Releases

Explore the latest updates, features, and improvements to Thunder.


v0.22.0

📅 Published on February 13, 2026

Contributors
thiva-k, ThaminduDilshan, brionmario, KaveeshaPiumini, himeshsiriwardana, JeethJJ, DonOmalVindula, rajithacharith, LinukaAr, ThumulaPerera
New Contributors
LinukaAr

⚠️ Breaking Changes

  • Update auth assertion callback URL
  • Add support for configuring separate attributes for OIDC userinfo
  • Introduce a new /design API to replace /branding API

✨ Improvements

  • Add MCP authorization
  • Disable registration flow in Develop App
  • Reorganize JWT/JWE into JOSE package structure
  • Added copilot instructions for documentation and vale rules for style checks
  • Update Passkey Authentication Atomic APIs
  • Add Passkey as an authentication option and dynamically construct the authentication flow graphs at Application Creation
  • Add user info config view to application edit
  • Add claims locales parameter support in authorize request
  • Group service context propagation and transaction usage
  • Implement Organization Unit Tree UI
  • Remove Session Cleanup of WebAuthn Session Data Table
  • Add claims support to OIDC discovery
  • Add offset limit support to composite store
  • Added a style guide for human authors and improved agent instructions
  • Make appId, idpId, senderId available for flow context
  • Improve handling credential inputs in authentication flows
  • Cert service context propagation and transaction usage
  • Add declarative resource support for themes and layouts
  • Refactor MCP package
  • Add support to store a Logo URL & Design Preferences (Theme / Layout) per OU
  • Introduce a Releases page in Thunder documentation

🐛 Bug Fixes

  • Stop browsers from caching index.html files
  • Fix incorrect registration flow inference for passkey on-the-fly registration flows
  • Add openid scope validation for userinfo endpoint
  • Fix on the fly passkey registration ending up in infinite loops because of unnecessary onFailure options.
  • Fix unique attribute conflict with same user when updating
  • Fix child OU save bug
  • Add foreign key pragma configs for sqlite
  • Add registration graph for default-basic-passkey-flow

v0.21.0

📅 Published on February 6, 2026

Contributors
ThaminduDilshan, hwupathum, KaveeshaPiumini, DonOmalVindula, priyanshoon, thiva-k, JeethJJ, brionmario
New Contributors
priyanshoon

⚠️ Breaking Changes

  • Rename application root level token config to assertion

🚀 Features

  • Implement JWE service
  • Username-less passkey authentication

✨ Improvements

  • Add unit tests for thunder-gate app
  • refactor: migrate from UUIDv4 to UUIDv7 across all resources
  • Add required_attributes support for OAuth and auth assertion executor
  • Unify passkey authentication and registration flow graph handles
  • Role service context propagation and transaction usage
  • Generate separate key pair for digital signatures
  • Introduce claims support for OAuth flows

🐛 Bug Fixes

  • Fix run command issues on Windows Platforms
  • Add an option to copy the client secret of confidential apps

v0.20.0

📅 Published on January 30, 2026

Contributors
rajithacharith, KaveeshaPiumini, thiva-k, brionmario, DonOmalVindula, JeethJJ, ThaminduDilshan

⚠️ Breaking Changes

  • Rename from immutable resources to declarative resources
  • Improve Passkey Authentication by Enabling Attribute-Based User Identification
  • Improve default attributes handling in flows and oauth

🚀 Features

  • Add passkey support for the React Vanilla Sample App
  • Introduce Thunder Documentation
  • Implement OU management UI

✨ Improvements

  • Add passkey template and components to the login flow builder
  • Onboard i18n support to flow builder UI components and improve test coverage in thunder-develop app
  • Add step-up auth via SMS OTP to react-api-based-sample
  • Bump SDK version for react-sdk-sample app
  • Improve UI support for passkey executor in react-vanilla-sample app
  • Bump to @asgardeo/react v0.9.2 with auto-login after signup support
  • Add passkey registration for login flow templates and improvements to flow-builder UI
  • Optimize user store calls in BasicAuth and SMSAuth executors
  • Refactor user service to use transactions
  • Add shared testing utilities for Thunder applications
  • Improve prompt nodes to auto select single actions
  • Support k8s secrets for db passwords

