Userfront Changelog

Additions and updates to the Userfront platform.

May 2024

Updates to tenant management

We’ve made tenant types easier to understand:

  • Tenants with one user are now called Individual tenants
  • Tenants that allow more than one user to have a role in their tenant are Organization tenants
  • Enterprise tenants have their own custom authentication and can have their own administrator

  • The tenant detail page now lists the creator of the tenant
  • The tenant list page now lists the max number of tenants per type allowed for your subscription

Improved team member management

Adding and removing team members has been simplified and the seat management process improved.

February 2024

Updated rate limit rules

Rate limiting for sending emails has been updated as follows:

  • Email sending now has additional rate limiting based on the number of unused email links/codes sent recently.
  • Confirmed users can now be excluded from daily rate limits.

You can find complete guidance on rate limiting in the API docs

New & improved Users page

The Dashboard's Users page now includes:

  • New user sorting and filtering functionality
  • Users can be added with no roles - or multiple roles
  • Users can be added without sending an invite email

Configurable theming for Toolkit forms

Visit the Toolkit page in your Dashboard to customize the look & feel of your Toolkit forms

January 2024

Delete Workspaces

You can now delete a workspace directly from the Dashboard

Fixed: reset emails without email link configured

Password reset email for new users now work as expected when email link is not configured as a first auth factor

Improved workspace and tenant management

The display of nested tenants has been improved to make tenant heierarchy clearer. Workspace UUIDs are also now displayed and searchable. See these updates now on the Tenants page.

New Toolkit release

The latest release of Toolkit resolves an issue where "oops, an unknown error occurred" was occasionally displayed. Read more in the complete release notes.

October 2023

New support for custom JWT payloads

You can now create a JWT access token with a custom payload in Userfront's API. Learn more in the API docs.

Rate limits on email

Rate limiting for sending emails has been updated as follows:

  • emails are not sent in test mode. In live mode, emails to new & unverified users are limited to one email per day.
  • Verified users may not be emailed more than once every 10 seconds.

September 2023

New Toolkit 🎉

A milestone new release of Userfront's Toolkit makes it easier to add multi-factor authentication (MFA) to your website or mobile application. Read more about this Toolkit release here on the blog, or follow along with a hands-on tutorial here.

August 2023

New meta fields for user confirmation status

Confirmation status on users is now more granular with the addition of two fields:

  • New fields: isEmailConfirmed and isPhoneNumberConfirmed
  • Deprecated field: isConfirmed

These fields are returned in every user record within your workspace or your workspace's tenants.

July 2023

Added the GET /self endpoint to allow a logged-in user to read detailed information about themself. See Read own user data.

Import users via API

You can now import existing users into your Userfront database in bulk via API.

Learn more about the new user import endpoints in the API reference.

June 2023

Add Okta SSO

Single Sign-On is now available for Okta on both web and mobile. You can configure Okta as an SSO provider directly in your Userfront dashboard.

October 2022

GET /self endpoint

 "mode": "live",
 "userId": 5,
 "tenantId": "demo1234",
 "email": "",
 "name": "Jane Doe",
 "locked": false,
 "isConfirmed": true,
 "isMfaRequired": false,
 "data": {
   "custom": "data"
 "tenant": {
   "tenantId": "demo1234",
   "name": "Demo Workspace"
 "authentication": {
   "firstFactors": [
     { "strategy": "password", "channel": "email" },
     { "strategy": "link", "channel": "email" }
   "secondFactors": [{ "strategy": "totp", "channel": "authenticator" }]
 "authorization": {
   "demo1234": {
     "roles": []

Nested roles

It is now possible to use your workspace API key or JWT access token to manage roles for your nested tenants.

This means you can have a structure like the following:

  • Your application (global)
    • Organization A
      • Team A1
      • Team A2
    • Organization B
      • Team B1
      • Team B2

Each level can have its own roles, and each user can have roles at any level, or at multiple levels. For example, a user could be a viewer at the global application level, an editor in Organization A, an owner in Organization B, a viewer in Team B1, and so on.

You can manage roles for each user using the Roles API endpoints.

September 2022

New dashboard 🎉

The new Userfront dashboard is live, with many new features.

  • New dashboard home page that includes insights and top users for your workspace, automatically calculated based on your application's activity.

Userfront dashboard

  • Insights page with additional insights.
  • Security report with detailed information about all of your security settings, all in one place.
  • MFA configuration page that allows you to configure which factors you want to use for MFA, and whether it should be required for all users.

MFA configuration

The old dashboard will remain available at through the end of 2022.

Tenant nesting

Now you can nest tenants an additional level, allowing you to create sub-organizations within your application.

  • Your application
    • Organization A
      • Workspace A1
      • Workspace A2
    • Organization B
      • Workspace B1
      • Workspace B2

See the create child tenant endpoint to create a nested tenant. Once you have created a child tenant, the other existing endpoints work the same as for the parent tenant.

