Logto product updates

Logto v1.36 brings wildcard redirect URI support for preview deployments, app-level token exchange control, trust unverified email option for OIDC connectors, and the ability to skip identifier collection for social sign-in.

Sijie, Developer

Logto v1.36 is here. This release brings wildcard redirect URI support, app-level token exchange control, and the ability to trust unverified emails in OIDC connectors.

Wildcard redirect URIs

Thanks to community contributor @Arochka, you can now use wildcard patterns (*) in redirect URIs. This is especially useful for dynamic environments like preview deployments, where URLs are generated on the fly.

Rules for web applications:

  • Wildcards work in the hostname and pathname of http/https URIs
  • Wildcards are not allowed in scheme, port, query, or hash
  • Hostname patterns must include at least one dot to prevent overly broad matches
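To make the rules above concrete, here is an added example (written for this post, not Logto's own code) of a validator and matcher that enforces them. The function names are made up for the example, and it makes two assumptions the rules leave open: a `*` never crosses a `/` (so in a hostname it can span several labels, while in a path it stays within one segment), and scheme, port, query and hash must be identical on both sides. The security-relevant point is that the requested `redirect_uri` is parsed into components and compared component by component, never by substring or prefix, so a wildcard in the hostname cannot swallow a different host suffix, a port, or a query string.

```typescript
// Added example: a wildcard redirect URI validator and matcher that follows the
// rules listed in the post. Illustrative only, NOT Logto's implementation; the
// function names and the "a wildcard never crosses a '/'" semantics are
// assumptions made for this example.

interface UriParts {
  scheme: string;
  host: string;
  port: string;  // '' when absent
  path: string;  // '/' when absent
  query: string; // includes the leading '?', '' when absent
  hash: string;  // includes the leading '#', '' when absent
}

// Split an absolute URI into components using a deliberately simple grammar
// (no userinfo, no bracketed IPv6 hosts). Returns undefined when it does not parse.
function splitUri(uri: string): UriParts | undefined {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::([^/?#]*))?(\/[^?#]*)?(\?[^#]*)?(#.*)?$/i.exec(uri);
  if (m === null) {
    return undefined;
  }
  return {
    scheme: m[1].toLowerCase(),
    host: m[2].toLowerCase(),
    port: m[3] !== undefined ? m[3] : '',
    path: m[4] !== undefined ? m[4] : '/',
    query: m[5] !== undefined ? m[5] : '',
    hash: m[6] !== undefined ? m[6] : '',
  };
}

// Returns undefined when the pattern is acceptable, otherwise the reason it is rejected.
function validateRedirectUriPattern(pattern: string): string | undefined {
  const parts = splitUri(pattern);
  if (parts === undefined) {
    return 'not an absolute URI (or the scheme contains a wildcard)';
  }
  if (pattern.indexOf('*') === -1) {
    return undefined; // a plain redirect URI, nothing wildcard-specific to check
  }
  if (parts.scheme !== 'http' && parts.scheme !== 'https') {
    return 'wildcards are only supported in http/https URIs';
  }
  if (parts.port.indexOf('*') !== -1) {
    return 'wildcards are not allowed in the port';
  }
  if (parts.query.indexOf('*') !== -1 || parts.hash.indexOf('*') !== -1) {
    return 'wildcards are not allowed in the query or hash';
  }
  if (parts.host.indexOf('*') !== -1 && parts.host.indexOf('.') === -1) {
    return 'a wildcard hostname must contain at least one dot';
  }
  return undefined;
}

// Compile one component into an anchored regex: every '*' becomes "any run of
// characters that does not cross a '/'"; everything else is matched literally.
function componentToRegex(component: string): RegExp {
  const literalPieces = component
    .split('*')
    .map((piece) => piece.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + literalPieces.join('[^/]*') + '$');
}

// Decide whether a concrete redirect_uri from an authorization request is
// covered by a registered pattern. Both sides are parsed first and compared
// component by component, so a wildcard can never swallow a host suffix,
// a port, or a query string.
function redirectUriMatches(pattern: string, redirectUri: string): boolean {
  if (validateRedirectUriPattern(pattern) !== undefined) {
    return false; // never match against a pattern that breaks the rules
  }
  const p = splitUri(pattern);
  const c = splitUri(redirectUri);
  if (p === undefined || c === undefined || redirectUri.indexOf('*') !== -1) {
    return false; // the requested URI itself must parse and be concrete
  }
  if (p.scheme !== c.scheme || p.port !== c.port || p.query !== c.query || p.hash !== c.hash) {
    return false; // these components allow no wildcards, so they must be identical
  }
  return componentToRegex(p.host).test(c.host) && componentToRegex(p.path).test(c.path);
}

// Usage: a preview deployment pattern accepts its own subdomains only.
const previewPattern = 'https://*.example.com/callback';
const accepted = redirectUriMatches(previewPattern, 'https://pr-42.example.com/callback'); // true
const rejected = redirectUriMatches(previewPattern, 'https://pr-42.example.com.evil.com/callback'); // false
```

Note that the matcher returns `false` for any pattern that fails validation, so a misconfigured pattern fails closed rather than matching nothing in particular. Default ports are not normalized here (`https://host:443/cb` is not the same as `https://host/cb`), which keeps the comparison strict at the cost of requiring exact registration.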

Token exchange with app-level control

Token exchange is now available for machine-to-machine applications, and you have fine-grained control over which apps can use it.

  • New allowTokenExchange setting in application configuration
  • New apps have token exchange disabled by default
  • Existing first-party apps (Traditional, Native, SPA) keep it enabled for backward compatibility
  • Third-party apps cannot use token exchange
  • Console shows a risk warning when enabling for public clients

Trust unverified email for OIDC connectors

Some identity providers don't return email_verified, or return it as false even when the email is valid. You can now configure OIDC social connectors and enterprise SSO connectors to sync emails regardless of verification status.

Enable trustUnverifiedEmail in your connector config (default is false). This option is available in the Admin Console for OIDC and Azure AD SSO connectors. Treat it as a trust decision: with it enabled, an email the provider has not verified is synced as if it were, so only enable it for providers whose email claims you are confident in.

Skip identifier collection for social sign-in

Apple App Store guidelines require that "Sign in with Apple" doesn't ask for additional information beyond what Apple provides. To help with this, we've added a new option to skip mandatory identifier collection during social sign-in.

To skip it, uncheck "Require users to provide missing sign-up identifier" in the Social sign-in section of your sign-in experience settings.

API improvements

User role APIs now return results

  • POST /users/:userId/roles returns { roleIds, addedRoleIds } showing which roles were newly assigned
  • PUT /users/:userId/roles returns { roleIds } confirming the final state

New createApiClient function in @logto/api

Create a type-safe API client with your own token retrieval logic for custom authentication flows.

Bug fixes

  • Postgres timeout: Set DATABASE_STATEMENT_TIMEOUT=DISABLE_TIMEOUT for PgBouncer/RDS Proxy compatibility
  • Enterprise SSO error: Fixed error code when SSO account doesn't exist
  • JIT email domains: Removed pagination limit so all domains show in Console
  • Direct sign-in: Fixed repeated auto sign-in requests
  • Audit log filters: Fixed typos causing empty filter results