CHANGELOG.md

Change Log

v4.0.2 (2025-02-19)

Full Changelog

Changed

• Update API DOCs link on the README.md #1914 (nandan-bhat)
• Updating API DOCs #1913 (nandan-bhat)

Fixed

• fix: read and migrate v3 session format to v4 #1923 (guabu)
• fix/updateV4MigrationGuide #1925 (tusharpandey13)

v4.0.1 (2025-02-12)

Full Changelog

Fixed

• fix: sanitize the returnTo parameter to prevent open redirect vulnerabilities. #1897 (guabu)

v3.6.0 (2025-01-31)

This is a maintainance release for V3 of the SDK.
V4 supports Next.JS 15 and React 19 and is published on npm!
We will continue to add features and security upgrades in V4 going further. Please migrate to V4 for a better experience.

Security

• bump jshttp/cookie from 0.6.0 to 0.7.1

v4.0.0 (2024-01-30)

⚠️ BREAKING CHANGES.

Significant updates have been introduced in this release. Please refer to the V3 → V4 MIGRATION GUIDE for details on upgrading.

Fixed

• chore: add telemetry and options to disable in #1864
• chore: reduce session lifetime defaults in #1869
• fix: persist access token scope in tokenset in #1870
• chore: in-memory cache for authorization server metadata in #1871

v4.0.0-beta.14 (2024-01-06)

Fixed

• fix: propagate session data updates within the same request (fixes: #1841)
• chore: export SessionDataStore and LogoutToken types (closes: #1852)
• feat: add generateSessionCookie testing helper (closes: #1857)

v4.0.0-beta.13 (2024-12-20)

Fixed

• chore: refresh the token set when calling getAccessToken instead of the middleware (fixes: #1851 and #1841)
• feat: add idToken to beforeSessionSaved hook (closes: #1840)
• fix: ensure builds succeed without AUTH0_DOMAIN set (closes: #1849)
• chore: allow specifying client assertion config via env vars

v4.0.0-beta.12 (2024-12-18)

Fixed

• chore: add note about RP-Initiated logout
• chore: warn instead of throwing error when using insecure requests flag in prod (closes: #1846)
• chore: remove warning for prod env with non-https (closes: #1847)

v4.0.0-beta.11 (2024-12-17)

• feat: introduce updateSession helper (closes: #1836)
• feat: private_key_jwt authentication method
• fix: peerDependencies for React 19 (closes: #1844)
• chore: allowInsecureRequests for mock OIDC server during development (closes: #1846)

v4.0.0-beta.10 (2024-12-10)

Fixed

• chore: add more description in error log on discovery errors (closes: #1832)
• chore: migration guide
• chore: include typeVersions for type resolution (fixes: #1816)
• fix: only dist files should be published (fixes: #1825)
• feat: add PAR support
• feat: allow customizing auth routes (closes: #1834)
• chore: set secure cookie attribute based on app base URL protocol (closes: #1821)

v4.0.0-beta.9 (2024-12-03)

Fixed

• fix: clear session before redirecting to /v2/logout (closes #1826)
• feature: add Auth0Provider to pass initialUser (closes: #1823)
• fix: getAccessToken types should not return null (closes: #1831)

v4.0.0-beta.8 (2024-11-25)

Fixed

• Fixes documentation for allowed logout URL
• Falls back to /v2/logout endpoint when the end_session_endpoint is not enabled for a tenant
• Adds docs about default claims from ID token populated in the user object
• Prevent revalidation when user is not authenticated in useUser() hook
• Fix error handling in useUser() hook (closes #1817)
• Export types under /types sub-module (closes #1824 and #1810)
• Exports errors under /errors sub-module
• getAccessToken() method throws an error when an access token could not be obtained to allow handling by the caller (closes #1820 and #1819)
• Add warning when cookie size exceeds 4096 bytes

v4.0.0-beta.7 (2024-11-19)

Fixed

• Updated README.md
• Bumped up the version

v4.0.0-beta.5 (2024-11-19)

Fixed

• Bumping up the version

v4.0.0-beta.4 (2024-11-19)

Fixed

• Adds e2e tests.
• Removes error on env vars when undefined during build.

v4.0.0-beta.3 (2024-11-14)

Fixed

• Bug fixes
• Addressing the following customer issues.
  • #1797
  • #1795
  • #1794

v4.0.0-beta.2 (2024-11-11)

• The previous NPM publish missed including the build files. We are now bumping the version and releasing an updated version with the latest build.

