Changed

• Update API DOCs link on the README.md #1914 (nandan-bhat)
• Updating API DOCs #1913 (nandan-bhat)

Fixed

• fix: read and migrate v3 session format to v4 #1923 (guabu)
• fix/updateV4MigrationGuide #1925 (tusharpandey13)

Fixed

• fix: sanitize the returnTo parameter to prevent open redirect vulnerabilities. #1897 (guabu)

v3.6.0 (2025-01-31)

This is a maintainance release for V3 of the SDK.
V4 supports Next.JS 15 and React 19 and is published on npm!
We will continue to add features and security upgrades in V4 going further. Please migrate to V4 for a better experience.

Security

• bump jshttp/cookie from 0.6.0 to 0.7.1

🛠️ Changes

⚠️ This is a major release with breaking changes.

• Significant updates have been introduced in this release. Please refer to the V3 → V4 MIGRATION GUIDE for details on upgrading.

What's Changed

• SDK v4 by @guabu in #1781
• Release v4.0.0-alpha.0 by @gyaneshgouraw-okta in #1784
• Updating LICENSE and package-lock.json by @nandan-bhat in #1786
• Release v4.0.0-beta.0 by @guabu in #1788
• fix: ESM imports for Pages router by @guabu in #1798
• Bumping up the version | Resolving NPM package issue by @nandan-bhat in #1799
• 4.0.0-beta.3 by @guabu in #1800
• 4.0.0-beta.4 by @guabu in #1807
• 4.0.0-beta.8 by @guabu in #1811
• 4.0.0-beta.9 by @guabu in #1827
• 4.0.0-beta.10 by @guabu in #1833
• 4.0.0-beta.11 by @guabu in #1845
• 4.0.0-beta.12 by @guabu in #1848
• 4.0.0-beta.13 by @guabu in #1850
• 4.0.0-beta.14 by @guabu in #1858
• chore: add telemetry and options to disable by @guabu in #1864
• chore: reduce session lifetime defaults by @guabu in #1869
• fix: persist access token scope in tokenset by @guabu in #1870
• chore: in-memory cache for authorization server metadata by @guabu in #1871
• Release 4.0.0 by @nandan-bhat in #1873

New Contributors

• @guabu made their first contribution in #1781
• @gyaneshgouraw-okta made their first contribution in #1784
• @nandan-bhat made their first contribution in #1786

Full Changelog: v3.5.0...v4.0.0

🛠️ Changes

• fix: propagate session data updates within the same request (fixes: #1841)
• chore: export SessionDataStore and LogoutToken types (closes: #1852)
• feat: add generateSessionCookie testing helper (closes: #1857)

🛠️ Changes

• chore: refresh the token set when calling getAccessToken instead of the middleware (fixes: #1851 and #1841)
• feat: add idToken to beforeSessionSaved hook (closes: #1840)
• fix: ensure builds succeed without AUTH0_DOMAIN set (closes: #1849)
• chore: allow specifying client assertion config via env vars

🛠️ Changes

• chore: add note about RP-Initiated logout
• chore: warn instead of throwing error when using insecure requests flag in prod (closes: #1846)
• chore: remove warning for prod env with non-https (closes: #1847)

🛠️ Changes

• feat: introduce updateSession helper (closes: #1836)
• feat: private_key_jwt authentication method
• fix: peerDependencies for React 19 (closes: #1844)
• chore: allowInsecureRequests for mock OIDC server during development (closes: #1846)

🛠️ Changes

• chore: add more description in error log on discovery errors (closes: #1832)
• chore: migration guide
• chore: include typeVersions for type resolution (fixes: #1816)
• fix: only dist files should be published (fixes: #1825)
• feat: add PAR support
• feat: allow customizing auth routes (closes: #1834)
• chore: set secure cookie attribute based on app base URL protocol (closes: #1821)

🛠️ Changes

• fix: clear session before redirecting to /v2/logout (closes #1826)
• feature: add Auth0Provider to pass initialUser (closes: #1823)
• fix: getAccessToken types should not return null (closes: #1831)