🐛 Bug Fixes

  • Fix bootstrap scripts to fetch OUs by handle instead of picking first from list
  • Fix auto-login after self-registration
  • Add leeway for time claims in token validation
  • Fix the ID Token Validation issues due to invalid Issuer configured in the SDK

v0.19.0

📅 Published on January 23, 2026

Contributors
thiva-k, brionmario, KaveeshaPiumini, DonOmalVindula, ThaminduDilshan, hwupathum, darshanasbg, rajithacharith

🚀 Features

  • Introduce initial MCP setup with application and flow tools
  • Add admin-initiated user registration flow support
  • Onboard application editing capabilities
  • Introduce User Invite feature
  • Add passkey executor support for flow execution

✨ Improvements

  • Add react-api-based-sample app to the release artifacts
  • Allow defining meta for TASK_EXECUTION nodes
  • Bump golang.org/x/crypto from 0.44.0 to 0.45.0 in /backend by @dependabot[bot] in https://github.com/asgardeo/thunder/pull/1108
  • Remove i18n keys from default flows
  • Add i18n resolution support for the flow builder UI
  • Add React SDK integration MCP tool
  • Improve templated defaults in application MCP tools
  • Improve thunder develop test coverage
  • Update invite link for onboarding flow
  • Change Internal Webauthn Wrapper Variables to Package Private and Replace Custom Mocks with Mockery
  • Update default invite flow
  • Update JWKS service to retrieve all certificates

🐛 Bug Fixes

  • Fix setup.sh to run with bash
  • Fix UserTypeResolver to return meta for the SDK UI rendering
  • Fix SMS OTP executor to prompt mobile during registration
  • Fix user schema export

v0.18.0

📅 Published on January 16, 2026

Contributors
ThaminduDilshan, KaveeshaPiumini, JeethJJ, darshanasbg, hwupathum, brionmario, DonOmalVindula, ThumulaPerera

⚠️ Breaking Changes

  • Introduce prompts to prompt nodes and improve input handling

🚀 Features

  • Add Atomic API based Passkey Registration and Authentication Support
  • Add transaction management infrastructure

✨ Improvements

  • Modify prompt nodes to use prompts and improve input handling
  • Improve server started log to indicate the startup time
  • Refactor crypto services
  • Move to Thunder branding
  • Add Atomic API react sample app to thunder

🐛 Bug Fixes

  • Fix i18n message overriding precedence

v0.17.0

📅 Published on January 9, 2026

Contributors
ThaminduDilshan, hwupathum, KaveeshaPiumini, brionmario, ThumulaPerera, rajithacharith, DonOmalVindula, senthalan

⚠️ Breaking Changes

  • Rename flow graph id to flow id
  • Add config to change min TLS version
  • Refactor: change credential storage from array to Map

🚀 Features

  • Support multiple algorithms for JWT signing

✨ Improvements

  • Update flow docs
  • Integrate the thunder-logger
  • Add immutable config support for I18n
  • Update obtain Admin token documentation
  • Improve logic in flow-builder UI and remove SCSS styling
  • Introduce unit tests to the flow-builder
  • Improve test coverage in develop app
  • Bump golang.org/x/net from 0.19.0 to 0.38.0 in /backend by @dependabot[bot] in https://github.com/asgardeo/thunder/pull/1050
  • Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /backend by @dependabot[bot] in https://github.com/asgardeo/thunder/pull/1051
  • Update dockerfile UID&GID to 10001

