FusionAuth

DEVOPS
Velocity 5.0

Developer-focused authentication, authorization, and user management platform available self-hosted or cloud-hosted

FusionAuth is in security-hardening mode, tightening API-key and OAuth boundaries

Tags: identity, authentication, oauth, security-hardening, breaking-changes, standards
Current state
FusionAuth's recent releases center on security hardening and standards support: OAuth resource scoping (RFC 8707), and a series of breaking changes that lock down API-key scope on webhook and installation-wide endpoints. Interspersed are routine point releases and bug fixes; the two most recent tags captured only boilerplate upgrade text, not substantive notes.
Where it's heading
The throughline is shrinking the blast radius of credentials — tenant-scoped keys can no longer reach installation-wide operations, and webhook endpoints now demand global keys. FusionAuth is prioritizing correctness and standards compliance over headline features, consistent with an identity vendor managing trust.
Prediction
Expect continued standards adoption (OAuth/OIDC RFCs) and further API-key scoping refinements; the cadence suggests steady point releases rather than a large feature launch.

Recent moves

  1. 3d ago

    Version 1.68.0 (Intelligent Kamfa)

    The 1.68.0 release; the crawled entry captured only the standard upgrade boilerplate, so no specific changes are visible in the feed. Cadence continues but the substance isn't here.
  2. 25d ago

    Version 1.67.1

    A 1.67.1 patch release; like 1.68.0, only the generic upgrade notice was captured, leaving the actual fixes unstated in the feed.
  3. 1mo ago

    RFC 8707 OAuth resource scoping for tokens

    Adds RFC 8707 resource indicators — applications define valid resource URIs and tokens carry them in the aud claim — plus a userId field in the generic messenger payload. A standards-driven enhancement to the OAuth surface.
  4. 1mo ago

    Webhook endpoints now require global API keys (breaking)

    A breaking change extends earlier key-hardening to webhook endpoints: they now reject tenant-scoped keys and the X-FusionAuth-TenantId header. Part of the ongoing credential-scope tightening.
  5. 2mo ago

    Breaking: IdP linking strategy locked, tenant-key access narrowed

    Two breaking security changes: an enabled identity provider's linking strategy becomes immutable, and tenant-scoped keys lose access to installation-wide endpoints like key generation. Hardening trust boundaries.
  6. 3mo ago

    Fixes password breach detection and a form consent dropdown

    Bug fixes: restores data-breach detection during password changes and addresses a spurious consent dropdown in the Admin UI. Maintenance, not new capability.
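The RFC 8707 entry above describes the mechanism in one sentence: an application registers the resource URIs it may ask for, the authorization server writes the accepted ones into the token's aud claim, and each API then accepts only tokens that name it. The following is an added, self-contained illustration of that flow written for this page; it is not FusionAuth code and does not use FusionAuth's API. The application id, resource URIs, issuer, user id and HS256 signing key are all constructed for the demo, and the token is a hand-built JWT so that nothing beyond the Python standard library is needed.

```python
"""RFC 8707 resource indicators, end to end (constructed example).

Authorization server: reject any `resource` value the application did not
register (RFC 8707 error code invalid_target), then mint a token whose aud
claim lists the accepted resources.

Resource server: verify signature and expiry, then insist that its own
resource URI is present in aud. A token minted for the orders API is
therefore useless against the billing API even though both trust the
same issuer; that is the blast-radius reduction the release note refers to.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by issuer and resource servers (HS256).
# A real deployment would use a managed key and normally an asymmetric
# algorithm so resource servers never hold signing material.
SIGNING_KEY = b"demo-hs256-key-not-for-production"

# Hypothetical per-application registry of valid resource URIs.
# RFC 8707 requires absolute URIs without a fragment component.
APP_RESOURCES = {
    "app-1": [
        "https://api.example.com/orders",
        "https://api.example.com/billing",
    ],
}

ISSUER = "https://auth.example.com"  # constructed issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id: str, requested: list[str], now: int | None = None) -> str:
    """Authorization-server side: validate every requested resource against the
    application's registered list and mint an HS256 JWT carrying them in aud."""
    allowed = APP_RESOURCES.get(app_id, [])
    for resource in requested:
        if resource not in allowed:
            # RFC 8707 names this error: the resource is unknown or not permitted.
            raise ValueError(f"invalid_target: {resource}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": "user-123",          # constructed subject
        "aud": list(requested),     # the accepted resource indicators
        "iat": now,
        "exp": now + 300,
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_for_resource(token: str, my_resource: str, now: int | None = None) -> dict:
    """Resource-server side: check signature, issuer and expiry, then require that
    this server's own resource URI appears in aud. Returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])  # aud may be string or list
    if my_resource not in aud:
        raise ValueError(f"audience mismatch: token not issued for {my_resource}")
    return claims


if __name__ == "__main__":
    tok = issue_token("app-1", ["https://api.example.com/orders"])
    print("orders API accepts:", verify_for_resource(tok, "https://api.example.com/orders")["aud"])
    try:
        verify_for_resource(tok, "https://api.example.com/billing")
    except ValueError as err:
        print("billing API rejects:", err)
```

The point to take from the checks is that the resource server's aud test is what actually narrows the token's reach; signature and expiry validation alone would let the orders token be replayed against billing. The `invalid_target` branch on the issuing side keeps a client from requesting an audience it was never registered for.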