Releases
Explore the latest updates, features, and improvements to Thunder.
v0.22.0
📅 Published on February 13, 2026 • View on GitHub ↗
⚠️ Breaking Changes
- Update auth assertion callback URL
- Add support for configuring separate attributes for OIDC userinfo
- Introduce a new
/designAPI to replace/brandingAPI
✨ Improvements
- Add MCP authorization
- Disable registration flow in Develop App
- Reorganize JWT/JWE into JOSE package structure
- Added copilot instructions for documentation and vale rules for style checks
- Update Passkey Authentication Atomic APIs
- Add Passkey as an authentication option and dynamically construct the authentication flow graphs at Application Creation
- Add user info config view to application edit
- Add claims locales parameter support in authorize request
- Group service context propagation and transection usage
- Implement Organization Unit Tree UI
- Remove Session Cleanup of WebAuthn Session Data Table
- Add claims support to OIDC discovery
- Add offset limit support to composite store
- Added a style guide for human authors and improved agent instructions
- Make appId, idpId, senderId available for flow context
- Improve handling credential inputs in authentication flows
- Cert service context propagation and transection usage
- Add declarative resource support for themes and layouts
- Refactor MCP package
- Add support to store a Logo URL & Design Preferences (Theme / Layout) per OU
- Introduce a
Releasespage in Thunder documentation
🐛 Bug Fixes
- Stop browsers from caching
index.htmlfiles - Fix incorrect registration flow inference for passkey on-the-fly registration flows
- Add openid scope validation for userinfo endpoint
- Fix on the fly passkey registration ending up in infinite loops because of unnecessary onFailure options.
- Fix unique attribute conflict with same user when updating
- Fix child OU save bug
- Add foreign key pragma configs for sqlite
- Add registration graph for default-basic-passkey-flow
v0.21.0
📅 Published on February 6, 2026 • View on GitHub ↗
⚠️ Breaking Changes
- Rename application root level token config to
assertion
🚀 Features
- Implement JWE service
- Username-less passkey authentication
✨ Improvements
- Add unit tests for thunder-gate app
- refactor: migrate from UUIDv4 to UUIDv7 across all resources
- Add
required_attributessupport for OAuth and auth assertion executor - Unify passkey authentication and registration flow graph handles
- Role service context propagation and transection usage
- Generate separate key pair for digital signatures
- Introduce
claimssupport for OAuth flows
🐛 Bug Fixes
- Fix
runcommand issues on Windows Platforms - Add an option to copy the client secret of confidential apps
v0.20.0
📅 Published on January 30, 2026 • View on GitHub ↗
⚠️ Breaking Changes
- Rename from immutable resources to declarative resources
- Improve Passkey Authentication by Enabling Attribute-Based User Identification
- Improve default attributes handling in flows and oauth
🚀 Features
- Add passkey support for the React Vanilla Sample App
- Introduce Thunder Documentation
- Implement OU management UI
✨ Improvements
- Add passkey template and components to the login flow builder
- Onboard i18n support to flow builder UI components and improve test coverage in thunder-develop app
- Add step-up auth via SMS OTP to react-api-based-sample
- Bump SDK version for react-sdk-sample app
- Improve UI support for passkey executor in react-vanilla-sample app
- Bump to @asgardeo/react v0.9.2 with auto-login after signup support
- Add passkey registration for login flow templates and improvements to flow-builder UI
- Optimize user store calls in BasicAuth and SMSAuth executors
- Refactor user service to use transactions
- Add shared testing utilities for Thunder applications
- Improve prompt nodes to auto select single actions
- Support k8s secrets for db passwords
🐛 Bug Fixes
- Fix bootstrap scripts to fetch OUs by handle instead of picking first from list
- Fix auto-login after self-registration
- Add leeway for time claims in token validation
- Fix the ID Token Validation issues due to invalid Issuer configured in the SDK
v0.19.0
📅 Published on January 23, 2026 • View on GitHub ↗
🚀 Features
- Introduce initial MCP setup with application and flow tools
- Add admin-initiated user registration flow support
- Onboard application editing capabilities
- Introduce User Invite feature