🐛 Bug Fixes

  • Remove outdated config from helm deployment yaml
  • Fix duplicate SMS OTP issue in the assurance authenticator list
  • Fix wildcard export for user-schemas and ou

v0.16.0

📅 Published on December 24, 2025

Contributors
ThaminduDilshan, senthalan, rajithacharith, DonOmalVindula, ThumulaPerera, warnakulasuriya-fds-e23, sahandilshan, brionmario, hwupathum, thiva-k, darshanasbg

⚠️ Breaking Changes

  • Improve flow definitions and execution API request/responses
  • Define a generic START node for all flows
  • Add dedicated start/end nodes and remove inferred executors
  • Integrate role permission with resource definition
  • Remove legacy flow mgt and migrate default flow definitions
  • Change Immutable resource directory
  • Introduce an executor mode to allow two path execution

🚀 Features

  • Implement login flow builder UI
  • Add the new flow management implementation
  • Add initial i18n framework

✨ Improvements

  • Add meta to flow definitions and introduce verbose flag
  • Refactor immutable resources code
  • Allow basic auth executor to be used with any attribute
  • Add layout information to the flow definition
  • Introduce immutable handle to the flow management service
  • Address Windows PowerShell Compatibility issues
  • Introduce token issuance observability and refactor authentication events
  • Add immutable config support for OU
  • Use component metadata from Flows API in Thunder Gate
  • Composite store support for OU
  • Reading deployment secrets from environment variables and file objects
  • Add immutable resource support to flow graphs
  • Allow provisioning executor to perform group and role assignment
  • UX improvements to flow-builder UI
  • Update flow UI definitions
  • Add default prefix to bootstrap flow definitions
  • Fix issues in flow export function
  • Integrate Branding API in Gate
  • Update validation notification styling
  • Update notification-senders options
  • Add autolayout for flows without positioning data
  • Add comprehensive guide for observability with analytics dashboard
  • Add support for showing React SDK integration guides
  • Add glob-pattern-based public path matching
  • Improve layout of the flow builder
  • Update default flow input types

🐛 Bug Fixes

  • Update branding resolve API CORS
  • Fix vanilla sample application
  • Fix system token generation in readme to match flow execution changes
  • Remove auth_flow_graph_id for the Client Credential App

v0.15.0

📅 Published on December 13, 2025

Contributors
senthalan, JeethJJ, thiva-k, brionmario, ayeshajay, ThaminduDilshan

✨ Improvements

  • Move AuthenticationContext from context to security
  • Buffer encode HTTP responses before sending headers
  • Add application_template to application api
  • Remove OAuth jargon from Application Onboarding
  • Add dynamic token issuer resolution
  • Derive permission for Resources and Actions
  • Add refresh token expiry time config
  • Add fsGroup and runAsGroup support

🐛 Bug Fixes

  • Fix db type issue and add Query method to Tx

v0.14.0

📅 Published on December 5, 2025

Contributors
ThumulaPerera, sahandilshan, senthalan, ayeshajay, thiva-k, ThaminduDilshan, hwupathum, JeethJJ, rajithacharith, DonOmalVindula
New Contributors
JeethJJ

⚠️ Breaking Changes

  • Add multi deployment support for data layer
  • Improvement to the observability package
  • Remove support for scripts in bootstrap/custom
  • Update public url and add support to override app configs using helm
  • Add PKCE validation for public clients
  • Add support for indexed user attributes
  • Improve IDP property/ error handling in auth services
  • Support password hashing with customizable params

🚀 Features

  • Add Resource API definition and Implementation

✨ Improvements

  • Add WriteSuccessResponse/WriteErrorResponse helpers
  • Support reading port from deployment.yaml in build script
  • Add persistence layer for Sqlite databases
  • Add http server support for helm chart
  • Bump react, @wso2/oxygen-ui and @asgardeo/react versions to latest
  • Remove deprecated nginx annotations
  • Add branding resolve implementation
  • Update ingress and bootstrap configurations
  • Support immutable configurations for Identity Providers
  • Add authorization request store
  • Uses spans and traces properly with OpenTelemetry
  • Bump SDKs
  • Add config for auth code expiry time
  • Improve IDP property validations/ handling default properties
  • Add immutable config support for notification senders and user schemas
  • Comprehensive cleanup to use WriteSuccessResponse and WriteErrorResponse

v0.13.0

📅 Published on November 28, 2025

Contributors
warnakulasuriya-fds-e23ThaminduDilshanthiva-kdarshanasbgrajithacharithDonOmalVindulajeradrutnamThumimkumevan-karu
New Contributors
warnakulasuriya-fds-e23Thumimkumevan-karu

