Changelog

Updates, improvements, and fixes - every release documented.

v0.1.8 (Latest)
May 10, 2026

Email Branding & Customisation

Major Features

  • Customise page — developers can now control exactly how auth emails look when their users receive them. Set your app name, choose light or dark theme, pick a button color, and add your logo URL. Changes apply instantly to all new OTP and magic link emails.
  • Live email preview — the dashboard shows a real-time preview of both OTP and magic link emails as you change settings. Switch between email types with one click and see exactly what your users will receive.
  • Send test email — two buttons let developers send a real test OTP or magic link email to their own inbox using the current settings. No guessing what it looks like in a real email client.
  • White-label support — free plan includes a 'Powered by threshold1' footer link. Paid plans remove it entirely. Emails look like they come from your app, not threshold1.

Improvements

  • Email subject lines now use the project app name — 'Your Innerpaige verification code' instead of 'Your threshold1 verification code'.
  • Email from display name shows the app name — users see who is contacting them.
  • Theme-aware email templates — light and dark variants with correct contrast for all text, buttons, and code blocks.

v0.1.7
May 10, 2026

Sentry Error Monitoring

Major Features

  • Sentry integrated across all three Next.js runtimes — client, server, and edge. Every unhandled error in production is now captured with full stack trace, request context, and environment.

Improvements

  • Error monitoring is production-only — no noise during local development.
  • Trace sampling set to 10% to keep performance overhead minimal.
  • Source maps disabled in production builds — stack traces are readable without exposing source code.

v0.1.6
May 10, 2026

Identity Bridge & Passkey Lifecycle

Major Features

  • External User ID support — developers can now pass their own user IDs (externalUserId) when registering or logging in. threshold1 acts as the passkey layer on top of the developer's existing identity system. onAfterAuth now returns the developer's own user ID so no mapping table is needed.
  • Passkey enrollment for existing users — auth.addPasskey() lets already-authenticated users add a passkey to their account without going through the full register flow. Works after OTP or magic link login.
  • Passkey management — auth.listPasskeys() returns all registered devices for the current user. auth.removePasskey(credentialId) removes a specific device. Users can now manage their passkeys from within your app.
  • Passkey-first login with no email — auth.login() with no arguments triggers a discoverable credential flow. The browser shows a passkey picker without asking for email upfront. If the user cancels or has no passkey, the error is thrown for the developer to handle.
  • Last passkey protection — the system blocks deletion of the last passkey when the user has no email recovery method, preventing permanent account lockout.

Improvements

  • identity_source column added to users table — threshold1 (managed by us) vs external (developer-managed). Makes debugging and analytics cleaner.
  • Email uniqueness now partial — only enforced for threshold1-managed users. External-identity users can share emails across accounts without conflict.
  • Admin passkey revoke — dashboard users page now shows all registered passkeys per user with a revoke button. Admins can remove lost device passkeys without user action.
  • Passkey adoption stats on Overview page — shows what percentage of your project users have at least one passkey registered, with a progress bar.
  • Tenant RP config now correctly resolved for SDK-scoped users via project lookup — enroll flow works correctly on ngrok and custom domains.

v0.1.5
May 8, 2026

Identity Isolation Fix

Major Features

  • SDK users and dashboard users with the same email are now completely separate identities — registering on an SDK app no longer blocks the same email from creating a dashboard account, and vice versa
  • Dashboard auth scope now correctly excludes SDK users by requiring project_id IS NULL on all dashboard user lookups
  • Both directions of isolation verified and tested

Improvements

  • buildDashboardUserFilter updated with project_id IS NULL guard across all auth services (passkey, OTP, magic)

v0.1.4
May 8, 2026

Projects Architecture

Major Features

  • Projects: developers can now create multiple isolated projects under one account — each project has its own API keys, users, sessions, passkeys, auth events, and webhooks
  • Project selector in dashboard header — switch between projects or create new ones without leaving the dashboard
  • Projects page as post-login landing — see all your projects at a glance, click to enter
  • Project settings page — rename or delete projects
  • Full identity isolation — SDK users belong to projects, dashboard users belong to the company account. Same email can exist independently in both

Improvements

  • MAU now counted from auth_events instead of sessions — accurate unique user tracking based on actual login activity
  • Magic link flow fixed — tokens now redirect correctly to developer app via resumeSession()
  • All dashboard pages and API routes are now project-scoped
  • Onboarding redirects to Projects page after company creation

v0.1.3
May 8, 2026

Risk Engine & Security Dashboard

Major Features

  • Risk Engine: Every login attempt is now scored in real time using five signals — new country (+30), new device (+20), recent failures (+25), frequency anomaly (+15), and time of day anomaly (+10). Score determines whether the login is allowed, challenged with step-up OTP, or blocked.
  • Risk Policy: Companies can configure how the risk engine responds - Monitor (flag only, no friction), Challenge (step-up OTP at 31-60, block at 61+), or Block (block at 61+, no challenge).
  • Security Dashboard: New Security section in the dashboard shows all flagged auth events with risk score, triggered signals, action taken, IP, country, and device.
  • auth.suspicious_login webhook: Fires automatically when any login scores above 30, with full risk context in the payload.

Improvements

  • Risk score and signals now visible on the Activity page and User Detail auth history
  • Risk Policy settings page with clear outcome tables per score range
  • Risk engine never blocks auth flow on failure — always defaults to allow on error
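
The scoring, policy and fail-open rules from this release, written out as an added example (not threshold1's own code). All function and field names are hypothetical, and treating scores of 31-60 under the Block policy as flagged but allowed is an assumption drawn from "no challenge".

```javascript
// Added example; weights and thresholds are from the v0.1.3 notes above.
// All identifiers are hypothetical, not threshold1's SDK or API.
const SIGNAL_WEIGHTS = {
  new_country: 30,
  new_device: 20,
  recent_failures: 25,
  frequency_anomaly: 15,
  time_of_day_anomaly: 10,
};

// Sum the weight of each distinct signal that fired (maximum 100).
// Unknown names throw so that a typo cannot silently lower a score.
function scoreLogin(signals) {
  let total = 0;
  for (const name of new Set(signals)) {
    if (!Object.hasOwn(SIGNAL_WEIGHTS, name)) {
      throw new Error(`unknown signal: ${name}`);
    }
    total += SIGNAL_WEIGHTS[name];
  }
  return total;
}

// Map a score to an action under one of the three policies.
function decide(score, policy) {
  if (!["monitor", "challenge", "block"].includes(policy)) {
    throw new Error(`unknown policy: ${policy}`);
  }
  const flagged = score > 30; // same threshold as auth.suspicious_login
  let action = "allow"; // monitor: flag only, no friction
  if (score >= 61 && policy !== "monitor") action = "block";
  else if (score >= 31 && policy === "challenge") action = "challenge";
  return { score, action, flagged };
}

// Fail open: any error while collecting or scoring signals allows the login.
// The error is returned so the caller can log and alert on it.
function evaluateLogin(collectSignals, policy) {
  try {
    return decide(scoreLogin(collectSignals()), policy);
  } catch (err) {
    return { score: null, action: "allow", flagged: false, error: err.message };
  }
}
```

Because errors resolve to allow, a mistyped policy name or a failing signal source turns scoring off with no visible friction. The returned error field is what monitoring has to watch.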

v0.1.2
May 7, 2026

User Activity & Visibility

Major Features

  • Users Page: Full list of all end users authenticated through your integration — email, registered date, last login, total logins, and last method used. Searchable and paginated.
  • User Detail: Click any user to see their full profile, active sessions with per-session revoke, and complete auth event history.
  • Activity Page: Global feed of every auth event across your integration — method, result, IP, country, device. Filterable by period, method, result, and event type.
  • Auth Events Infrastructure: Every auth attempt now captured with IP address, country, device hint, method, and success/failure.

Improvements

  • Session revoke from dashboard — revoke individual sessions or all sessions for a user
  • Activity and User Detail pages show risk scores once Risk Engine is active

v0.1.1
May 4, 2026

Security Hardening & SDK 0.1.14

Major Features

  • Security audit complete — score raised from 3/10 to 8/10
  • SDK 0.1.14: Fixed onAfterAuth double-fire in passkeyNotFound flow. Added sendOtp() and verifyOtp() as separate methods for custom OTP UI — no more window.prompt().
  • Dual Domain Passkey RP: Each company sets a Production Domain and a Test Domain. rpId is automatically chosen based on request origin — no mode selector needed.
  • Per-company user isolation: Same email address creates completely separate users across different companies. Dashboard users and SDK users are fully isolated.

Improvements

  • JWT_SECRET throws at startup if not set — no insecure defaults
  • Session tokens stored as SHA-256 hashes — raw JWT never in database
  • API keys: SHA-256 hash + prefix, crypto.timingSafeEqual for comparison
  • OTP and magic tokens hashed in DB
  • SSRF protection on webhook URLs — blocks private IPs, redirect chains
  • Upstash Redis rate limiting — replaces in-memory, works across serverless
  • IP-based rate limiting: 10 req/min on public auth routes
  • Per-email rate limiting: 5 OTP/magic sends per 10 minutes
  • MAU tracking fixed — company_id now correctly written on every session

v0.1.0
April 30, 2026

Public Beta

Major Features

  • Passkey authentication via WebAuthn — biometric login with automatic browser support detection
  • Automatic fallback chain: passkey → OTP → magic link — one call handles everything
  • Magic link with resumeSession() — no callback page needed, token cleaned from URL automatically
  • ROR (Related Origin Requests) support via well-known WebAuthn endpoint — cross-domain passkeys
  • onAfterAuth hook — fires after every successful auth with user profile and method used
  • passkeyNotFound config — control what happens when a user has no passkey: fallback, register, or register-strict
  • SDK default baseUrl points to production — zero configuration needed beyond an API key

Improvements

  • SEO metadata and OG images on all marketing pages
  • SDK error messages improved for unauthenticated state
  • CORS configured for all /api/v1/* routes
  • Console logs and test routes removed from production

v0.0.3
April 1, 2026

Billing, Fallback & SDK 0.1.1

Major Features

  • Razorpay billing complete — subscriptions, plan upgrades, MAU-based limits enforced
  • SDK 0.1.1: Full fallback orchestration — register and login both fall through passkey → magic → OTP automatically
  • MAU states — near limit warnings, exceeded states, and restricted access across all dashboard pages

Improvements

  • Legal pages added — Privacy Policy, Terms of Service, Cookie Policy, Refund Policy
  • API Keys UX — dynamic limits, copy buttons, upgrade modal
  • Magic link and OTP email sending via Resend fully wired

v0.0.2
March 27, 2026

Dashboard & Auth Complete

Major Features

  • Dashboard fully wired to real data — Overview, API Keys, Webhooks, Usage, Billing, Authentication, Account pages all live
  • Full auth flow working — passkey, OTP, and magic link all functional for dashboard login
  • Webhook delivery infrastructure — register endpoints, view delivery history, manual retry
  • Onboarding flow — company creation, API key generation on signup

Improvements

  • RLS issues resolved — supabaseAdmin used for all server-side queries
  • Auth context wired — user and company data available across all dashboard pages
  • API key architecture — hashed keys, plan fields, MAU tracking table

v0.0.1
March 10, 2026

Initial Build

Major Features

  • SDK foundation — passkey registration and login via WebAuthn, magic link flow, OTP flow
  • Fallback orchestration — ordered auth fallback with dynamic logging
  • Dashboard UI built — all pages designed and functional
  • Backend infrastructure — Supabase Postgres, Next.js App Router, Vercel deployment