Changelog

Step-up Auth

July 2, 2026

AuthKit now supports step-up authentication, which makes a user re-verify their session before performing a sensitive action. Most auth systems trust every action in a session equally. Reading data and deleting an account are treated the same even though the risk is vastly different. A user who signed in eight hours ago carries the same trust as one who just proved who they are. Step-up authentication closes that gap by requiring the user to re-authenticate their identity.

You decide which actions require a step-up, commonly things like changing billing, revoking API keys, or other destructive operations. You send the user through a step-up flow where AuthKit re-verifies them, then hands you a fresh session confirming the identity is current. AuthKit picks the right method based on what the user has enabled, like SSO or 2FA. The session stays intact, and every step-up emits an event you can log or act on. Learn more about step-up auth in the docs.
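The gating logic described above can be sketched on the application side as follows. This is an added example, not AuthKit's API or code from the docs: the `Session` fields, action names, freshness windows and the `step_up.succeeded` event name are all assumptions, and `complete_step_up` stands in for receiving the fresh session after AuthKit has re-verified the user.

```python
import time
from dataclasses import dataclass, field

# Hypothetical policy: sensitive action -> maximum age in seconds of the
# user's last identity verification. Names and windows are assumptions.
STEP_UP_MAX_AGE = {
    "billing.update": 300,
    "api_key.revoke": 300,
    "account.delete": 60,
}

@dataclass
class Session:
    user_id: str
    session_id: str
    verified_at: float                      # when identity was last proven
    events: list = field(default_factory=list)

def authorize(session, action, now=None):
    """Return 'allow' or 'step_up_required' for an action in this session."""
    now = time.time() if now is None else now
    max_age = STEP_UP_MAX_AGE.get(action)
    if max_age is None:
        return "allow"                      # not listed as sensitive
    age = now - session.verified_at
    # Fail closed: a stale verification and a timestamp from the future
    # are both treated as "not recently verified".
    if 0 <= age <= max_age:
        return "allow"
    return "step_up_required"

def complete_step_up(session, method, now=None):
    """Record a successful re-verification without replacing the session."""
    now = time.time() if now is None else now
    session.verified_at = now               # same session_id, fresher proof
    session.events.append({                 # hypothetical audit event shape
        "type": "step_up.succeeded",
        "user": session.user_id,
        "session": session.session_id,
        "method": method,
        "at": now,
    })
    return session
```

Run the check on the server for every sensitive request, not only when rendering the UI, so a client cannot skip the step-up by calling the endpoint directly.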