English

release

Logto product updates

Logto v1.36 brings wildcard redirect URI support for preview deployments, app-level token exchange control, trust unverified email option for OIDC connectors, and the ability to skip identifier collection for social sign-in.

Sijie

Developer

1/30/2026less than a minute read

Stop wasting weeks on user auth

Launch secure apps faster with Logto. Integrate user auth in minutes, and focus on your core product.

Get started

Logto v1.36 is here. This release brings wildcard redirect URI support, app-level token exchange control, and the ability to trust unverified emails in OIDC connectors.

Wildcard redirect URIs

Thanks to community contributor @Arochka, you can now use wildcard patterns (*) in redirect URIs. This is especially useful for dynamic environments like preview
deployments where URLs are generated on the fly.

Rules for web applications:

Wildcards work in the hostname and pathname of http/https URIs
Wildcards are not allowed in scheme, port, query, or hash
Hostname patterns must include at least one dot to prevent overly broad matches

Token exchange with app-level control

Token exchange is now available for machine-to-machine applications, and you have fine-grained control over which apps can use it.

New allowTokenExchange setting in application configuration
New apps have token exchange disabled by default
Existing first-party apps (Traditional, Native, SPA) keep it enabled for backward compatibility
Third-party apps cannot use token exchange
Console shows a risk warning when enabling for public clients

Trust unverified email for OIDC connectors

Some identity providers don't return email_verified or return it as false even when the email is valid. You can now configure OIDC social connectors and enterprise SSO connectors to sync emails
regardless of verification status.

Enable trustUnverifiedEmail in your connector config (default is false). This option is available in the Admin Console for OIDC and Azure AD SSO connectors.

Apple App Store guidelines require that "Sign in with Apple" doesn't ask for additional information beyond what Apple provides. To help with this, we've added a new option to skip mandatory identifier
collection during social sign-in.

Find the "Require users to provide missing sign-up identifier" checkbox in the Social sign-in section of your sign-in experience settings.

API improvements

User role APIs now return results

POST /users/:userId/roles returns { roleIds, addedRoleIds } showing which roles were newly assigned
PUT /users/:userId/roles returns { roleIds } confirming the final state

New createApiClient function in @logto/api

Create a type-safe API client with your own token retrieval logic for custom authentication flows.

Bug fixes

Postgres timeout: Set DATABASE_STATEMENT_TIMEOUT=DISABLE_TIMEOUT for PgBouncer/RDS Proxy compatibility
Enterprise SSO error: Fixed error code when SSO account doesn't exist
JIT email domains: Removed pagination limit so all domains show in Console
Direct sign-in: Fixed repeated auto sign-in requests
Audit log filters: Fixed typos causing empty filter results

Wildcard redirect URIs

Rules for web applications:

Wildcards work in the hostname and pathname of http/https URIs

Wildcards are not allowed in scheme, port, query, or hash

Hostname patterns must include at least one dot to prevent overly broad matches

Token exchange with app-level control

Token exchange is now available for machine-to-machine applications, and you have fine-grained control over which apps can use it.

New allowTokenExchange setting in application configuration

New apps have token exchange disabled by default

Existing first-party apps (Traditional, Native, SPA) keep it enabled for backward compatibility

Third-party apps cannot use token exchange

Console shows a risk warning when enabling for public clients

Trust unverified email for OIDC connectors

Enable trustUnverifiedEmail in your connector config (default is false). This option is available in the Admin Console for OIDC and Azure AD SSO connectors.

API improvements

User role APIs now return results

POST /users/:userId/roles returns { roleIds, addedRoleIds } showing which roles were newly assigned

PUT /users/:userId/roles returns { roleIds } confirming the final state

New createApiClient function in @logto/api

Create a type-safe API client with your own token retrieval logic for custom authentication flows.

Bug fixes

Postgres timeout: Set DATABASE_STATEMENT_TIMEOUT=DISABLE_TIMEOUT for PgBouncer/RDS Proxy compatibility

Enterprise SSO error: Fixed error code when SSO account doesn't exist

JIT email domains: Removed pagination limit so all domains show in Console

Direct sign-in: Fixed repeated auto sign-in requests

Audit log filters: Fixed typos causing empty filter results

Wildcard redirect URIs#

Token exchange with app-level control#

Trust unverified email for OIDC connectors#

Skip identifier collection for social sign-in#

API improvements#

Bug fixes#

Wildcard redirect URIs#

Token exchange with app-level control#

Trust unverified email for OIDC connectors#

Skip identifier collection for social sign-in#

API improvements#

Bug fixes#

Wildcard redirect URIs

Token exchange with app-level control

Trust unverified email for OIDC connectors

Skip identifier collection for social sign-in

API improvements

Bug fixes

Wildcard redirect URIs

Token exchange with app-level control

Trust unverified email for OIDC connectors

Skip identifier collection for social sign-in

API improvements

Bug fixes