v3.0.0

3.0.0 (2026-03-25)

⚠ BREAKING CHANGES

• add OAuth state verification on callback to prevent CSRF attacks (#388)

Features

• add OAuth state verification on callback to prevent CSRF attacks (#388) (ebef6e7)
• middleware: add authkitProxy and handleAuthkitProxy aliases for proxy.ts (#384) (4c3f27b)

Bug Fixes

• actions: catch TokenRefreshError in refreshAccessTokenAction to prevent 500s (#383) (5c46c39)
• auth: return signInUrl from server actions to avoid CORS errors (#386) (7d52400)
• harden PKCE/CSRF for v3.0.0 release (#398) (8054829)

v2.17.0

2.17.0 (2026-03-13)

Features

• Automatically pass claim nonce for unclaimed environments (#389) (67dfc92)

v2.16.1

2.16.1 (2026-03-13)

Bug Fixes

• make PKCE opt-in to avoid breaking custom middleware proxies (#392) (9e09fcb)

v2.16.0

2.16.0 (2026-03-11)

Features

• add PKCE support for OAuth 2.1 compliance (#374) (de01c7f)

Bug Fixes

• improve compatibility with non-Next.js environments (#378) (734311a)
• resolve Dependabot security alerts (#380) (519dccf)

v2.15.0

2.15.0 (2026-02-25)

Features

• Add returnTo option to getSignInUrl and getSignUpUrl functions (#375) (fc75708)

v2.14.0

What's Changed

• chore: switch from npm to pnpm by @nicknisi in #360
• docs: add warning about catch-all middleware matcher breaking styles by @nicknisi in #355
• chore: migrate from Jest to Vitest by @nicknisi in #367
• chore: upgrade @workos-inc/node to v8 by @nicknisi in #368
• Add example app as pnpm workspace package by @nicknisi in #370
• v2.14.0 by @nicknisi in #369

Full Changelog: v2.13.0...v2.14.0

v2.13.0

What's Changed

• Add context7.json to repo by @nicknisi in #345
• feat: enable npm Trusted Publishers by @nicknisi in #346
• feat: add TokenRefreshError with userId and sessionId for debugging by @nicknisi in #349
• feat: add composable proxy/middleware helpers by @nicknisi in #348
• fix(tests): move window.location patching and restoration to beforeEach/afterEach by @sundaray in #350
• fix: avoid calling headers() in middleware context by @nicknisi in #354
• fix(test): restore document.querySelector mock in afterEach by @sundaray in #356
• fix(test): restore process.env after each test by @sundaray in #357
• v2.13.0 by @nicknisi in #358

New Contributors

• @sundaray made their first contribution in #350

Full Changelog: v2.12.2...v2.13.0

v2.12.2

What's Changed

• fix: bump Next.js dev dependency to patched version by @nickcollisson-workos in #343
• v2.12.2 by @nicknisi in #344

Full Changelog: v2.12.1...v2.12.2

v2.12.1

What's Changed

• Socket workflow integration by @nickcollisson-workos in #338
• Switch runner to ubuntu-latest for socket action by @nicknisi in #339
• fix: bump Next.js dev dependency to patched version by @nicknisi in #341
• fix: handle full URLs in returnPathname to prevent malformed redirects by @nicknisi in #340
• fix: handle full URLs in returnPathname to prevent malformed redirects by @nicknisi in #342

New Contributors

• @nickcollisson-workos made their first contribution in #338

Full Changelog: v2.12.0...v2.12.1

v2.12.0

What's Changed

• feat: Add initialAuth to AuthkitProvider by @danielr18 in #323

Full Changelog: v2.11.1...v2.12.0