March 2026

API

Previously, multi-factor authentication only kicked in through the challenge-based flow. Now it works everywhere, magic links, OTP, WebAuthn, all of it. If a user has MFA enrolled and your app requires it, they’ll get an mfa_required response instead of tokens, regardless of how they signed in. WebAuthn logins skip MFA by default (it’s already two factors, your device and your face), but you can turn that off per app if you’re feeling strict.

Email OTP

The OTP endpoint used to be phone-only. Now it handles email too. Set email_auth_type to "otp" on your app and the same /auth/:app_id/otps endpoint accepts email addresses. It figures out what you sent it and does the right thing.

User search got smarter

The users endpoint now supports a ?q= parameter. It does fuzzy matching across email, phone, and name using PostgreSQL’s pg_trgm extension. Results come back ranked by relevance. No more exact-match-only filtering.

Verifications API — new actions

Two new endpoints:

DELETE /v1/verify/:app_id/verifications/:id — cancel a verification
POST /v1/verify/:app_id/verifications/:id/resend — resend it (cancels the old one, creates a fresh one with the same params)

The create endpoint also now accepts full challenge params directly (purpose, method, intent, etc.) alongside the legacy format.

MFA status endpoint

New endpoint for the dashboard:

GET /v1/verify/:app_id/users/:user_id/mfa

Returns a user’s MFA enrollments, which methods they have, backup codes remaining, everything you need to show on a user detail page.

Rails 7.1

Upgraded from 7.0 to 7.1. Nothing breaks, everything’s a little faster.

Dashboard

Auth settings redesign

The authentication settings page got a full rework. You can now see a visual preview of your login flow, step by step, that updates as you change settings. New options in the settings panel:

Email auth type — switch between magic link and OTP
MFA policy — disabled, optional, or required
Allowed MFA methods — pick from TOTP, passkeys, email OTP, SMS OTP, backup codes
WebAuthn skip MFA — toggle whether passkey logins bypass MFA
MFA grace period — give users time to set up MFA after you enable it

Challenges page

“User Verification” in the nav is now “Challenges”, because that’s what they are. New full page for browsing, filtering, and creating challenges. You can filter by purpose, method, and status. Each challenge opens in a detail sheet with the full timeline and metadata. You can also create challenges directly from the dashboard now, with a dialog that supports all challenge types and purposes.

Redesigned users page

The users list is now a proper table with search, pagination, status badges, and quick actions. You can search across all user fields from one input.

User detail page

Completely new user detail view with tabs:

Overview — identity, status, login history, sessions
Security — MFA enrollments, backup codes status, security events
Challenges — all challenges for this user, with actions (resend, cancel, deny)

You can also change a user’s email or phone from here and trigger verification challenges right from the detail page.

MFA verify screen

New MFA verification UI in the login flow. Shows a 6-digit code input (or 8-digit for backup codes), lets users switch between available MFA methods, and handles TOTP / email / SMS / backup codes.

Changelogs

​March 2026

​API

​MFA now works across all login methods

​Email OTP

​User search got smarter

​Verifications API — new actions

​MFA status endpoint

​Rails 7.1

​Dashboard

​Auth settings redesign

​Challenges page

​Redesigned users page

​User detail page

​MFA verify screen