v4.0.0-beta.1 (2024-11-11)

Fixed

• ESM imports for Pages router

v4.0.0-beta.0 (2024-11-05)

• Expands unit test coverage
• Implements Back-Channel Logout
• Adds sample with shadcn
• Refer README.md for more details.

v4.0.0-alpha.0 (2024-10-23)

• This is an experimental alpha release, and we encourage users to test it thoroughly in their development environments before upgrading in production.
• Review the breaking changes carefully to ensure a smooth transition.
• Refer README.md for more details.

v3.5.0 (2023-12-06)

Full Changelog

Added

• Add Pushed Authorization Requests #1598 (ewanharris)

v3.4.0 (2023-12-04)

Full Changelog

Added

• [SDK-4719] Back-Channel Logout #1590 (adamjmcgrath)

Fixed

• Should get instance of Session in RSCs #1565 (adamjmcgrath)

v3.3.0 (2023-11-13)

Full Changelog

Added

• Bail out of static rendering for pages and routes in app dir #1541 (adamjmcgrath)

Fixed

• Fix wrong response type in AfterRefreshPageRoute #1523 (thutter)

v3.2.0 (2023-10-05)

Full Changelog

Added

• Add support for passing a custom http agent #1447 (ryanolson-aumni)
• fix: add missing touchSession for exported function #1461 (benevbright)

Fixed

• withApiAuthRequired callback can return just Response #1476 (adamjmcgrath)

v3.1.0 (2023-08-08)

Full Changelog

Added

• Add option to override transaction cookie name and config #1346 (adamjmcgrath)
• Add support for customizing returnTo in middleware #1342 (adamjmcgrath)

Changed

• Move state cookies to under a single cookie #1343 (adamjmcgrath)

Fixed

• Fix for edge cookies delete not supporting domain or path #1341 (adamjmcgrath)

v3.0.1 (2023-07-31)

Full Changelog

Fixed

• Fix auth handler types when using custom handlers #1327 (adamjmcgrath)

v3.0.0 (2023-07-25)

Full Changelog

Added

• Support for the App Router
• Support for Edge Runtime
• Support for Responses in Middleware

⚠️ BREAKING CHANGES

• Support for EOL Node versions 12 and 14 has been removed. See the V3_MIGRATION_GUIDE.md for more details.

v2.7.0 (2023-07-19)

Full Changelog

Added

• Support Organization Name #1291 (frederikprijck)

Fixed

• Clean up erroneous cookies when chunk size decreases #1300 (adamjmcgrath)

v3.0.0-beta.3 (2023-06-28)

Full Changelog

Added

• [SDK-4319] Add support for Edge runtime #1269 (adamjmcgrath)
• [SDK-4318] Enable responses from custom middleware #1265 (adamjmcgrath)

v2.6.3 (2023-06-26)

Full Changelog

Fixed

• Fix for setting custom cookies in withMiddlewareAuthRequired #1263 (adamjmcgrath)

v3.0.0-beta.2 (2023-06-16)

Full Changelog

Fixed

• Fix issue where api wrapper was overwriting session update in api #1255 (adamjmcgrath)

v3.0.0-beta.1 (2023-06-13)

Full Changelog

Fixed

• Fix request check in node 16 #1250 (adamjmcgrath)

v2.6.2 (2023-06-09)

Full Changelog

Fixed

• Fix for handling chunked cookies in edge runtime #1236 (adamjmcgrath)

v3.0.0-beta.0 (2023-06-08)

Full Changelog

Added

• Support for the App Router.

⚠️ BREAKING CHANGES

• Support for EOL Node versions 12 and 14 has been removed. See the V3_MIGRATION_GUIDE.md for more details.

v2.6.1 (2023-06-06)

Full Changelog

Fixed

• [SDK-4113] Lock down open ended auth route #1212 (adamjmcgrath)

v2.6.0 (2023-05-12)

Full Changelog

Added

• Add prefixed url env for preview deploys on middleware #1198 (adamjmcgrath)

v2.5.0 (2023-04-18)

Full Changelog

Added

• feat: add optional session param to genId function #1158 (PSoltes)

v2.4.0 (2023-03-27)

Full Changelog

Added

• Add autoSave/touchSession for rolling session expiry management #1116 (aovens-quantifi)

v2.3.1 (2023-03-17)

Full Changelog

Fixed

• Update stateful session cookie expiry on set #1115 (aovens-quantifi)

v2.3.0 (2023-03-16)

