releases.shpreview
Home/Collections/Auth & Identity/Week of May 25, 2026

Debugging emails, hardening auth, and SSO everywhere

May 25–31, 2026

Clerk launched Email Logs in public beta for debugging delivery issues, while Better Auth patched several high-severity security flaws. Auth0 shipped GA passkeys with cross-subdomain support and organization-scoped Token Vault, and Clerk added self-serve SSO configuration across its SDKs.

Debugging transactional email delivery

Clerk introduced Email Logs in public beta, giving production instances a reverse-chronological view of every transactional email Clerk sends. You can filter by recipient, message ID, event type, or IP address, and inspect delivery status, bounce reasons, and raw provider payloads — all from the Clerk Dashboard. For teams debugging why a verification or invitation email never arrived, this removes the need to check a third-party email service or parse server-side logs.

Hardening across Better Auth

Better Auth shipped three patch releases this week addressing multiple security issues. v1.6.12 fixed a session cookie leak that allowed session_token and session_data cookies to be captured and replayed to bypass 2FA when cookie caching was enabled, and made passkey challenges atomic to prevent replay attacks. v1.6.13 patched a high-severity XML injection vulnerability in signed SAML assertions and a stateStrategy defaulting bug that caused oversized-cookie errors on AWS Lambda — plus fixes for Google One Tap authenticating the wrong user after account linking, unauthorized dynamic OAuth client registration, and SAML Single Logout that left users signed in. v1.7.0-beta.4 hardens OAuth and OIDC further, binding RFC 8707 resource indicators to the authorization grant and fixing PKCE validation, state-cookie handling, and redirect URI validation. Any team using Better Auth's SAML or OAuth flows should upgrade immediately.

Passkeys and token vault reach GA at Auth0

Auth0's Passkeys feature with customizable RPID is now generally available, allowing a single passkey to authenticate users across multiple applications under the same root domain — useful for teams with several subdomain-hosted services that want shared enrollment. Separately, Token Vault with Organization Support reached GA, scoping third-party token exchanges to (user, org_id) pairs so each organization in a multi-tenant B2B app maintains isolated token records.

Self-serve SSO rolls out across Clerk SDKs

Clerk's JavaScript SDK v6.13.0 and the underlying UI components now display a "Single Sign-on (SSO)" section in OrganizationProfile whenever self-serve SSO is enabled for the active organization. The ConfigureSSO UX was improved with attribute-mapping labels per IdP nomenclature, a test URL button, and clearer empty states. The localizations package also gained complete translations for Bengali, Hindi, Malay, Tamil, and Telugu, filling previously untranslated keys across billing, sign-in, and MFA flows.

Elsewhere, Clerk added Expo SDK 56 support and fixed Astro View Transitions styling loss. And @clerk/shared v3.47.7 added an oiat field to JWT headers to support monotonic token freshness checks in session minter.

Releases covered