Added

• feat: allow-list auth0-client header for forwarding #2668 (tusharpandey13)
• feat(passwordless): passwordless example #2634 (Piyush-85)
• feat(passwordless): add client-side passwordless module #2633 (Piyush-85)
• feat(passwordless): Add Next.js route handlers for passwordless flows #2608 (Piyush-85)
• feat(passwordless): add passwordlessStart and passwordlessVerify to AuthClient #2607 (Piyush-85)
• feat(passwordless): add error classes and types for passwordless authentication #2606 (Piyush-85)
• feat(passwordless): add connection, screen_hint, login_hint to AuthorizationParameters #2605 (Piyush-85)

Fixed

• fix(cookies): include Secure/SameSite/HttpOnly on deletion Set-Cookie… #2651 (Piyush-85)

Added

• feat: support customizing profile and accessToken routes #2451 (eliw00d)

Fixed

• fix: stale session reuse on proxy DPoP nonce retry #2582 (nandan-bhat)
• fix: move NextResponse-dependent buildEnrollOptions to server-only module #2643 (sleitor)
• fix: delete v3 appSession cookie on logout #2552 (gmurphey)
• fix: respect allowInsecureRequests option in AuthClientProvider domain validation #2630 (sleitor)

v4.19.0 (2026-04-22)

Added

• feat: add mfa.stepUpWithPopup() for reactive MFA step-up via Universal Login #2524 (tusharpandey13)

Fixed

• fix: MFA http contract parity fixes #2555 (tusharpandey13)
• fix: skip MCD session backfill in static mode #2618 (tusharpandey13)

Added

• Reapply feat: add optional update() to SessionDataStore (#2590) #2616 (Piyush-85)

Fixed

• fix: DPoP nonce retry race issue #2580 (nandan-bhat)

Fixed

• fix: defer AuthClientProvider construction when AUTH0_DOMAIN not set at build time #2604 (sleitor)
• fix: Next.js edge runtime build error for crypto module #2564 (Piyush-85)

Release v4.17.0 (minor release)

Added

• feat: MCD (Multiple Custom Domains) Support #2545 (tusharpandey13)

Fixed

• fix: prevent rolling session from re-creating a deleted session on concurrent logout #2530 (sleitor)

Fixed

• fix: Middleware should not throw ERR_JWE_INVALID #2546 (crob)
• fix: preserve error details from HTTP 5xx OAuth responses #2533 (sleitor)

Security

• chore(deps): update eslint to fix flatted vulnerability #2575 (Piyush-85)

Documentation

• docs: clarify getAccessToken req/res usage in Route Handlers with custom cookies #2577 (Piyush-85)

Fixed

• fix: make withPageAuthRequired generic to support PageProps/LayoutProps types #2529 (sleitor)
• fix: enable full generic type inference for withPageAuthRequired to correctly propagate PageProps and LayoutProps #2550 (Piyush-85)

Added

• feat: added tokenRefreshBuffer for early access‑token refreshes #2508 (nandan-bhat)
• feat: support allow list for dynamic APP_BASE_URL configuration #2538 (frederikprijck)
• feat: Add dynamic app base URL handling #2528 (nandan-bhat)

Fixed

• fix: do not strip falsey values from authorization params #2526 (frederikprijck)

v4.15.0

Added

• feat: MFA APIs #2502 (tusharpandey13)
• feat: Base MFA support #2480 (tusharpandey13)
• Add TTL to /auth/access-token and optional full client response #2505 (nandan-bhat)