August 2022

Improved usage recording

Userfront now records all signup and login activities to help identify usage patterns and attempted unauthorized actions. These events and metrics will soon be available to view in the dashboard.

Improved usage reporting

Userfront now aggregates user activity into daily and monthly summaries for your workspace. This includes:

  • Daily Active Users (DAU)
  • Daily new users
  • Monthly Active Users (MAU)
  • Total users
  • Top existing users
  • Top new users
  • Calendar heat maps for signups
  • Calendar heat maps for activity

This aggregate information will soon be available to view in the dashboard.

July 2022

Improved brute force security

All nonce-based security methods now have enhanced security, with brute-force detection and blocking built in.

By default, each link can only be guessed 10 times before the link credentials will be marked as invalid. Userfront also records these attempts, and in the future will notify you when they occur.

This change adds additional brute force security and monitoring to the following:

  • Passwordless links
  • Password reset links
  • Verification codes
  • SSO final step (Google, Facebook, Azure, Apple, etc.)
  • SAML exchange
  • MFA first factor token

authentication object included in API response

For user CRUD operations, Userfront now returns a list of authentication methods that are valid for the user:

 "authentication": {
   "firstFactors": [
     { "strategy": "password", "channel": "email" },
     { "strategy": "google", "channel": "email" }
   "secondFactors": [{ "strategy": "totp", "channel": "authenticator" }]

June 2022

Verification code and TOTP authenticator

It's now possible to login with 2 more approaches:

signup({ method: "verificationCode" }) and login({ method: "verificationCode" })

Accompanying the verification code approaches above, the signup() and login() methods for Core JS now support the verificationCode method.

login({ method: "totp" })

Accompanying the TOTP authenticator code approach above, the login() method for Core JS now supports the totp method.


Added the sendVerificationCode() method to Core JS. This method allows a user to request an email or SMS with a single-use verification code. The verification code can be used with login({ method: "verificationCode" }) mentioned above.

updatePassword() method

Added the updatePassword() method to Core JS. This method supersedes the resetPassword() method, which is now an alias, and allows for updating a user's password with their reset link credentials or while the user is logged in.

May 2022

Add Apple SSO

Single Sign-On is now available for Apple on both web and mobile. For mobile applications it satisfies Apple's requirement to include Apple as an SSO option whenever any other providers are included.

Add Azure single-tenant SSO

Users can now sign in via Oauth 2.0 using Azure with single tenant. Previously, this was only possible for multi-tenant Azure instances.

Password update endpoint for logged in users

Added an API endpoint for Update own password that allows a user to update their own password when logged in. If the user does not have a password yet (e.g. if they signed in with SSO), this endpoint creates their password.

Tenant search endpoint

Added an API endpoint for Search tenants that allows searching for tenants by name, custom data attributes, and/or tenantId.

Phone number verification

Added an API endpoint for Verify a phone number that allows a user to send a 6-digit verification code by SMS to the given phone number and then enter that 6-digit verification code to verify the phone number. Once a phone number is verified, it can be used for login or multi-factor authentication.

Email 6-digit verification codes

Added the ability to log in by receiving a 6-digit verification code by email. Users can receive their code and submit it to the verification code login endpoint to log in.

April 2022

Authenticator app Multi-Factor Authentication (alpha)

Multi-factor authentication (MFA) via TOTP (Time-based One-Time Password) / authenticator app is now available in alpha. This allows for MFA flows that use Google Authenticator, Authy, and other TOTP code-generating applications.

This feature is in closed alpha and will be in beta shortly, followed by general release.

As with SMS MFA, we will release SDK methods and integrate MFA into the toolkit in the coming weeks.

Disable all Userfront emails

You can now disable all emails from Userfront, ensuring that there are no triggers that will generate an automated email from Userfront to your users. This feature will be added to the dashboard soon, and in the meantime you can contact us to set up this feature.

Support for x-origin header

Previously, when making client-to-server requests from a mobile application or backend server in live mode, the request could include the x-application-id header in place of the origin header (which the browser sends). Now the request can additionally include either the x-origin header or the x-application-id header.

The chosen header should correspond to a live mode domain in order for the request to be considered live mode. For example:

 "headers": {
   "x-origin": ""

Login option: noResetEmail

The default behavior on Userfront is that when a user attempts to log in with a password but does not yet have a password set, Userfront sends the user a password reset email. This can happen with users who have previously signed in with SSO, for example.

With the the included noResetEmail: true flag, Userfront does not send the user a password reset email if they do not already have a password, and instead returns an error message.

March 2022

SMS Multi-Factor Authentication (beta)

Multi-factor authentication (MFA) is officially live through the use of security codes sent by SMS.

We will release SDK methods and integrate MFA into the toolkit as well in the coming weeks.

Authenticator MFA is next.

Improved rate limiting

We improved our internal rate limiting infrastructure to further prevent unwanted access attempts and to harden the service overall.

Custom cookie attributes (beta)

Browser storage for JWT access tokens is now customizable. See the MDN docs for more information about cookie attributes.

