + email are both enabled as required sign-up identifiers.
  • "Require users to provide missing sign-up identifiers for social sign-in" is enabled.
  • The social IdP returns no verified email.
  • The user fulfills username, then enters an already-registered email.

Previously, the link_social parameter was not propagated after username fulfillment, causing link context to be lost before email verification. The flow now appends and preserves link_social so the expected link-and-sign-in behavior works correctly.