⚠️ Breaking Changes

  • Introduce datasource for user data

🚀 Features

  • Add support to exchange auth assertions to access tokens
  • Add support for basic conditional node execution
  • Introduce user self service API

✨ Improvements

  • Move the immutable resources configs to default.json
  • Refactor idp/ cert packages
  • Improve application onboarding flow in Develop app
  • Allow provisioning email address for federated users
  • Add React SDK based application to samples
  • [Develop] Enable username/password login by default
  • Add OAuth settings to application onboarding
  • Bump @asgardeo/react version to 0.6.8
  • Improve global styling + bump oxygen-ui version
  • Add support for user provisioning in external IDP OAuth/OIDC authentication flows
  • Remove intermediate error message during the social login redirect
  • Remove array and object type property tests from CreateUserTypePage
  • Remove sign-up link from sign-in page if self-registration is disabled
  • Fix divider rendering in gate app
  • Improve existing user validations for the federated auth executors
  • Bump @asgardeo/react to version 0.6.10
  • Add react-sdk sample to release pipeline
  • Add common config to indicate gate app path
  • Bump @asgardeo/react to version 0.6.11
  • Improve client configs in bootstrap scripts
  • Add proper display names to org creation page by updating to @asgardeo/react to version 0.6.12
  • Remove ou description from the ou executor default inputs

🐛 Bug Fixes

  • Fix Error while decrypting IDP properties
  • Change Issuer as Refresh Token audience
  • Fix SQLite Database Locking Issues Under Concurrent Load
  • Template http_only server config in helm charts
  • Fix Develop app menu overflow

v0.12.0

📅 Published on November 17, 2025

Contributors
ThaminduDilshan, senthalan, thiva-k, darshanasbg, brionmario, DonOmalVindula, sahandilshan, jeradrutnam, ayeshajay, hwupathum, rajithacharith, KaveeshaPiumini
New Contributors
KaveeshaPiumini

⚠️ Breaking Changes

  • Use idpId in flow graphs instead of idpName
  • [Refactoring 1] Improve flow engine and executors
  • Securing Thunder APIs
  • Improve application token resolve logic
  • Improve the Thunder bootstrap experience
  • Improve user schema to indicate which ou these users are getting created and whether they support self registration
  • Change Gate app base path (/signin -> /gate) & Add SignUp support
  • Add user type resolver to dynamically resolve userType and ouId in registration flows
  • Enforce validation of the ou id of the users

🚀 Features

  • Add http request executor
  • Introduce branding support for applications
  • Introduce Application Onboarding & Listing
  • Add OIDC userinfo endpoint support

✨ Improvements

  • UX improvements to the user creation flow
  • Refactor authentication services to use di pattern
  • Add i18n UI package to handle translations in apps
  • Refactor message notification package
  • Add collapsible sidebar for thunder-develop app
  • Refactor OAuth and introduce token service
  • Improve apps visual appearance
  • Add OpenChoreo deployment artifacts
  • [Refactoring 2] Improve flow services and executors
  • Refactor crypto package and add sign verify methods
  • Automate thunder helm chart release
  • Add OAuth client authentication middleware
  • Refactor API hooks in thunder-develop app to use Asgardeo's HTTP client
  • Allow storing flexible node properties
  • Add applicationId in the gate app redirection
  • Update sidepanel styling and icons with test coverage improvements
  • Add allowed user types to application
  • Add ou details to the auth assertion
  • Remove local ui packages and point to oxygen-ui
  • Expose logo_url from Application Listing API
  • Update healthcheck path for security check
  • Add immutable config export support for applications
  • Improvement to start and setup scripts
  • Introduce service method to get user schema by name
  • Enforce OU validation in the user schema
  • Add error path as public
  • Enhance Gate app's SignUp component to support SELECT inputs
  • Improve user-schema UIs to include OU ID & allowSelfRegistration details
  • Handle make run to setup thunder properly and fix middleware execution order
  • Add userType and ou details to the oauth tokens
  • Disable application view button
  • Refactor db provider to have dedicated db client methods
  • Improve user type UIs to indicate OU name instead of OU ID
  • Improve docs to include token header in the system API calls
  • Improve apps UI styling
  • Improve ou handle validation to restrict forward slash
  • Fix some UI sizing issues

