v2.13.0 Latest January 7, 2026
What's Changed
Add context7.json to repo by @nicknisi in #345 feat: enable npm Trusted Publishers by @nicknisi in #346 feat: add TokenRefreshError with userId and sessionId for debugging by @nicknisi in #349 feat: add composable proxy/middleware helpers by @nicknisi in #348 fix(tests): move window.location patching and restoration to beforeEach/afterEach by @sundaray in #350 fix: avoid calling headers() in middleware context by @nicknisi in #354 fix(test): restore document.querySelector mock in afterEach by @sundaray in #356 fix(test): restore process.env after each test by @sundaray in #357 v2.13.0 by @nicknisi in #358 New Contributors
@sundaray made their first contribution in #350 Full Changelog : v2.12.2...v2.13.0
What's Changed
fix: bump Next.js dev dependency to patched version by @nickcollisson-workos in #343 v2.12.2 by @nicknisi in #344 Full Changelog : v2.12.1...v2.12.2
What's Changed
Socket workflow integration by @nickcollisson-workos in #338 Switch runner to ubuntu-latest for socket action by @nicknisi in #339 fix: bump Next.js dev dependency to patched version by @nicknisi in #341 fix: handle full URLs in returnPathname to prevent malformed redirects by @nicknisi in #340 fix: handle full URLs in returnPathname to prevent malformed redirects by @nicknisi in #342 New Contributors
@nickcollisson-workos made their first contribution in #338 Full Changelog : v2.12.0...v2.12.1
What's Changed
feat: Add initialAuth to AuthkitProvider by @danielr18 in #323 Full Changelog : v2.11.1...v2.12.0
What's Changed
feat: support returnTo on Impersonation stop by @danielr18 in #322 feat: don't load organization unless impersonating by @danielr18 in #324 Add validateApiKey function by @nholden in #328 Add Next.js 16 support by @nicknisi in #331 New Contributors
@danielr18 made their first contribution in #322 Full Changelog : v2.10.0...v2.11.0
v3.0.0-beta.1 Pre-release October 15, 2025
This update simply updates to @workos-inc/node v8.0.0-rc.1.
Full Changelog : v2.10.0...v3.0.0-beta.1
What's Changed
Fix docs around eagerAuth usage by @nicknisi in #313 docs: Add featureFlag usage to the README by @birdcar in #318 feat: Add support for passing custom state data through authentication flow by @nicknisi in #314 New Contributors
@birdcar made their first contribution in #318 Full Changelog : v2.9.0...v2.10.0
What's Changed
Specify 'use client' to differentiate between a server component. by @brandonin in #310 Allow onSuccess callback to update session by @nholden in #311 New Contributors
@brandonin made their first contribution in #310 @nholden made their first contribution in #311 Full Changelog : v2.8.0...v2.9.0
What's Changed
Add roles to session JWT by @atainter in #308 v2.8.0 by @atainter in #309 New Contributors
@atainter made their first contribution in #308 Full Changelog : v2.7.1...v2.8.0
What's Changed
Fix SSR hydration mismatch in tokenStore by @nicknisi in #306 Full Changelog : v2.7.0...v2.7.1
What's Changed
docs: improve middleware documentation with security best practices by @nicknisi in #293 Add eager auth for synchronous token access by @nicknisi in #301 reduce test coverage thresholds to 80% by @nicknisi in #303 Move tests inline by @nicknisi in #304 Full Changelog : v2.6.0...v2.7.0
What's Changed
add prompt to getAuthorizationURL by @jameslcarpino in #292 fix: allow signOut to work outside middleware coverage by @nicknisi in #296 Fix: Show loading state during initial token fetch to prevent flash by @nicknisi in #297 New Contributors
@jameslcarpino made their first contribution in #292 Full Changelog : v2.5.0...v2.6.0
What's Changed
Fix token staleness in inactive browser tabs by @nicknisi in #290 Full Changelog : v2.4.6...v2.5.0
What's Changed
Fix intermittent Turbopack build errors by removing .js extensions from Next.js imports by @nicknisi in #284 Full Changelog : v2.4.5...v2.4.6
What's Changed
Clean up getCookieOptions and use in signOut to respect all options when delting cookie by @nicknisi in #281 Full Changelog : v2.4.4...v2.4.5
What's Changed
Fix: Correct typos in README by @triplechecker-com in #278 docs: Update README to include explicitly passing baseURL in containerized environments by @heatherfaerber in #279 fix: improve useAccessToken timer management and prevent background flashing by @nicknisi in #280 New Contributors
@triplechecker-com made their first contribution in #278 @heatherfaerber made their first contribution in #279 Full Changelog : v2.4.3...v2.4.4
What's Changed
Fix: Token refresh logic improvements by @nicknisi in #276 Full Changelog : v2.4.2...v2.4.3
What's Changed
docs: Add default values for all optional environment variables by @nicknisi in #272 Fix: Prevent infinite token refresh loop for long-lived sessions by @nicknisi in #273 Full Changelog : v2.4.1...v2.4.2
What's Changed
Revert "fix ESM import extensions (#249)" by @nicknisi in #270 Important
This fixes a bug introduced in v2.4.0 when running with --turbo. See #268 for more details.
