2.188.1 (2026-03-19)
2.188.0 (2026-03-17)
- cache OIDC discovery documents for providers (#2389) (40d07b5)
- enable custom providers by default (#2427) (291cdad)
- modernize IsNotFoundError handler to support errors.Is (#2392) (ab7c9f9)
- oauth-server: allow updating
token_endpoint_auth_methodfor OAuth clients (#2391) (1280dc1) - passkeys: add admin endpoints to list and delete passkeys (f109550)
- passkeys: add audit, metering, webauthn primitives (039b569)
- passkeys: add configuration, error codes, and schemas (0a5eb95)
- passkeys: add discoverable credential auth flow (#2411) (1bc68ea)
- passkeys: add management endpoints (#2413) (5b3218e)
- passkeys: add rate limiter on the
/optionsendpoint for authentication (#2422) (30b3aeb) - passkeys: derive friendly name from AAGUID (#2415) (e00ff1a)
- passkeys: progressive enrollment flow (61ae2aa)
- add MaxBytesReader middleware to limit request body size to 1MB (#2402) (6f0b2eb)
- bump Go to v1.25.8 (#2412) (a2e357f)
- passkeys: construct configuration env var correctly (dba676e)
- passkeys: enforce passkey cap during registration verify (9868df6)
- passkeys: return 204 when deleting a passkey (7d90fb8)
- passkeys: sign_count should be uint32 (e509e3a)
2.187.0 (2026-02-23)
- add metadata field to all hooks (#2365) (c675749)
- check current password on change (#2364) (33b87ae)
- indexworker: add max users threshold for rollout (#2374) (a2066c6)
- metrics: added a gauge with version information (#2375) (911ad0b)
- support custom oauth & oidc providers (#2357) (53021f6)
- case-insensitive Bearer token scheme matching (#2387) (36d712d)
- correctly parse JWT ValidMethods from env by enabling split_words (#2334) (a6076bc)
- flaky index worker test (#2366) (961a7e6)
- hooks: propagate error objects from hook calls (#2380) (3ca1e88)
- session upgrade percentage should be based on session, not request (#2371) (510e68b)
2.186.0 (2026-01-28)
- Add email send operation metrics (#2311) (0096575)
- add Supabase Auth identifier to OAuth redirect URLs (#2299) (2d3dbc6)
- log sb-auth-user-id, sb-auth-session-id, ... on sign in not just refresh token (#2342) (a486ada)
- oauth-server: store and enforce token_endpoint_auth_method (#2300) (bcd6cd5)
- replace JWT OAuth state with
flow_state.idUUID (#2331) (645654d) - upgrade existing sessions to v2 refresh tokens though config value (#2356) (6fb0e8a)
2.185.0 (2026-01-12)
- Add Sb-Forwarded-For header and IP-based rate limiting (#2295) (e8f679b)
- allow amr claim to be array of strings or objects (#2274) (607da43)
- reset main branch to 2.185.0 (#2325) (b9d0500)
- Treat rate limit header value as comma-separated list (#2282) (5f2e279)
- additional provider and issuer checks (#2326) (cb79a74)
- check each type independently (#2290) (d9de0af)
- fix the wrong error return value (#1950) (e2dfb5d)
- indexworker: remove pg_trgm extension (#2301) (c553b10)
- oauth-server: allow custom URI schemes in client redirect URIs (#2298) (ea72f57)
- tighten email validation rules (#2304) (33bb372)
2.184.0 (2025-12-08)
- increment refresh token counter by 2 for mfa verify (#2284) (2a38668)
- load template cache at startup for fault tolerance (#2261) (511c3a4)
- oauth: add support for X/Twitter v2 provider (#2275) (7f36eb0)
2.183.0 (2025-11-20)
- async, concurrent index creation for users table (#2239) (a1146bf)
- indexworker: use
auth_trgmextension if available (#2263) (05daa43) - oauthserver: add OpenID Connect support (#2250) (162788f)
- oauthserver: update oauth grant list & authorization details response structure (#2247) (137ea92)