Full Changelog

Added

• Add AUTH0_LOGOUT env var #1113 (adamjmcgrath)

v2.2.3 (2023-03-13)

Full Changelog

Fixed

• [SDK-3887] Always honor auth0Logout config #1104 (adamjmcgrath)

v2.2.2 (2023-03-02)

Full Changelog

Fixed

• Fix issue where storeIDToken config not used by getAccessToken #1091 (adamjmcgrath)

v2.2.1 (2023-01-27)

Full Changelog

Fixed

• Remove type from export in d.ts files #1037 (ewanharris)

v2.2.0 (2023-01-24)

Full Changelog

Added

• [SDK-3862] Add support for JWT client authentication #1029 (ewanharris)

Fixed

• withMiddlewareAuthRequired returnTo should be a relative url #1028 (adamjmcgrath)
• Infer user exists if WithPageAuthRequired page is rendered #1014 (adamjmcgrath)

v2.1.0 (2023-01-11)

Full Changelog

Added

• SDK-3807 Add custom session stores #993 (adamjmcgrath)

v2.0.1 (2022-12-09)

Full Changelog

Fixed

• afterCallback return type fix #954 (alexmalev)
• fix/rerenders: useMemo to avoid unnecessary rerenders #945 (stavros-liaskos)

v2.0.0 (2022-12-01)

Full Changelog

⚠️ BREAKING CHANGES

• Refactor session lifecycle #787 (adamjmcgrath)

• Rearrange exports for RSC and add experimental RSC route to example #913 (adamjmcgrath)

• Improved callback errors #835 (adamjmcgrath)

• Prevent mixing named exports and own instances #825 (adamjmcgrath)

• Allow to override the user prop in server-side rendered pages #800 (Widcket)

• Return 204 from /api/auth/me when logged out #791 (Widcket)

  Added

• Next.js Middlware support #815 (adamjmcgrath)

• Add testing utility for generating session cookies #816 (Widcket)

• Add updateUser #855 (adamjmcgrath)

• Add support for configuring the built-in handlers #826 (Widcket)

• Add support for configuring the default handlers #840 (Widcket)

• Add logout options #877 (adamjmcgrath)

• At error cause to AT error when it's from a failed grant #878 (adamjmcgrath)

• Add option to not store ID Token in session #809 (Widcket)

• Default error handler #823 (adamjmcgrath)

• Allow response customization in afterCallback #838 (adamjmcgrath)

• Improve API docs #796 (Widcket)

• Improve errors #782 (Widcket)

See V2 Migration Guide for full details.

v2.0.0-beta.4 (2022-11-18)

Full Changelog

⚠️ BREAKING CHANGES

• Rearrange exports for RSC and add experimental RSC route to example #913 (adamjmcgrath)

Fixed

• WithMiddlewareAuthRequired should return 401 for /api routes #909 (adamjmcgrath)

v2.0.0-beta.3 (2022-11-08)

Full Changelog

Fixed

• Fix edge cookie support for Next < 13.0.1 #900 (adamjmcgrath)

v2.0.0-beta.2 (2022-11-02)

Full Changelog

Added

• At error cause to AT error when it's from a failed grant #878 (adamjmcgrath)
• Add logout options #877 (adamjmcgrath)

Fixed

• Fix for new req.cookie interface #894 (adamjmcgrath)

v2.0.0-beta.1 (2022-10-21)

Full Changelog

Fixed

• status getter is not enumerable so needs to be added to NextResponse #875 (adamjmcgrath)

v2.0.0-beta.0 (2022-10-11)

Full Changelog

• Change updateUser to updateSession #855 (adamjmcgrath)
• Add support for configuring the default handlers #840 (Widcket)
• Allow response customization in afterCallback #838 (adamjmcgrath)
• Improved callback errors #835 (adamjmcgrath)
• Add support for configuring the built-in handlers #826 (Widcket)
• Prevent mixing named exports and own instances #825 (adamjmcgrath)
• Default error handler #823 (adamjmcgrath)
• Fix intermittent build issues #818 (adamjmcgrath)
• Add testing utility for generating session cookies #816 (Widcket)
• Next.js Middlware support #815 (adamjmcgrath)
• Fix v1 cookie tests #810 (adamjmcgrath)
• Do not store the ID token by default #809 (Widcket)
• Allow to override the user prop in server-side rendered pages #800 (Widcket)
• Improve API docs #796 (Widcket)
• Return 204 from /api/auth/me when logged out #791 (Widcket)
• Refactor session lifecycle #787 (adamjmcgrath)
• Improve errors #782 (Widcket)