- Add passkey executor support for flow execution
✨ Improvements
- Add react-api-based-sample app to the release artifacts
- Allow defining meta for TASK_EXECUTION nodes
- Bump golang.org/x/crypto from 0.44.0 to 0.45.0 in /backend by @dependabot[bot] in https://github.com/asgardeo/thunder/pull/1108
- Remove i18n keys from default flows
- Add i18n resolution support for the flow builder UI
- Add React SDK integration MCP tool
- Improve templated defaults in application MCP tools
- Improve thunder develop test coverage
- Update invite link for onboarding flow
- Change Internal Webauthn Wrapper Variables to Package Private and Replace Custom Mocks with Mockery
- Update default invite flow
- Update JWKS service to retrieve all certificates
🐛 Bug Fixes
- Fix setup.sh to run with bash
- Fix UserTypeResolver to return meta for the SDK UI rendering
- Fix SMS OTP executor to prompt mobile during registration
- Fix user schema export
v0.18.0
📅 Published on January 16, 2026 • View on GitHub ↗
⚠️ Breaking Changes
- Introduce prompts to prompt nodes and improve input handling
🚀 Features
- Add Atomic API based Passkey Registration and Authentication Support
- Add transaction management infrastructure
✨ Improvements
- Modify prompt nodes to use prompts and improve input handling
- Improve server started log to indicate the startup time
- Refactor crypto services
- Move to
Thunderbranding - Add Atomic API react sample app to thunder
🐛 Bug Fixes
- Fix i18n message overriding precedence
v0.17.0
📅 Published on January 9, 2026 • View on GitHub ↗
⚠️ Breaking Changes
- Rename flow graph id to flow id
- Add config to change min TLS version
- Refactor: change credential storage from array to Map
🚀 Features
- Support multiple algorithms for JWT signing
✨ Improvements
- Update flow docs
- Integrate the thunder-logger
- Add immutable config support for I18n
- Update obtain Admin token documentation
- Improve logic in flow-builder UI and remove SCSS styling
- Introduce unit tests to the flow-builder
- Improve test coverage in develop app
- Bump golang.org/x/net from 0.19.0 to 0.38.0 in /backend by @dependabot[bot] in https://github.com/asgardeo/thunder/pull/1050
- Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /backend by @dependabot[bot] in https://github.com/asgardeo/thunder/pull/1051
- Update dockerfile UID&GID to 10001
🐛 Bug Fixes
- Remove outdated config from helm deployment yaml
- Fix duplicate SMS OTP issue in the assurance authenticator list
- Fix wildcard export for user-schemas and ou
v0.16.0
📅 Published on December 24, 2025 • View on GitHub ↗
⚠️ Breaking Changes
- Improve flow definitions and execution API request/responses
- Define a generic START node for all flows
- Add dedicated start/end nodes and remove inferred executors
- Integrate role permission with resource definition
- Remove legacy flow mgt and migrate default flow definitions
- Change Immutable resource directory
- Introduce an executor
modeto allow two path execution
🚀 Features
- Implement login flow builder UI
- Add the new flow management implementation
- Add initial i18n framework
✨ Improvements
- Add meta to flow definitions and introduce verbose flag
- Refactor immutable resources code
- Allow basic auth executor to be used with any attribute
- Add layout information to the flow definition
- Introduce immutable handle to the flow management service
- Address Windows PowerShell Compatibility issues
- Introduce token issuance observability and refactor authentication events
- Add immutable config support for OU
- Use
componentmetadata fromFlowsAPI in Thunder Gate - Composite store support for OU
- Reading deployment secrets from environment variables and file objects
- Add immutable resource support to flow graphs
- Allow provisioning executor to perform group and role assignment
- UX improvements to flow-builder UI
- Update flow UI definitions
- Add default prefix to bootstrap flow definitions
- Fix issues in flow export function
- Integrate Branding API in Gate
- Update validation notification styling
- Update notification-senders options
- Add autolayout for flows without positioning data
- Add comprehensive guide for observability with analytics dashboard
- Add support for showing React SDK integration guides
- Add glob-pattern-based public path matching
- Improve layout of the flow builder
- Update default flow input types
🐛 Bug Fixes