- oauthserver: use
NewOAuthServerAuthorizationParams& configurable ttl for authorization (#2254) (61632f8)
- indexworker: detect which schema
pg_trgmexists in (#2260) (4be12b3) - look for refresh token on mfa verification only in v1 (#2249) (2906b24)
- mfa verify now works with refresh token algorithm v2 (#2246) (4e8275f)
- social-auth: default to current_user:read for Figma provider (#2195) (f409d11)
2.182.1 (2025-11-05)
2.182.0 (2025-11-05)
2.181.0 (2025-10-31)
- add
.well-known/openid-configuration(#2197) (9a8d0df) - add
auth_migrationannotation for the migrations (#2234) (b276d0b) - add advisor to notify you when to double the max connection pool (#2167) (a72f5d9)
- add after-user-created hook (#2169) (bd80df8)
- add support for account changes notifications in email send hook (#2192) (6b382ae)
- email address changed notification (#2181) (047f851)
- identity linked/unlinked notifications (#2185) (7d46936)
- introduce v2 refresh token algorithm (#2216) (dea5b8e)
- MFA factor enrollment notifications (#2183) (53db712)
- notify users when their phone number has changed (#2184) (21f3070)
- oauthserver: add OAuth client admin update endpoint (#2231) (6296a5a)
- properly handle redirect url fragments and unusual hostnames (#2200) (aa0ac5b)
- store latest challenge/attestation data (#2179) (01ebce1)
- support percentage based db limits with reload support (#2177) (1731466)
- webauthn support schema changes, update openapi.yaml (#2163) (68cb8d2)
- gosec incorrectly warns about accessing signature[64] (#2222) (bca6626)
- openapi: add missing OAuth client registration fields (#2227) (cf39a8a)
2.180.0 (2025-09-23)
- add OAuth client type (#2152) (b118f1f)
- add phone to sms webhook payload (#2160) (d475ac1)
- background template reloading p1 - baseline decomposition (#2148) (746c937)
- config reloading with fsnotify, poller fallback, and signals (#2161) (c77d512)
- enhance issuer URL validation in OAuth server metadata (#2164) (a9424d2)
- implement OAuth2 authorization endpoint (#2107) (5318552)
- oauth2: add
/oauth/tokenendpoint (#2159) (a89a0b0) - oauth2: add admin endpoint to regenerate OAuth client secrets (#2170) (0bd1c28)
- oauth2: return redirect_uri on GET authorization (#2175) (b0a0c3e)
- oauth2: use
idfield as the public client_id (#2154) (86b7de4) - openapi: add OAuth 2.1 server endpoints and clarify OAuth modes (#2165) (1f804a2)
- password changed email notification (#2176) (fe0fd04)
- support
transfer_subin apple id tokens (#2162) (8a71006)
- ensure request context exists in API db operations (#2171) (060a992)
- makefile: remove invalid @ symbol from shell commands (#2168) (e6afe45)
- oauth2: switch to Origin header for request validation (#2174) (42bc9ab)
2.179.0 (2025-08-28)
- add oauth2 client support (#2098) (8fae015)
- experimental own linking domains per provider (#2119) (747bf3b)
- fetch email from snapchat oauth provider if available for consistency (#2110) (7507822)
- implement link identity with oidc / native sign in (#2108) (5f0ec87)
- implements email-less accounts with oauth (#2105) (9a61dae)
- introduce request-scoped background tasks & async mail sending (#2126) (2c8ea61)
- refactor mailer client wiring and add validation wrapper (#2130) (68c40a6)
- support multiple
audfor the external providers (#2117) (ca5792e) - use
slices.Containsinstead of for loops (#2111) (9f22682)
- add
id-tokenpermission to ci (#2143) (79209c0) - add missing param (#2125) (c0b75f6)
- change s3 artifact upload role (#2145) (767e371)
