- DATE:
- AUTHOR:
- The Kinde team
- RELATED ROADMAP ITEMS:
- Secure passkey authentication
Passkeys, flexible billing, and more
Sign in with passkeys
You can now offer your users passwordless authentication with passkeys (WebAuthn/FIDO2). Users can register and sign in with passkeys directly from the login screen, manage their credentials in the account portal, and be prompted to set up passkeys after authentication. Admins get full control with environment and per-organization policy settings (off, optional, mandatory), new Management API endpoints for configuration, and passkey.added and passkey.removed webhook events to react to credential lifecycle changes. Learn more about passkeys.
Interval Billing
You can now choose how often a fixed plan charge recurs — daily, weekly, monthly, or yearly — rather than being limited to monthly billing. Set the billing interval directly when creating or editing a fixed charge, and Kinde syncs it through to Stripe automatically. When you pick a daily, weekly, or monthly interval, you can also offer customers an annual pricing option alongside it. This is now generally available to all accounts, with no feature flag required.
FusionAuth import with password hash migration
Customers migrating from FusionAuth can now bring their existing password hashes to Kinde, so users don't need to reset their passwords after migration. Hashes are verified securely on first login.
Identify connections on identity records
When you have multiple enterprise or OIDC connections in the same organization, you can now tell exactly which connection a user authenticated through. We've added a nullable connection_id field to identity objects returned by GET /api/v1/identities/{identity_id} and GET /api/v1/users/{user_id}/identities, which returns the public connection ID for enterprise, OIDC, SAML, and social identities (and null for email, phone, username, passkey, or deleted connections).
List users by role
You can now look up which users hold a given role, not just the roles per user. Two new paginated endpoints are available: GET /api/v1/roles/{role_id}/users for a global view across all organizations, and GET /api/v1/organizations/{org_code}/roles/{role_id}/users for an org-scoped view, both requiring the read:organization_user_roles scope. Cursor-based pagination keeps things fast even on very large datasets.
Enterprise connections list view at scale
When you have many enterprise connections configured, Kinde now automatically switches to a compact table layout once 10 or more connections exist, replacing the card grid that caused excessive scrolling. The table includes columns for icon, title, applications, and org connection badge, plus a context menu with Edit and Delete actions. The original card grid view is preserved for fewer connections and all other connection types.
Richer context in custom UI page workflows
Custom UI page workflows now have access to a much richer auth context. A new get_page_workflow_context utility resolves fields like auth.providedEmail, auth.loginHint, auth.suppliedUsername, auth.identityType, auth.reason, and auth.connectionId from the current pipeline step. We've also added logic that persists entered credentials on validation or authentication failures, so when a sign-in fails the values survive the redirect and the login field is restored when the page reloads.
Multiple GitHub App installations
You can now connect repositories from more than one GitHub org or account per business. An installation chooser UI lets you pick which org/account to connect repos from, and the selected installation is propagated through the entire connection flow including repo listing, branch listing, syncs, and webhook-driven events. Syncs no longer break when a user's OAuth session expires (with a fallback for existing connections).
Multi-domain connection callbacks
When you have multiple custom domains configured, SSO connection setup now respects your domain selection instead of always using the first available domain. A new parameter ensures the selected domain is persisted alongside the connection settings and used when building ACS/callback URLs, falling back to the default custom domain only when none is chosen. We also fixed the multi-domain dropdown so it correctly reflects the toggle state on page load.
Minor fixes and improvements
Various backend fixes and performance improvements on Billing.
Fixed logo cache invalidation so a newly uploaded logo (including dark logos) is served immediately instead of being stuck in the cache.
Added cache-busting to logo URLs in transactional emails so the correct, updated logo appears in emails per org and custom domain context.
Aligned self-serve trial upgrades with the signup flow so trial plans no longer prompt for credit card details, and added the 'Free trial for X days' badge to the portal pricing table.
SDKs
Here's some other changes to SDKs:
PKCE JS SDK: Added multi-tab token syncing to coordinate token refreshes across browser tabs
React SDK: Improved error handling on token refresh failures and fixed SSR blank render and hydration issues
Node Express SDK: Updated runtime dependencies and resolved security vulnerabilities
.NET SDK: Added Roles and Users request builders, improved AutoMapper handling, and refined SAML connection mappings
.NET SDK: Fixed management API authentication and 404 errors, improved SAML/connection mapping, and added a graph search helper
Android SDK: Added entitlements functionality and invitation code authentication, plus a fix for stale state after logout
React Native SDK: Added getValidAccessToken method with improved token persistence and concurrent refresh handling
Flutter SDK: Now fetches the latest tokens from storage before refreshing
Java SDK: Major release upgrading to Spring Boot 4 / Spring Security 7 and Java 17+, with security fixes and dependency updates
SvelteKit SDK: Security and dependency updates, including Vite v6, Svelte v5, and ESLint flat config migration
Management API JS SDK: Added passkey and role-user endpoints, plus expanded SCIM directory error responses
Remix SDK: Dependency and tooling updates, including React Router and Kinde SDK upgrades
JWT Decoder SDK: Dependency updates including a security fix for vite
JWT Validator SDK: Dependency upgrades and tooling updates, including a Vite security fix
JS Utils SDK: Toolchain and dependency upgrades, plus expo-secure-store v56 platform migration guidance added to the README
Expo SDK: Updated dependencies, including the
@kinde/js-utilspackage to 0.30.2Infrastructure SDK: Added new page context types and switch connection support, with fixed type declarations
Infrastructure SDK: Build output now targets ES2019 for the Kinde runtime bundle