🐛 Bug Fixes

  • Fix incorrect password field type in Gate App
  • Fix setup scripts to include ou in user schema creation
  • Fix redirect based login in the sample app
  • Fix create user ui to include correct ou
  • Improve setup process to create resources required to the Quickstart guide

v0.11.0

📅 Published on November 3, 2025

Contributors
thiva-k, senthalan, darshanasbg, brionmario, DonOmalVindula, ThaminduDilshan, rajithacharith, sahandilshan, hwupathum, jeradrutnam, ayeshajay, iff-sal
New Contributors
iff-sal, ayeshajay

⚠️ Breaking Changes

  • Update token endpoint auth method
  • Initiate login flow from oauth before redirecting to gate
  • Make user schema validation mandatory

🚀 Features

  • Onboard React based Gate & Develop secured with @asgardeo/react SDK
  • Implement user management UI in thunder-develop application
  • Add support for generating auth assurance levels
  • Introduce DCR support
  • Modify auth executors to generate and add auth assurance
  • Add OAuth/OIDC discovery endpoints
  • Add immutable configuration support for Applications
  • Add ou creation executor and improve the provisioning flow
  • Role management implementation
  • Add token exchange support
  • Add initial observability component

✨ Improvements

  • Refactor DI pattern of oauth package
  • Refactor crypto and hash packages
  • Role API definition
  • Add OAuth resource indicator support
  • Refactor cert configuration initialization
  • Add user type and ou to the flow assertion
  • Refactor system cert service usage
  • Remove application service provider
  • RBAC support for flow engine and auth code flow
  • Improve UI theming by onboarding oxygen-ui dependency

🐛 Bug Fixes

  • Fix PostgreSQL query issues
  • Update default container image tag
  • Add certificate for JWT in HTTP mode
  • Fix google login with flow execution
  • Fix limit param validation in user schema listing
  • Update user api spec to reflect latest changes

v0.10.0

📅 Published on October 18, 2025

Contributors
ThaminduDilshan, thiva-k, brionmario, rajithacharith, senthalan, darshanasbg, drsamitha, sahandilshan, malinthaprasan
New Contributors
malinthaprasan, drsamitha

v0.9.0

📅 Published on October 7, 2025

Contributors
ThaminduDilshan, thiva-k, hwupathum

v0.8.0

📅 Published on September 23, 2025

Contributors
darshanasbg, thiva-k, JKAUSHALYA, ThaminduDilshan, Lakshan-Banneheke

v0.7.0

📅 Published on September 10, 2025

Contributors
darshanasbg, ThaminduDilshan, Osara-B, Lakshan-Banneheke, thiva-k, PasinduRavimal

v0.6.0

📅 Published on August 15, 2025


v0.5.0

📅 Published on July 28, 2025


v0.4.0

📅 Published on July 22, 2025


v0.3.0

📅 Published on July 4, 2025


v0.2.0

📅 Published on June 24, 2025


v0.1.0

📅 Published on June 2, 2025


v0.0.1

📅 Published on May 26, 2025

🚀 Features

  • Note: The credentials can be configured in the repository/conf/deployment.yaml file under the user_store section.