Full Changelog : v2.4.0...v2.4.1
What's Changed
bump Next.js peer dependency to ^14.2.26 by @nicknisi in #256 add getCustomClaims and useCustomClaims hook by @nicknisi in #254 fix ESM import extensions by @dfrankland in #249 feat: handleAuth > return authenticationMethod by @dlarroder in #257 Update README about authenticationMethod and onSuccess callback data by @nicknisi in #259 Simplify useCustomClaims to useTokenClaims by @nicknisi in #258 Add support for the feature_flags claim by @kkajla12 in #262 Full Changelog : v2.3.3...v2.4.0
What's Changed
Consistently pass redirectUri to getAuthorizationUrl in middleware by @mthadley in #251 v2.3.3 by @dandorman in #252 Full Changelog : v2.3.2...v2.3.3
What's Changed
fix: infinite redirects when using useAccessToken with 60 second token duration by @nicknisi in #247 v2.3.2 by @nicknisi in #248 Full Changelog : v2.3.1...v2.3.2
What's Changed
Fix errors thrown by signOut method by @nicknisi in #243 v2.3.1 by @nicknisi in #244 Full Changelog : v2.3.0...v2.3.1
What's Changed
Add client-side access to access token by @nicknisi in #231 Add session refresh callbacks to updateSession function by @coreycoto in #234 Fix signOut not working by @nicknisi in #238 Add organizationId to onRefreshSuccess and update README by @nicknisi in #236 New Contributors
@coreycoto made their first contribution in #234 Full Changelog : v2.2.1...v2.3.0
What's Changed
add CODEOWNERS file to repo by @nicknisi in #225 Respect sameSite while deleting cookie by @mintuhouse in #232 fix: set middleware headers on request too to fix issues with netlify deploys by @nicknisi in #230 v2.2.1 by @nicknisi in #233 Full Changelog : v2.2.0...v2.2.1
This minor version updates the Next.js peer dependency versions to include patched versions of Next.js that mitigate the CVE-2025-29927 vulnerability
What's Changed
Update peer dependencies for Next.js to non-vulnerable versions by @nicknisi in #226 Also update Next.js 13 peer dep version by @nicknisi in #228 v2.2.0 by @nicknisi in #227 Full Changelog : v2.1.0...v2.2.0
What's Changed
Add coana-guardrail and coana-analysis workflows by @nicknisi in #219 fix guardrail to work with forks too by @nicknisi in #221 Expose loginHint & redirectUri option in getSignInUrl and getSignUpUrl by @mintuhouse in #220 add WORKOS_COOKIE_SAMESITE optional configuration by @nicknisi in #218 add switchToOrganization action and client helper by @nicknisi in #214 Expose a saveSession method for advanced use cases by @nicknisi in #223 v2.1.0 by @nicknisi in #222 New Contributors
@mintuhouse made their first contribution in #220 Full Changelog : v2.0.2...v2.1.0