See V2 Migration Guide for full details.

v1.9.2 (2022-10-07)

Full Changelog

Added

• Fix updates to session not reflected in async getServerSideProps #843 (adamjmcgrath)

v1.9.1 (2022-06-16)

Full Changelog

Fixed

• Add Props and Query to GetServerSidePropsWrapper type #731 (adamjmcgrath)

v1.9.0 (2022-05-20)

Full Changelog

Added

• [SDK-3332] Constrain session lifecycle to withPageAuthrequired to avoid Next warning #664 (adamjmcgrath)

v1.8.0 (2022-05-04)

Full Changelog

Added

• Add some useful props to the callback error #625 (adamjmcgrath)
• Update to next 12 #612 (adamjmcgrath)

Fixed

• Fix Fast Refresh for WithPageAuthRequired #653 (adamjmcgrath)
• Handle request errors on useUser hook [SDK-3227] #639 (Widcket)
• Add default to PageRoute type parameter #632 (grantbdev)
• throw if you try to refresh with no rt #624 (adamjmcgrath)
• Should be able to set rollingDuration as false (when rolling is false) #623 (adamjmcgrath)
• Fix types in client-side withPageAuthRequired #574 (slaypni)

v1.7.0 (2022-01-06)

Full Changelog

Added

• Include message body in 302 responses #564 (michielvangendt)

Fixed

• Honor configured sameSite in transient cookies so you can login to iframe using 'none' #571 (adamjmcgrath)
• Cookies with samesite=none must have the secure attr set #570 (adamjmcgrath)
• Improve types in server-side withPageAuthRequired #554 (misoton665)

v1.6.2 (2021-12-16)

Full Changelog

Fixed

• Fix issue where error reporting wrong instanceof #543 (adamjmcgrath)

Security

• Enforce configured host on user supplied returnTo #557 (adamjmcgrath)

v1.6.1 (2021-10-13)

Full Changelog

Fixed

• [Snyk] Upgrade openid-client from 4.8.0 to 4.9.0 #518 (snyk-bot)

v1.6.0 (2021-10-11)

Full Changelog

Added

• [SDK-2818] Export error classes #508 (adamjmcgrath)
• [SDK-2529] Add ability to pass custom params to refresh grant and code exchange #507 (adamjmcgrath)
• [SDK-2813] Add afterRefresh hook #506 (adamjmcgrath)

Fixed

• Fix types in server-side withPageAuthRequired #512 (Widcket)

1.5.0 (2021-07-14)

Added

• Add IE11 support #432 (Widcket)

1.4.2 (2021-06-24)

Fixed

• Fix reflected XSS from the callback handler's error query parameter CVE-2021-32702 (adamjmcgrath)

1.4.0 (2021-06-03)

Added

• withPageAuthRequired CSR now adds user to wrapped component props #405 (adamjmcgrath)

Fixed

• env var substitutions now means you can define AUTH0_BASE_URL from VERCEL_URL in next.config.js #404 (adamjmcgrath)

1.3.1 (2021-05-05)

Fixed

• Use window.location.toString() as the default returnTo value #370 (Widcket)
• returnTo should be encoded as it contains url unsafe chars #365 (adamjmcgrath)

1.3.0 (2021-03-26)

Added

• Organizations support #343 (adamjmcgrath)

1.2.0 (2021-03-10)

Added

• Export UserContext for overriding default hook initialisation behaviour #325 (adamjmcgrath)

Fixed

• returnTo should respect application’s basePath configuration #317 (Widcket)

1.1.0 (2021-02-24)

Added

• Add redirect_uri option to callback handler #298 (mariano)

Fixed

• Chunked cookies should not exceed browser max #301 (adamjmcgrath)
• Cleanup unused cookies when switching between chunked and unchunked #303 (adamjmcgrath)
• New tokens should be applied to existing session after handleProfile #307 (adamjmcgrath)

1.0.0 (2021-02-15)

New features

• New suite of frontend tools:
  • useUser hook and UserProvider to simplify checking and managing the user’s logged in state on the client.
  • withPageAuthRequired higher order component to protect client side routes.
• New handleAuth feature to reduce the amount of boilerplate required to set up the server side authentication handlers.
• Simpler server side API where creation of an SDK instance is handled by the SDK.