- remove requirement of empty content-type on 204 (#2128) (ecc97e0)
- run release-please again (#2144) (2560f14)
- stripped binary now includes version (#2147) (609f169)
- update copyright year in LICENSE (#2142) (67fe0b0)
2.178.0 (2025-08-05)
- add sign in with ethereum (#2069) (079b242)
- add support for managing SSO providers by resource_id (#2081) (5ca4489)
- log all audit events separately to prevent missing events (#2086) (3b666f5)
- skip nonce check for Facebook Limited Login auth (#2082) (f1b15ff)
- support ledger solana offchain message signing (#2093) (4c94443)
2.177.0 (2025-07-05)
- add option to disable writing to
audit_log_entries(#2073) (80758dd) - add snapchat provider (#2071) (fca8ea4)
- enhance login analytics (#2078) (1aed4a2)
- fallback to jwt secret if alg is
HS256and thekidis not recognized (#2072) (8fa99bd) - ignore
audclaim from admin jwt (service_rolenever had one) (#2070) (57eddcb)
- add missing provider info to signedup audit logs (#2061) (c6e0cbe)
- auditlog: keep writing to logs even postgres is disabled (#2076) (b89bc32)
- do not log fatal when http server successfully closes (#2065) (1f7de6c)
- invites should send another email when user exists (#2058) (96469bd)
- use
appleid.apple.comas default issuer (#2068) (963a781) - use
split_wordsconfig option forAuditLog(#2075) (7ecb234)
2.176.1 (2025-06-11)
- new
odic.Providerfor apple with insecure issuer url context (#2055) (23d69f1) - skip apple oidc issuer check (#2053) (1c6f18e)
2.176.0 (2025-06-11)
2.175.0 (2025-06-03)
2.174.0 (2025-05-23)
- hooks round 2 - remove indirection and simplify error handling (#2025) (26e23f0)
- hooks round 4 - update tests to use require package (#2030) (aaf93df)
2.173.0 (2025-05-17)
- add
supafasttarball for upgrading auth via supabase-admin-api (#2009) (9b55785) - allow HTTP with localhost in solana (#2027) (3ee02f0)
- fix
supafasttarball generation (#2011) (88bb2c0)
2.172.1 (2025-05-05)
2.172.0 (2025-05-04)
- fix large group claim handling in azure id tokens (#1995) (2f323fe)
- use
global_user_idoversubforvercel_marketplaceissuer (#1990) (f94f97e)
- azure overage claims start with single
_not two (#1999) (29f3440) - remove azure claim overage code. (#2005) (63dce14)
- resolving azure overage claim should include
api-version=1.6query parameter (#2000) (44890d0) - upgrade godotenv to v1.5.1 to fix multiline file loading (#1997) (f2af4b2)
2.171.0 (2025-04-14)
- add sign in with solana (EIP-4361) support (#1918) (d121546)
- allow invalid config directories (#1969) (6b842f6)
- allow limiting lifespan of low-aal sessions (#1942) (d7a9ca6)
- Block specific outgoing mail servers (#1971) (091aef9)
- refactor hooks out of api package (#1976) (c5904c0)
- separate web3 rate limits from other
/token?grant_type=...(#1985) (8b23382)
- explicit permisions on actions (#1978) (06e9ead)
- propagate error when when confirming phone (#1939) (e882b42)
- redirects must not be to ip addresses (#1984) (347e23a)
- sanitize redirect URL (remove fragment, query) before pattern matching (#1974) (ccf20d7)
2.170.0 (2025-03-06)
- improvements to config reloader, 100% coverage (#1933) (21c2256)
- increase test coverage in conf package to 100% (#1937) (bc57c1c)
- enable SO_REUSEPORT in listener config (#1936) (a474b80)
- ignore not found error to check for pkce prefix later (#1929) (fbbebcc)
- log version & migration count (#1934) (8078cdc)
- update figma token endpoint (#1952) (18fbbb5)
- use sys/unix instead of syscall (#1953) (4a6d9bc)
2.169.0 (2025-01-27)
