v3.8.0

Full Changelog

Security

• Upgrade jose and openid-client to fix security vulnerabilities #2104
• refactor: use a single client assertion audience #2024

Changed

• Update JSDocs to mention idpLogout defaults to true #2083
• Update useUser example to use a tag instead of Link #2087
• Add storeIDToken to config params docs #2103

v4.6.1

Fixed

• Fixes CVE-2025-48947
• Fix Missing idToken during Session Migration from v3 to v4 #2116 #2120 (KentoMoriwaki)
• fix(session): prevent accidental deletion of legacy-named session cookie #2114 (nandan-bhat)
• fix(client): add type-safe return for getAccessToken #2115 (nandan-bhat)

v4.6.0

Added

• feature/conditionally update session handleAccessToken #2054 (tusharpandey13)
• Add missing support for legacy chunked cookies #2071 (tusharpandey13)

Changed

• Update middleware combination example to prevent unintended backend execution #2076 (tusharpandey13)
• Update deleteByLogoutToken arg type in EXAMPLES.md #2067 (ammubhave)

Fixed

• Usability upgrades to V4 Migration Guide #2095 (nandan-bhat)
• Bugfix: Add clockTolerance to cookie decryption #2097 (tusharpandey13)
• Fix stacking transaction cookies #2077 (tusharpandey13)

v4.5.1

Security

• fix: Ensure JWE expires as expected #2040 (frederikprijck)

v4.5.0

Added

• Extensive Cookie Configuration #2059 (tusharpandey13)
• Allow refresh: true in getAccessToken() #2055 (tusharpandey13)
• Allow SWR mutation in useUser hook #2045 (tusharpandey13)

Changed

• Update README regarding access-token endpoint #2044 (frederikprijck)

Fixed

• Update tests for getAccessToken refresh flow #2068 (tusharpandey13)
• fix: make configuration validation not throw #2034 (tusharpandey13)
• feat: ensure cookie path is configurable #2050 (frederikprijck)

v4.4.2

Revert

• revert: fix: Properly configure SDK to be distributed as ESM #2046 (frederikprijck)

Fixed

• fix: Add id_token_hint on logout #2041 (frederikprijck)

v4.4.1

Fixed

• fix: Properly configure SDK to be distributed as ESM #2028 (frederikprijck)
• Fix broken links in jsdocs #2031 (frederikprijck)
• fix: Throw ConfigurationError when invalid Auth0Client configuration #2026 (tusharpandey13)

v4.4.0

Added

• Add note about access-token endpoint to README #2020 (frederikprijck)
• Add support for Connection Access Token #2010 (frederikprijck)

Fixed

• fix: Delete legacy cookie once v4 cookie is set #2019 (frederikprijck)
• fix: Ensure to delete cookies when switching from single to chunks and vica versa #2013 (frederikprijck)
• fix: Clean up cookie chunks when cookie size shrinks #2014 (frederikprijck)
• fix: use NEXT_PUBLIC_PROFILE_ROUTE in Auth0Provider #2021 (tusharpandey13)
• fix: Ensure to pass-through enableAccessTokenEndpoint #2015 (frederikprijck)
• fix: Remove obsolete warning about cookie-size #2012 (frederikprijck)

v4.3.0

Added

• Access Token Exposure Control #1979 (tusharpandey13)
• Cookie chunking support #1975 (tusharpandey13)
• Add idToken to TokenSet in SessionData #1978 (tusharpandey13)

v4.2.1

Changed

• Bump next in SDK as well as examples #1992 (frederikprijck)