FusionAuth
Developer-focused authentication, authorization, and user management platform available self-hosted or cloud-hosted
FusionAuth is in security-hardening mode, tightening API-key and OAuth boundaries
Recent moves
- 3d ago
Version 1.68.0 (Intelligent Kamfa)
The 1.68.0 release; the crawled entry captured only the standard upgrade boilerplate, so no specific changes are visible in the feed. Cadence continues but the substance isn't here.
- 25d ago
Version 1.67.1
A 1.67.1 patch release; like 1.68.0, only the generic upgrade notice was captured, leaving the actual fixes unstated in the feed.
- 1mo ago
RFC 8707 OAuth resource scoping for tokens
Adds RFC 8707 resource indicators — applications define valid resource URIs and tokens carry them in the aud claim — plus a userId field in the generic messenger payload. A standards-driven enhancement to the OAuth surface.
- 1mo ago
Webhook endpoints now require global API keys (breaking)
A breaking change extends earlier key-hardening to webhook endpoints: they now reject tenant-scoped keys and the X-FusionAuth-TenantId header. Part of the ongoing credential-scope tightening.
- 2mo ago
Breaking: IdP linking strategy locked, tenant-key access narrowed
Two breaking security changes: an enabled identity provider's linking strategy becomes immutable, and tenant-scoped keys lose access to installation-wide endpoints like key generation. Hardening trust boundaries.
- 3mo ago
Fixes password breach detection and a form consent dropdown
Bug fixes: restores data-breach detection during password changes and addresses a spurious consent dropdown in the Admin UI. Maintenance, not new capability.