- add an optional burstable rate limiter (#1924) (1f06f58)
- cover 100% of crypto with tests (#1892) (174198e)
- convert refreshed_at to UTC before updating (#1916) (a4c692f)
- correct casing of API key authentication in openapi.yaml (0cfd177)
- improve invalid channel error message returned (#1908) (f72f0ee)
- improve saml assertion logging (#1915) (d6030cc)
2.168.0 (2025-01-06)
2.167.0 (2024-12-24)
2.166.0 (2024-12-23)
- check if session is nil (#1873) (fd82601)
- email_verified field not being updated on signup confirmation (#1868) (483463e)
- handle user banned error code (#1851) (a6918f4)
- Revert "fix: revert fallback on btree indexes when hash is unavailable" (#1859) (9fe5b1e)
- skip cleanup for non-2xx status (#1877) (f572ced)
2.165.1 (2024-12-06)
2.165.0 (2024-12-05)
- add email validation function to lower bounce rates (#1845) (2c291f0)
- use embedded migrations for
migratecommand (#1843) (e358da5)
- fallback on btree indexes when hash is unavailable (#1856) (b33bc31)
- return the error code instead of status code (#1855) (834a380)
- revert fallback on btree indexes when hash is unavailable (#1858) (1c7202f)
- update ip mismatch error message (#1849) (49fbbf0)
2.164.0 (2024-11-13)
- add error codes to refresh token flow (#1824) (4614dc5)
- add test coverage for rate limits with 0 permitted events (#1834) (7c3cf26)
- correct web authn aaguid column naming (#1826) (0a589d0)
- default to files:read scope for Figma provider (#1831) (9ce2857)
- improve error messaging for http hooks (#1821) (fa020d0)
- make drop_uniqueness_constraint_on_phone idempotent (#1817) (158e473)
- possible panic if refresh token has a null session_id (#1822) (a7129df)
- rate limits of 0 take precedence over MAILER_AUTO_CONFIRM (#1837) (cb7894e)
2.163.2 (2024-10-22)
2.163.1 (2024-10-22)
2.163.0 (2024-10-15)
- add mail header support via
GOTRUE_SMTP_HEADERSwith$messageType(#1804) (99d6a13) - add MFA for WebAuthn (#1775) (8cc2f0e)
- configurable email and sms rate limiting (#1800) (5e94047)
- mailer logging (#1805) (9354b83)
- preserve rate limiters in memory across configuration reloads (#1792) (0a3968b)
- add twilio verify support on mfa (#1714) (aeb5d8f)
- email header setting no longer misleading (#1802) (3af03be)
- enforce authorized address checks on send email only (#1806) (c0c5b23)
- fix
getExcludedColumnsslice allocation (#1788) (7f006b6) - Fix reqPath for bypass check for verify EP (#1789) (646dc66)
- inline mailme package for easy development (#1803) (fa6f729)
2.162.2 (2024-10-05)
- refactor mfa validation into functions (#1780) (410b8ac)
- upgrade ci Go version (#1782) (97a48f6)
- validateEmail should normalise emails (#1790) (2e9b144)
2.162.1 (2024-10-03)
2.162.0 (2024-09-27)
- apply authorized email restriction to non-admin routes (#1778) (1af203f)
- magiclink failing due to passwordStrength check (#1769) (7a5411f)
2.161.0 (2024-09-24)
- add
x-sb-error-codeheader, show error code in logs (#1765) (ed91c59) - add webauthn configuration variables (#1773) (77d5897)
- config reloading (#1771) (6ee0091)
- add additional information around errors for missing content type header (#1576) (c2b2f96)
- add token to hook payload for non-secure email change (#1763) (7e472ad)
- update aal requirements to update user (#1766) (25d9874)
- update mfa admin methods (#1774) (567ea7e)
- user sanitization should clean up email change info too (#1759) (9d419b4)
2.160.0 (2024-09-02)
- add authorized email address support (#1757) (f3a28d1)
- add option to disable magic links (#1756) (2ad0737)