- Update branding resolve API CORS
- Fix vanilla sample application
- Fix system token generation in readme to match flow execution changes
- Remove auth_flow_graph_id for the Client Credential App
v0.15.0
📅 Published on December 13, 2025 • View on GitHub ↗
✨ Improvements
- Move AuthenticationContext from context to security
- Buffer encode HTTP responses before sending headers
- Add
application_templateto application api - Remove OAuth jargon from Application Onboarding
- Add dynamic token issuer resolution
- Derive permission for Resources and Actions
- Add refresh token expiry time config
- Add fsGroup and runAsGroup support
🐛 Bug Fixes
- Fix db type issue and add Query method to Tx
v0.14.0
📅 Published on December 5, 2025 • View on GitHub ↗
⚠️ Breaking Changes
- Add multi deployment support for data layer
- Improvement to the observability package
- Remove support for scripts in bootstrap/custom
- Update public url and add support to override app configs using helm
- Add PKCE validation for public clients
- Add support for indexed user attributes
- Improve IDP property/ error handling in auth services
- Support password hashing with customizable params
🚀 Features
- Add Resource API definition and Implementation
✨ Improvements
- Add WriteSuccessResponse/WriteErrorResponse helpers
- Support reading port from deployment.yaml in build script
- Add persistence layer for Sqlite databases
- Add http server support for helm chart
- Bump react, @wso2/oxygen-ui and @asgardeo/react versions to latest
- Remove depricated nginx annotations
- Add branding resolve implementation
- Update ingress and bootstrap configurations
- Support immutable configuraitons for Identity Providers
- Add authorization request store
- Uses spans and traces properly with OpenTelemetry
- Bump SDKs
- Add config for auth code expiry time
- Improve IDP property validations/ handling default properties
- Add immutable config support for notification senders and user schemas
- Comprehensive cleanup to use WriteSuccessResponse and WriteErrorResponse
v0.13.0
📅 Published on November 28, 2025 • View on GitHub ↗
⚠️ Breaking Changes
- Introduce datasource for user data
🚀 Features
- Add support to exchange auth assertions to access tokens
- Add support for basic conditional node execution
- Introduce user self service API
✨ Improvements
- Move the immutable resources configs to default.json
- Refactor idp/ cert packages
- Improve application onboarding flow in Develop app
- Allow provisioning email address for federated users
- Add React SDK based application to samples
- [Develop] Enable username/password login by default
- Add OAuth settings to application onboarding
- Bump @asgardeo/react version to 0.6.8
- Improve global styling + bump oxygen-ui version
- Add support for user provisioning in external IDP OAuth/OIDC authentication flows
- Remove intermediate error message during the social login redirect
- Remove array and object type property tests from CreateUserTypePage
- Remove sign-up link from sign-in page if self-registration is disabled
- Fix divider rendering in gate app
- Improve existing user validations for the federated auth executors
- Bump @asgardeo/react to version 0.6.10
- Add react-sdk sample to release pipeline
- Add common config to indicate gate app path
- Bump @asgardeo/react to version 0.6.11
- Improve client configs in bootstrap scripts
- Add proper display names to org creation page by updating to @asgardeo/react to version 0.6.12
- Remove ou description from the ou executor default inputs
🐛 Bug Fixes
- Fix Error while decrypting IDP properties
- Change Issuer as Refresh Token audience
- Fix SQLite Database Locking Issues Under Concurrent Load
- Template http_only server config in helm charts
- Fix Develop app menu overflow
v0.12.0
📅 Published on November 17, 2025 • View on GitHub ↗
⚠️ Breaking Changes
- Use
idpIdin flow graphs instead ofidpName - [Refactoring 1] Improve flow engine and executors
- Securing Thunder APIs
- Improve application token resolve logic
- Improve the Thunder bootstrap experience
- Improve user schema to indicate which ou these users are getting created and whether they support self registration
- Change
Gateapp base path (/signin->/gate) & AddSignUpsupport - Add user type resolver to dynamically resolve userType and ouId in registration flows
- Enforce validation of the ou id of the users
🚀 Features
- Add http request executor
