- DATE:
- AUTHOR:
- The Kinde team
- RELATED ROADMAP ITEMS:
- Self-serve portal for org member management + team invitations
Scaled up and locked down
Invite member controls for organizations
Organization owners can now control whether member invitations are enabled at all, and how invite emails are sent. You can toggle invites on or off via policy settings, and the full invite flow now has API support — including optional email sending and filtering by revoked or accepted status. Custom SMTP is also supported for sending invite emails, so your branded experience stays consistent end to end.
Contentsquare tracking integration
You can now add a Contentsquare Tag ID to your Kinde environment for session replay and behavioural analytics. It works the same way as the existing Hotjar and Google Analytics integrations — set your Tag ID in the Environment details form, and Kinde handles script injection and CSP configuration on hosted login and registration pages. Available on plans with the advanced tracking entitlement, and exposed via the Management API.
OIDC and OpenID scope support for device authorization flow
The device authorization flow now fully supports OpenID Connect. You can request the openid, profile, email, phone, and address scopes, and the token endpoint will return an ID token as expected. This brings the device flow in line with Kinde's other auth flows and makes it easier to build OIDC-compliant apps for smart TVs, CLIs, IoT devices, and more.
Custom SAML connection improvements
A few gaps in the custom SAML connection API have been filled. The is_use_custom_domain, is_trusted, and saml_signing_private_key options can now be set and updated via the API as documented. The saml_sign_in_url field is also now included in the connections management API spec. If you've been working around these limitations, you no longer need to.
New SDK - TanStack
We now have first-party auth support for TanStack Start via the new @kinde/tsr package. It handles login, logout, registration, and callback through a single catch-all route, and includes a protect() helper for guarding routes with roles, permissions, feature flags, and billing entitlements.
Performance improvements for large user and organization lists
If you have a large number of users or organizations, the admin UI should feel noticeably faster. Search on the users list was timing out for tenants with millions of users, and the organizations list was taking upwards of too many seconds to load. Default page loads on the users list are around 22x faster than before.
Audit log improvements
API-driven changes are now correctly attributed to the API in the audit trail rather than being logged as 'Admin'. On top of that, key organization settings — including advanced orgs, auto join, and custom connections — are now captured in the change audit log. This gives you a more complete and accurate picture of what changed and how.
SCIM Beta sign up
We are fast approaching the full release of SCIM directory sync. Be the first to try this feature, which will allow your enterprise connection customers to automatically sync users, groups and custom attributes from their identity provider. To be added to the beta request list, drop an email to support@kinde.com.
Minor fixes and improvements
The user details page in the admin UI now always shows the Organizations section, including a CTA when the user has no memberships
Deleting a billing group now correctly removes its associated plans, and a migration cleans up any orphaned plans left behind by the previous behavior
Custom OAuth2 attribute helper text now clearly explains how each field maps to a JWT claim
Enhancements to the use of API keys with the Management API via the MCP
User export improvements, including better performance and the exclusion of already removed organizations, roles, and permissions
The organization PATCH endpoint now treats is_enforce_mfa as a truly optional field
Back links on the upgrade plan and billing portal pages now correctly reflect where you came from, rather than pointing to a dead-end or incorrect route
The verify password form name can now be overridden via a system setting to prevent Chrome incorrectly identifying it as a credit card field
Organization filter dropdowns in the admin UI now sort alphabetically
SDKs
Here are some other changes to SDKs:
PKCE JS SDK: New portal, invitation, and logout features added alongside a storage layer refresh and several deprecations
React SDK: Bug fixes for initialization guards, token refresh error handling, query parameter handling in authentication flows, TypeScript 6 and dependency updates
NextJS SDK: Dependency updates and maintenance improvements including updated Kinde SDKs, cookie library, and developer tooling upgrades, invitation code support, fixed prompt=none redirect handling, improved feature flag and error state management
iOS SDK: Configurable authorization flow timeout added with improved concurrency handling and error reporting
Python SDK: Added invitation code support, regenerated Management API client, improved FastAPI and Flask integrations, and updated security dependencies
React Native SDK: Added invitation code support and improved error handling stability
JWT Decoder SDK: Maintenance release with dependency updates and security patches
JWT Validator SDK: Maintenance release with security fixes for jsrsasign and vitest dependencies, plus updated CI tooling and TypeScript version
Expo SDK: Upgraded to Vite 8 build stack with security updates