FusionAuth

Category: DEVOPS · Velocity: 6.3

Developer-focused authentication, authorization, and user management platform available self-hosted or cloud-hosted

An auth platform in a hardening cycle, tightening API scope and adding OAuth standards

Tags: ciam, oauth, security-hardening, standards, breaking-changes

Current state

FusionAuth is shipping a run of security-tightening releases: webhook endpoints now require global API keys, tenant-scoped keys lost access to installation-wide endpoints, and identity-provider linking strategy became immutable. Alongside the hardening it added OAuth resource scoping (RFC 8707) and Lambda Secrets.

Where it's heading

The dominant theme is correctness and security hygiene — a series of breaking changes that close privilege-scope gaps, plus standards adoption (RFC 8707, PKCE). This reads as a platform maturing its security posture rather than chasing new surface area.

Prediction

Expect continued OAuth/OIDC standards coverage and further API-key scope tightening, with breaking changes flagged and remediated across point releases, as the pattern in this window suggests.

Recent moves

  1. 17d ago

    v1.67.1 maintenance release

    A 1.67.1 maintenance release; the captured note is the standard upgrade-guidance boilerplate with no user-facing feature described.

  2. 24d ago

    v1.67.0: OAuth resource scoping via RFC 8707

    ⚡ SPARK

    1.67.0 adds RFC 8707 resource indicators — tokens can now be scoped to specific resources via an authorizedResourceUris config and a resource parameter, surfaced in the aud claim. A genuine capability addition amid the hardening run.

  3. 1mo ago

    v1.66.0: webhook endpoints now require global API keys

    1.66.0 extends the prior tenant-scope hardening to webhook endpoints, which now require global API keys and reject tenant-scoped keys with a 401. A breaking but deliberate fix that closes a privilege gap left open in 1.65.0.

  4. 1mo ago

    v1.65.0: immutable IdP linking and tighter key scope

    1.65.0 makes enabled identity-provider linking strategy immutable and removes tenant-scoped key access to installation-wide endpoints. Two breaking changes that prevent foot-guns and tighten privilege scope — the start of the hardening run continued in 1.66.

  5. 2mo ago

    v1.64.1: fix breached-password detection on change

    1.64.1 fixes a meaningful security bug where a password change could fail to detect a breached password, plus a misleading Admin UI consent dropdown. Maintenance-grade, but the breached-password fix has real security weight.

  6. 3mo ago

    v1.64.0: Lambda Secrets for sensitive values in lambdas

    1.64.0 introduces Lambda Secrets — secure storage for sensitive values like app passwords and API keys, accessible from lambda functions — and adds PKCE enhancements. A useful capability for teams extending FusionAuth with custom logic.

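The RFC 8707 resource scoping summarised under item 2 (v1.67.0) is easy to misread as a client-side convenience; the security value comes from two checks, one at token issuance and one at the resource server. The following is an added illustration written for this page, not FusionAuth code: it models both checks in plain Python, using the `authorizedResourceUris`, `resource` and `aud` names from the release summary, with the helper functions, client id and API URIs constructed as assumptions.

```python
# Added illustration of RFC 8707 resource indicators (not FusionAuth code).
# authorizedResourceUris / resource / aud come from the 1.67.0 summary; the
# functions, client id and URIs below are constructed for this example.
from urllib.parse import urlsplit

# Constructed app config: the resource URIs this client may request tokens for.
APP_CONFIG = {
    "clientId": "orders-web",
    "authorizedResourceUris": [
        "https://api.example.com/orders",
        "https://api.example.com/inventory",
    ],
}


def issue_token(app, requested_resources):
    """Model the token endpoint. Each `resource` value must be an absolute URI
    with no fragment (RFC 8707 section 2) and must be on the app's allow-list;
    otherwise the request fails with the RFC 8707 `invalid_target` error.
    Accepted resources become the token's `aud` claim (string for one,
    list for several, per the JWT convention)."""
    for r in requested_resources:
        parts = urlsplit(r)
        if not (parts.scheme and parts.netloc) or parts.fragment:
            return {"error": "invalid_target", "reason": f"malformed resource {r!r}"}
        if r not in app["authorizedResourceUris"]:
            return {"error": "invalid_target", "reason": f"{r!r} not authorized"}
    aud = requested_resources[0] if len(requested_resources) == 1 else list(requested_resources)
    return {"aud": aud, "client_id": app["clientId"]}


def resource_server_accepts(token, my_uri):
    """Model the resource server: honour only tokens whose `aud` names this
    API. Without this check a token minted for one API is replayable against
    any other API that trusts the same issuer, and scoping buys nothing."""
    if "error" in token:
        return False
    aud = token["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    return my_uri in audiences
```

The `aud` check belongs in every API that consumes these tokens, alongside the usual issuer, signature and expiry validation.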