- Introduce branding support for applications
- Introduce Application Onboarding & Listing
- Add OIDC userinfo endpoint support
✨ Improvements
- UX improvements to the user creation flow
- Refactor authentication services to use di pattern
- Add i18n UI package to handle translations in apps
- Refactor message notification package
- Add collapsible sidebar for thunder-develop app
- Refactor OAuth and introduce token service
- Improve apps visual appearance
- Add OpenChoreo deployment artifacts
- [Refactoring 2] Improve flow services and executors
- Refactor crypto package and add sign verify methods
- Automate thunder helm chart release
- Add OAuth client authentication middleware
- Refactor API hooks in thunder-develop app to use Asgardeo's HTTP client
- Allow storing flexible node properties
- Add applicationld in the gate app redirection
- Update sidepanel styling and icons with test coverage improvements
- Add allowed user types to application
- Add ou details to the auth assertion
- Remove local ui packages and point to oxygen-ui
- Expose
logo_urlfrom Application Listing API - Update healthcheck path for security check
- Add immutable config export support for applications
- Improvement to start and setup scripts
- Introduce service method to get user schema by name
- Enforce OU validation in the user schema
- Add error path as public
- Enhance
Gateapp'sSignUpcomponent to supportSELECTinputs - Improve user-schema UIs to include OU ID & allowSelfRegistration details
- Handle make run to setup thunder properly and fix middleware execution order
- Add userType and ou details to the oauth tokens
- Disable application view button
- Refactor db provider to have dedicated db client methods
- Improve user type UIs to indicate OU name instead of OU ID
- Improve docs to include token header in the system API calls
- Improve apps UI styling
- Improve ou handle validation to restrict forward slash
- FIx some UI sizing issues
🐛 Bug Fixes
- Fix incorrect
passwordfield type in Gate App - Fix setup scripts to include ou in user schema creation
- Fix redirect based login in the sample app
- Fix create user ui to include correct ou
- Improve setup process to create resources required to the Quickstart guide
v0.11.0
📅 Published on November 3, 2025 • View on GitHub ↗
⚠️ Breaking Changes
- Update token endpoint auth method
- Initiate login flow from oauth before redirecting to gate
- Make user schema validation mandatory
🚀 Features
- Onboard React based
Gate&Developsecured with@asgardeo/reactSDK - Implement user managment UI in thunder-develop application
- Add support for generating auth assurance levels
- Introduce DCR support
- Modify auth executors to generate and add auth assurance
- Add OAuth/OIDC discovery endpoints
- Add immutable configuration support for Applications
- Add ou creation executor and improve the provisioning flow
- Role management implementation
- Add token exchange support
- Add initial observability component
✨ Improvements
- Refactor DI pattern of oauth package
- Refactor crypto and hash packages
- Role API definition
- Add OAuth resource indicator support
- Refactor cert configuration initialization
- Add user type and ou to the flow assertion
- Refactor system cert service usage
- Remove application service provider
- RBAC support for flow engine and auth code flow
- Improve UI theming by onboarding oxygen-ui dependency
🐛 Bug Fixes
- Fix PostgreSQL query issues
- Update default container image tag
- Add certificate for JWT in HTTP mode
- Fix google login with flow execution
- Fix limit param validation in user schema listing
- Update user api spec to reflect latest changes
v0.10.0
📅 Published on October 18, 2025 • View on GitHub ↗
v0.9.0
📅 Published on October 7, 2025 • View on GitHub ↗
v0.8.0
📅 Published on September 23, 2025 • View on GitHub ↗
v0.7.0
📅 Published on September 10, 2025 • View on GitHub ↗
v0.6.0
📅 Published on August 15, 2025 • View on GitHub ↗
v0.5.0
📅 Published on July 28, 2025 • View on GitHub ↗
v0.4.0
📅 Published on July 22, 2025 • View on GitHub ↗
v0.3.0
📅 Published on July 4, 2025 • View on GitHub ↗
v0.2.0
📅 Published on June 24, 2025 • View on GitHub ↗
v0.1.0
📅 Published on June 2, 2025 • View on GitHub ↗
v0.0.1
📅 Published on May 26, 2025 • View on GitHub ↗
🚀 Features
- Note:* The credentials can be configured in the
repository/conf/deployment.yamlfile under theuser_storesection.