v4.20.0

Added

• feat: support customizing profile and accessToken routes #2451 (eliw00d)

Fixed

• fix: stale session reuse on proxy DPoP nonce retry #2582 (nandan-bhat)
• fix: move NextResponse-dependent buildEnrollOptions to server-only module #2643 (sleitor)
• fix: delete v3 appSession cookie on logout #2552 (gmurphey)
• fix: respect allowInsecureRequests option in AuthClientProvider domain validation #2630 (sleitor)

v4.19.0

v4.19.0 (2026-04-22)

Added

• feat: add mfa.stepUpWithPopup() for reactive MFA step-up via Universal Login #2524 (tusharpandey13)

Fixed

• fix: MFA http contract parity fixes #2555 (tusharpandey13)
• fix: skip MCD session backfill in static mode #2618 (tusharpandey13)

v4.18.0

Added

• Reapply feat: add optional update() to SessionDataStore (#2590) #2616 (Piyush-85)

Fixed

• fix: DPoP nonce retry race issue #2580 (nandan-bhat)

v4.17.1

Fixed

• fix: defer AuthClientProvider construction when AUTH0_DOMAIN not set at build time #2604 (sleitor)
• fix: Next.js edge runtime build error for crypto module #2564 (Piyush-85)

v4.17.0

Release v4.17.0 (minor release)

Added

• feat: MCD (Multiple Custom Domains) Support #2545 (tusharpandey13)

Fixed

• fix: prevent rolling session from re-creating a deleted session on concurrent logout #2530 (sleitor)

v4.16.2

Fixed

• fix: Middleware should not throw ERR_JWE_INVALID #2546 (crob)
• fix: preserve error details from HTTP 5xx OAuth responses #2533 (sleitor)

Security

• chore(deps): update eslint to fix flatted vulnerability #2575 (Piyush-85)

Documentation

• docs: clarify getAccessToken req/res usage in Route Handlers with custom cookies #2577 (Piyush-85)

v4.16.1

Fixed

• fix: make withPageAuthRequired generic to support PageProps/LayoutProps types #2529 (sleitor)
• fix: enable full generic type inference for withPageAuthRequired to correctly propagate PageProps and LayoutProps #2550 (Piyush-85)

v4.16.0

Added

• feat: added tokenRefreshBuffer for early access‑token refreshes #2508 (nandan-bhat)
• feat: support allow list for dynamic APP_BASE_URL configuration #2538 (frederikprijck)
• feat: Add dynamic app base URL handling #2528 (nandan-bhat)

Fixed

• fix: do not strip falsey values from authorization params #2526 (frederikprijck)

v4.15.0

v4.15.0

Added

• feat: MFA APIs #2502 (tusharpandey13)
• feat: Base MFA support #2480 (tusharpandey13)
• Add TTL to /auth/access-token and optional full client response #2505 (nandan-bhat)

v4.14.1

Fixed

• fix: do not throw ERR_JWE_DECRYPTION_FAILED, but catch it and ignore the cookie. #2487 (frederikprijck)
• fix: avoid headers.append error when using getAccessToken with refresh in Next.js 16 proxy #2495 (nandan-bhat)
• fix: removed un-intended class/type exports from the SDK #2475 (nandan-bhat)