TILLAUTH · CHANGELOG
TillAuth, in order.
What we shipped on the auth side of TillDev. Newest first. Material breaking changes are flagged in bold — these can require code changes on your side.
v0.4 — June 2026 · Per-app admin shell
- App-scoped sidebar at
/<org>/auth/<appId>/*— drilling into an app replaces the org nav with App / Users / Sessions / Audit / Providers / Policies, removing the duplicate tab strip. - Per-app branding editor — logo, accent, hosted-login copy.
- Empty-state landing on
/<org>/authwhen zero apps exist — pillars, numbered quickstart, single CTA. - SDK reference index — /docs/tillauth/sdk.
v0.3 — May 2026 · TillDev integration
- Cross-product audit log — TillAuth rows now also surface under the unified
/<org>/auditview alongside TillPulse + TillDev cross-product events. - Module-aware org settings — TillAuth's settings group only appears when the module is enabled.
- Post-signin smart redirect — orgs whose only configured product is TillAuth no longer land on an empty TillPulse dashboard.
- Onboarding now picks a product before walking through setup.
v0.2 — April 2026 · OAuth + SSO
- OAuth · Google + GitHub per app — client IDs stored per-app, secrets encrypted at rest.
- OIDC SSO — JWKS-verified
id_token, optional allowed-domain gate. - Secret rotation — per-app secrets re-encrypted at rest in one atomic transaction.
- Custom domains —
auth.your-domain.comvia customer DNS. - Breaking: the
verify()server SDK return shape addsidentities[]. Existing destructures keep working; new field is optional.
v0.1 — March 2026 · Spine
- Email + password — modern, memory-hard password hashing (Argon2id), progressive lockout.
- Passkeys — WebAuthn primary and 2FA, with counter-regression theft detection.
- TOTP + backup codes — first-class, on every plan.
- Magic links — IP-prefix bound, redirect allow-list checked.
- Sessions — refresh-token rotation with theft detection.
- Webhooks — signed and replay-protected, exponential-backoff retries.
- Audit log — append-only, stable action vocabulary, 365-day retention.
@tilldev/auth-reactand@tilldev/auth-nodeat 0.1.
Looking for another product? See the TillShield and TillForge changelogs, or the TillPulse changelog. The full TillDev shipping log lives at/changelog for now — a unified cross-product log is on the roadmap.