Logto product updates

Logto v1.40.0 brings a time-range picker for audit logs, richer organization membership webhook payloads, big performance wins for large organizations, and several self-hosting quality-of-life improvements.

Yijun
Developer


Logto v1.40.0 is a platform-hardening release. It makes audit logs practical at scale, tells you exactly what changed in organization membership webhooks, speeds up organization queries on large tenants, and removes a couple of long-standing friction points for self-hosted deployments. Three new connectors land too. Here's what's new.

Audit logs you can actually scope

Audit logs are most useful when something just happened — but until now the Console fetched an unbounded window, which got slow on tenants with very large log volumes.

This release adds a time-range picker to the audit logs page, defaulting to the last 7 days. You get preset windows (Last 1 hour, Last 24 hours, Last 7 days, Last 30 days) and a custom date range, and older logs stay reachable by simply widening the window (#8810).

Under the hood, the Management API gains start_time and end_time query parameters on GET /api/logs and GET /api/hooks/{id}/recent-logs (exclusive bounds in unix milliseconds), so you can scope log queries programmatically too (#8806). For the very largest tenants, a new enableCap=true parameter short-circuits the count query at ~10,000 rows and returns a Total-Number-Is-Capped: true header, trading an exact total for a response that won't hit statement_timeout; the Console falls back to a Prev/Next layout when the cap is reached (#8796, #8802). Default behavior without the parameter is unchanged.
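The following is an added example, not code from Logto, showing how an incident responder might pull a scoped window of audit logs with the new parameters and handle the capped count. It assumes the existing `page`/`page_size` pagination parameters and the `Total-Number` header; the HTTP call is replaced by an injected function so the walker runs offline against a constructed stand-in server.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Preset windows offered by the Console picker.
PRESETS = {
    "Last 1 hour": timedelta(hours=1),
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 30 days": timedelta(days=30),
}
EXAMPLE_NOW = datetime(2025, 1, 8, tzinfo=timezone.utc)  # constructed "now"

def build_logs_query(preset, now, page=1, page_size=100, enable_cap=False):
    """Query string for GET /api/logs scoped to a preset window. start_time and
    end_time are exclusive unix-millisecond bounds (per the release notes);
    page/page_size are assumed to be the existing pagination parameters."""
    end_ms = int(now.timestamp() * 1000)
    start_ms = end_ms - int(PRESETS[preset].total_seconds() * 1000)
    params = {"start_time": start_ms, "end_time": end_ms,
              "page": page, "page_size": page_size}
    if enable_cap:
        params["enableCap"] = "true"  # capped count instead of statement_timeout
    return urlencode(params)

def fetch_all_logs(fetch_page, preset, now, page_size=100):
    """Walk every page in the window. fetch_page(query) -> (headers, rows) is
    injected so this runs offline. Returns (rows, capped)."""
    rows, page, capped = [], 1, False
    while True:
        query = build_logs_query(preset, now, page, page_size, enable_cap=True)
        headers, batch = fetch_page(query)
        rows.extend(batch)
        capped = capped or headers.get("Total-Number-Is-Capped") == "true"
        total = int(headers.get("Total-Number", "0"))  # assumed header name
        # Exact total: stop once covered. Capped total is only a lower bound,
        # so keep walking (Prev/Next style) until a page comes back short.
        if (not capped and page * page_size >= total) or len(batch) < page_size:
            return rows, capped
        page += 1

def fake_server(all_rows, capped):
    """Constructed stand-in for the Management API to exercise the walker."""
    def fetch_page(query):
        params = dict(kv.split("=") for kv in query.split("&"))
        page, size = int(params["page"]), int(params["page_size"])
        headers = {"Total-Number": str(min(len(all_rows), 10000) if capped else len(all_rows))}
        if capped:
            headers["Total-Number-Is-Capped"] = "true"
        return headers, all_rows[(page - 1) * size: page * size]
    return fetch_page
```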

Organization membership webhooks now tell you what changed

The Organization.Membership.Updated webhook used to tell you that membership changed, but not what changed. It now carries explicit delta fields — addedUserIds / removedUserIds and addedApplicationIds / removedApplicationIds — across the membership endpoints, plus addedUserIds on invitation accept and just-in-time provisioning (email-domain and enterprise SSO JIT) (#8840).

This is fully additive and non-breaking: empty deltas are omitted, and each array is capped at 5000 entries for bulk operations (reconcile via GET /organizations/:id/users or .../applications when you exceed that). See the webhook reference for the full contract. This work supersedes an earlier community proposal — credit to @chiche84 (#8752).
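As an added example (not Logto's code), here is a webhook consumer that applies the delta fields to a local membership cache and schedules a full reconcile whenever an array reaches the 5000-entry cap. The payload shape is an assumption: `event` names the hook event, `data` carries the organization object with its `id`, and the delta arrays sit beside `data`; check the webhook reference for the exact placement.

```python
MAX_DELTA = 5000  # per-array cap on bulk operations (release notes)

# payload field -> (membership kind, operation)
DELTA_FIELDS = {
    "addedUserIds": ("users", "add"),
    "removedUserIds": ("users", "remove"),
    "addedApplicationIds": ("applications", "add"),
    "removedApplicationIds": ("applications", "remove"),
}

def apply_membership_event(cache, event):
    """Apply one Organization.Membership.Updated payload to a local cache shaped
    {org_id: {"users": set(), "applications": set()}}. Payload shape is assumed
    (see lead-in). Returns the (org_id, kind) pairs whose delta hit the cap and
    must be reconciled from GET /organizations/:id/users or .../applications."""
    if event.get("event") != "Organization.Membership.Updated":
        return []
    org_id = event["data"]["id"]
    org = cache.setdefault(org_id, {"users": set(), "applications": set()})
    needs_reconcile = []
    for field, (kind, op) in DELTA_FIELDS.items():
        ids = event.get(field)
        if not ids:  # empty deltas are omitted, so a missing field means "no change"
            continue
        if op == "add":
            org[kind].update(ids)
        else:
            org[kind].difference_update(ids)
        # A full-length array may have been truncated at the cap: treat the delta
        # as a hint and schedule a full reconcile for that membership kind.
        if len(ids) >= MAX_DELTA:
            needs_reconcile.append((org_id, kind))
    return needs_reconcile

# Constructed sample events (not captured from a real Logto tenant).
SMALL_EVENT = {
    "event": "Organization.Membership.Updated",
    "data": {"id": "org_1"},
    "addedUserIds": ["user_3"],
    "removedUserIds": ["user_1"],
}
BULK_EVENT = {
    "event": "Organization.Membership.Updated",
    "data": {"id": "org_1"},
    "addedApplicationIds": [f"app_{i}" for i in range(MAX_DELTA)],
}
```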

While we were in the sessions code, GET /api/my-account/sessions also gained an isCurrent flag on every entry, so session-management UIs can mark the "This device" row and avoid revoking the caller's own session (#8731).

Organizations that stay fast as they grow

Several changes target tenants with very large organizations:

  • GET /organizations/:id/users now aggregates roles through a LATERAL subquery, so LIMIT prunes the user set before role lookups run — instead of materializing the entire members × roles join on every paginated request (#8826).
  • Two new secondary indexes accelerate reverse lookups: one on organization_user_relations (tenant_id, user_id), hit on every sign-in and by the membership middleware (#8818), and one on organization_role_user_relations (tenant_id, organization_id, user_id), hit by getUserScopes and per-user role joins (#8819).
  • PUT /organizations/:id/users switches to a new delta-based query that writes only the rows that actually changed, instead of rewriting every membership row on each call — and it preserves role assignments for members who survive the update (#8820).
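To show why the delta-based write in the last item matters for authorization integrity, here is an added example (not Logto's query or schema) that contrasts a rewrite-everything update with a delta update on a constructed, simplified SQLite schema that borrows the two table names from the release notes. The foreign key with ON DELETE CASCADE is an assumption that models how a membership row's role assignments hang off it.

```python
import sqlite3

# Constructed simplified schema using the release notes' table names; not Logto's DDL.
SCHEMA = """
CREATE TABLE organization_user_relations (
  tenant_id TEXT NOT NULL, organization_id TEXT NOT NULL, user_id TEXT NOT NULL,
  PRIMARY KEY (tenant_id, organization_id, user_id));
CREATE TABLE organization_role_user_relations (
  tenant_id TEXT NOT NULL, organization_id TEXT NOT NULL,
  organization_role_id TEXT NOT NULL, user_id TEXT NOT NULL,
  FOREIGN KEY (tenant_id, organization_id, user_id)
    REFERENCES organization_user_relations (tenant_id, organization_id, user_id)
    ON DELETE CASCADE);
"""
MEMBERS = "SELECT user_id FROM organization_user_relations WHERE tenant_id=? AND organization_id=?"

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # needed for the cascade to fire
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO organization_user_relations VALUES (?,?,?)",
                   [("t1", "org1", "alice"), ("t1", "org1", "bob")])
    db.execute("INSERT INTO organization_role_user_relations VALUES (?,?,?,?)",
               ("t1", "org1", "admin", "alice"))
    return db

def replace_members_rewrite(db, tenant, org, user_ids):
    """Old style: drop every membership row and re-insert the list. The cascade
    also deletes the role rows of members who are still in the list."""
    db.execute("DELETE FROM organization_user_relations WHERE tenant_id=? AND organization_id=?",
               (tenant, org))
    db.executemany("INSERT INTO organization_user_relations VALUES (?,?,?)",
                   [(tenant, org, u) for u in user_ids])
    return len(user_ids)

def replace_members_delta(db, tenant, org, user_ids):
    """Delta style: touch only rows that change; survivors keep their roles."""
    current = {row[0] for row in db.execute(MEMBERS, (tenant, org))}
    desired = set(user_ids)
    db.executemany("DELETE FROM organization_user_relations WHERE tenant_id=? AND organization_id=? AND user_id=?",
                   [(tenant, org, u) for u in current - desired])
    db.executemany("INSERT INTO organization_user_relations VALUES (?,?,?)",
                   [(tenant, org, u) for u in desired - current])
    return len(current ^ desired)  # rows actually written

def roles_of(db, tenant, org, user_id):
    return sorted(row[0] for row in db.execute(
        "SELECT organization_role_id FROM organization_role_user_relations "
        "WHERE tenant_id=? AND organization_id=? AND user_id=?", (tenant, org, user_id)))
```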

Account Center and sign-in fixes

  • Terms on sign-in-to-registration. When the agreement policy is "require checkbox agreement on registration only," signing in with an unregistered email or phone and then choosing "create a new account" now prompts the terms agreement before the account is created — matching the dedicated registration and social/SSO flows (#8835).
  • Initial password setup. Users with no password, email, or phone can now set their first password through the Account API without a verification record (#8746).
  • Silent re-authentication. On a user-info error — for example a stale access token after switching users in the same browser — Account Center re-authenticates with prompt=none instead of bouncing to the login screen, thanks to @taka-guevara (#8785).
  • Cleaner session expiry and social callbacks. Expired Account Center sessions redirect without flashing the manual sign-in error (#8830), the social linking callback now reads connectorId correctly (#8758), and the 2-step verification toggle label is clearer (#8792).
  • i18n. Corrected the Chinese translation of "Passkey" in the MFA phrases, thanks to @rotempasharel1 (#8870).

New and improved connectors

This release adds three connectors and improves several more — a number of them contributed by the community:

  • MailJunky email connector for transactional auth emails, contributed by @devadarshh (#8638).
  • SMSBao SMS connector for domestic SMS verification, contributed by @wintbiit (#8871).
  • Aliyun SMS authentication service connector, contributed by @CertStone (#8385).
  • Aliyun Direct Mail now supports configuring the Direct Mail region (#8892).
  • WeCom fetches richer user profile details via additional API calls, contributed by @liyujun-dev (#8191).
  • SMTP auth may now omit user and pass, so relays that authorize by source (e.g. IP/VLAN) work without forging credentials (#8888).
  • Connector Kit tightened email branding URL detection to avoid false positives on dotted abbreviations, thanks to @aayushbaluni (#8747).

For self-hosted users

A couple of changes specifically smooth out OSS deployments:

Air-gapped admin setup. The install and db seed commands now accept a --dapc flag (alias --disable-admin-pwned-password-check). The admin tenant's seeded password policy enables the Have I Been Pwned breach check by default, which calls api.pwnedpasswords.com on every admin password submission — and hangs the first admin sign-up when that endpoint is unreachable. Passing --dapc seeds the policy with the breach check disabled, so admin sign-up no longer depends on outbound network access. (Credit @darcyYe, #8859)

Admin signing keys from the database. OSS deployments now read the admin tenant signing keys directly from the database, removing the extra host/DNS mappings that previously let the Logto container fetch its own admin tenant OIDC configuration through the externally configured endpoint (#8869).

Migration required. v1.40.0 ships database schema alterations (the new organization-relation indexes and additional internal columns). After pulling the new version, run the database alteration step before starting the server. See the upgrade guide.

Get started

Ready to upgrade? Check out our upgrade guide for step-by-step instructions.

For the complete list of changes, see the GitHub release page.

Have questions or feedback? Join us on Discord or open an issue on GitHub.