Cookie attribute

Strict, Lax, None
Any path (e.g. /custom)
Set Domain?
false, true
Setting Domain explicitly will allow subdomains to read cookies.

These options will be available in the dashboard shortly. If you need to adjust them in the meantime, please contact us.

February 2022

Disable signups

You can now disable new user registration and allow only the users you add manually to sign in. This feature will be added to the dashboard soon, but in the meantime you can contact us to set up this feature.

SMS Multi-Factor Authentication (alpha)

Multi-factor authentication (MFA) is in production for alpha testing, with security codes sent by SMS.

January 2022

Improved user search endpoint and documentation

Added search options, fixed some minor display bugs, and improved the documentation for user search. Added examples of advanced filtering with various combinations of and and or search queries.

Custom link durations

The Generate Link, Invite User and Invite User to a role endpoints all generate email links with a set expiration by default:

Cookie attribute


1 hour
3 days
3 days

Now you can also specify custom durations for each type of link, up to 1 week and down to 10 seconds, using the options.duration parameter.

  options: {
    duration: "5 minutes"

Invite user with immediate password set

By default, invite emails contain a login link that will log the user in directly. However, this flow does not ask the user to set a password right away. Now it is possible to use a password reset link in place of a login link in the invite email by using the options.type parameter.

 options: {
   type: "reset"

December 2021

Add API endpoints to create, invalidate, and delete API keys

Programmatically create, invalidate, and delete API keys: admin, readonly, and webhook key types are supported. Rotate keys as needed to secure your application.

Allow test, dev, and password as passwords in test mode

Now in test mode you can use test, dev, and password when registering a user or changing their password. This allows for faster testing.

Streamline SSO signup webhooks

Previously, user registration by SSO would fire a user created webhook with the user unconfirmed, followed closely by a user updated webhook with the user confirmed. Now only the user created webhook is fired, with the user already confirmed.

Improved certificate generation

Simplified the process for generating certificates for live domains, and removed a bug that affected some subdomains when "include subdomains" was checked.

November 2021

SAML beta release

3rd party login with SAML is stable and in limited-party testing in advance of a public release.

Twitter SSO initial spec

Adding Oauth 2.0 login with Twitter, which is based on the Twitter 2 API (in beta). We are waiting for Twitter to implement some features such as profile lookup before we can publish Oauth 2.0 compliant login via Twitter.

Apple SSO initial spec

Adding "Sign in with Apple" functionality, which is loosely based on Oauth 2.0 standard. Awaiting some confirmation from Apple regarding their long-term timeline before finalizing this implementation for all platforms.

Webhook sends for user lock/unlock

Whenever a user is locked or unlocked, the User Updated Webhook will be sent.

October 2021

Link generation without email

Use a server-to-server API endpoint to generate link credentials (uuid and token) for use in custom login, welcome, and account verification emails.

Signup option: noSignupEmail

Works the same as standard signup, but with the the included noSignupEmail: true flag, Userfront does not send the new user an email. Combined with "Link generation without email" above, this allows you to create fully custom signup flows.

Include roles as a filter in user search

Filter users by the roles they have in a given tenant.

Improved client-to-server documentation

Updated code examples for client-to-server docs.

September 2021

Add documentation for passwordless flows

Added documentation for "passwordless" flows to give a clearer picture of all the options for signup and login.

Add endpoint to allow users to update their own password with a valid JWT access token

Users can now present a valid JWT access token, existing password, and the new password to update their password directly from the client.

Consistent response format for link generating endpoints

Updated the response format for newer link generation endpoints to better match other API endpoints.

Old format (deprecated):

 Message: 'OK',
 To: ''
 MessageID: '12ac72f3-355f-4266-8c7d-05d0acdab703',
 SubmittedAt: 2021-09-12T17:21:48.046Z,

Updated format:

 message: 'OK',
 result: {
   to: '',
   messageId: '12ac72f3-355f-4266-8c7d-05d0acdab703',
   submittedAt: 2021-09-12T17:21:48.046Z

August 2021

Include data attributes in user search

Allow search by users' custom data attributes via the user search endpoint.

Add httpOnly option for refresh tokens

Add system and endpoints for creating and using refresh tokens in httpOnly mode. These tokens cannot be read by client-side JavaScript and are thus not susceptible to XSS attacks. Usage of httpOnly tokens requires a custom domain.

Custom JWT access token formats

Added the ability to generate custom JWT access token formats (e.g. compact, verbose, OIDC) by manuallys setting a value for the tenant. We will eventually add the ability to configure this directly from the dashboard.

July 2021

Tenant deletion by API

Added an API endpoint and webhook to delete tenants programmatically.

Updated JWT key pair signing configuration

Changed the key pair signing configuration from pkcs1 to pkcs8 as the former has compatibility issues with certain PHP libraries. All future keys will use the new format, and existing keys can be rotated to use the new format if needed.

Added examples for Vue.js and Node.js

Included example projects for setting up Userfront with Vue.js (custom forms) and Node.js authentication + access control.