Breaking changes

For a full list of breaking changes and migration guide, checkout the V1_MIGRATION_GUIDE.md

1.0.0-beta.2 (2021-02-11)

Additions

• Added afterRefetch hook option to handleProfile to modify the session after refetching it.

1.0.0-beta.1 (2021-02-03)

Additions

• Added a new way to configure the custom profile url. Now it can be configured with an environment variable as well.

Changes

• The way to configure the custom login url has changed. Instead of passing it in every call to withPageAuthRequired now it can be configured with an environment variable.
• The Vercel configuration docs have been updated with the latest guidance.

Fixes

• Fixed a logout issue related to custom IdPs.

1.0.0-beta.0 (2021-01-14)

Install

npm install @auth0/nextjs-auth0@beta

New features

• New suite of frontend tools:
  • useUser hook and UserProvider to simplify checking and managing the user’s logged in state on the client.
  • withPageAuthRequired higher order component to protect client side routes.
• New handleAuth feature to reduce the amount of boilerplate required to set up the server side authentication handlers.
• Simpler server side API where creation of an SDK instance is handled by the SDK.

Breaking changes

For a full list of breaking changes and migration guide, checkout the V1_MIGRATION_GUIDE.md

Changes

• AggregateError#message from Issuer.discover includes stack trace #236 (adamjmcgrath)
• Prevent caching the /me request #233 (adamjmcgrath)
• Added error handling to useUser [SDK-2236] #229 (Widcket)
• Rename loading to isLoading #222 (Widcket)
• Prepare application to be deployable with Vercel #218 (frederikprijck)
• Added withCSRAuthRequired HOC [SDK-2120] #209 (Widcket)
• [SDK-2057] Express mw tests #191 (adamjmcgrath)
• Add withAuth HOC [SDK-2120] #189 (Widcket)
• Add frontend hook tests [SDK-2117] #188 (Widcket)
• Add frontend hook CH: Added #187 (Widcket)

v0.16.0 (2020-08-19)

• Updating dependencies with security issues
• Added the ability to force refreshing the access_token (#147)

v0.15.0 (2020-07-13)

• Improve redirect URI validation when double forward slashes are provided (commit)
• Fix double encoding issue of postLogoutRedirectUri when using a different OIDC IdP (#127)
• Keep previously set cookies in the callbackHandler (#133)

v0.14.0 (2020-07-08)

• Allow overriding the returnTo setting when signing out a user (in the logoutHandler)

v0.13.0 (2020-05-15)

• Updated handlers to use NextApiRequest and NextApiResponse
• Automatically redirect to what is provided in the redirectTo querystring parameter, eg: /api/login?redirectTo=/profile

v0.12.0 (2020-05-11)

• Support end_session_endpoint (#102)
• Allow full control over the state generation
• Allow full control over the session creation

v0.11.0 (2020-03-31)

• Make options optional in handlers (#78)
• Add domain when clearing cookie (#79)
• Add redirectTo support (#81)

v0.10.0 (2020-01-10)

• Add support to refetch the user in the profile handler.

v0.9.0 (2020-01-08)

• Make options on the login handler optional

v0.8.0 (2020-01-08)

• Improved TypeScript types
• Added support to automatically refresh access tokens

v0.7.0 (2019-12-18)

• Add support for SameSite and set to Lax by default to mitigate CSRF attacks.

v0.6.0 (2019-12-18)

• Add support for the cookieDomain option which allows you to share the session across subdomains.
• Fix the interface for the handleLogin method.
• Support sending a custom state to Auth0.

v0.5.0 (2019-10-14)

• Added support for custom authorization parameters in the Login handler

v0.4.0 (2019-10-10)

• Rename the httpClient to oidcClient setting to support more OIDC related settings.
• Added support for id_token leeway for when the time on your server is running behind on Auth0.
• Improve handling of Secure cookies. Don't force Secure cookies when running on localhost (to fix issues related to next start)

v0.3.0 (2019-10-09)

• Fixed issue related to audience not being passed to the /authorize request
• Rename useAuth0 to initAuth0 to clear any confusion about React Hooks (this SDK does not provide a hook)
• Added a new handler to require authentication on API routes.

v0.2.0 (2019-09-25)

• Added support for storeRefreshToken to persist the refresh_token in the session
• Added prettier
• Removed the need build time configuration

v0.1.0 (2019-09-17)

Initial release.