- add support for saml encrypted assertions (#1752) (c5480ef)
- apply shared limiters before email / sms is sent (#1748) (bf276ab)
- simplify WaitForCleanup (#1747) (0084625)
2.159.2 (2024-08-28)
- allow anonymous user to update password (#1739) (2d51956)
- hide hook name (#1743) (7e38f4c)
- remove server side cookie token methods (#1742) (c6efec4)
2.159.1 (2024-08-23)
2.159.0 (2024-08-21)
- add error codes to password login flow (#1721) (4351226)
- change phone constraint to per user (#1713) (b9bc769)
- custom SMS does not work with Twilio Verify (#1733) (dc2391d)
- ignore errors if transaction has closed already (#1726) (53c11d1)
- redirect invalid state errors to site url (#1722) (b2b1123)
- remove TOTP field for phone enroll response (#1717) (4b04327)
- use signing jwk to sign oauth state (#1728) (66fd0c8)
2.158.1 (2024-08-05)
- add last_challenged_at field to mfa factors (#1705) (29cbeb7)
- allow enabling sms hook without setting up sms provider (#1704) (575e88a)
- drop the MFA_ENABLED config (#1701) (078c3a8)
- enforce uniqueness on verified phone numbers (#1693) (70446cc)
- expose
X-Supabase-Api-Versionheader in CORS (#1612) (6ccd814) - include factor_id in query (#1702) (ac14e82)
- move is owned by check to load factor (#1703) (701a779)
- refactor TOTP MFA into separate methods (#1698) (250d92f)
- remove check for content-length (#1700) (81b332d)
- remove FindFactorsByUser (#1707) (af8e2dd)
- update openapi spec for MFA (Phone) (#1689) (a3da4b8)
2.158.0 (2024-07-31)
- maintain backward compatibility for asymmetric JWTs (#1690) (0ad1402)
- MFA NewFactor to default to creating unverfied factors (#1692) (3d448fa)
- minor spelling errors (#1688) (6aca52b), closes #1682
- treat
GOTRUE_MFA_ENABLEDas meaning TOTP enabled on enroll and verify (#1694) (8015251) - update mfa phone migration to be idempotent (#1687) (fdff1e7)
2.157.0 (2024-07-26)
2.156.0 (2024-07-25)
2.155.6 (2024-07-22)
2.155.5 (2024-07-19)
- check password max length in checkPasswordStrength (#1659) (1858c93)
- don't update attribute mapping if nil (#1665) (7e67f3e)
- refactor mfa models and add observability to loadFactor (#1669) (822fb93)
2.155.4 (2024-07-17)
2.155.3 (2024-07-12)
2.155.2 (2024-07-12)
- improve session error logging (#1655) (5a6793e)
- omit empty string from name & use case-insensitive equality for comparing SAML attributes (#1654) (bf5381a)
- set rate limit log level to warn (#1652) (10ca9c8)
2.155.1 (2024-07-04)
- apply mailer autoconfirm config to update user email (#1646) (a518505)
- check for empty aud string (#1649) (42c1d45)
- return proper error if sms rate limit is exceeded (#1647) (3c8d765)
2.155.0 (2024-07-03)
- improve mfa verify logs (#1635) (d8b47f9)
- invited users should have a temporary password generated (#1644) (3f70d9d)
- upgrade golang-jwt to v5 (#1639) (2cb97f0)
- use pointer for
user.EncryptedPassword(#1637) (bbecbd6)
2.154.2 (2024-06-24)
- publish to ghcr.io/supabase/auth (#1626) (930aa3e), closes #1625
- revert define search path in auth functions (#1634) (155e87e)
- update MaxFrequency error message to reflect number of seconds (#1540) (e81c25d)
2.154.1 (2024-06-17)
- add ip based limiter (#1622) (06464c0)
- admin user update should update is_anonymous field (#1623) (f5c6fcd)
2.154.0 (2024-06-12)
- add max length check for email (#1508) (f9c13c0)
- add support for Slack OAuth V2 (#1591) (bb99251)
- encrypt sensitive columns (#1593) (e4a4758)
- upgrade otel to v1.26 (#1585) (cdd13ad)
- use largest avatar from spotify instead (#1210) (4f9994b), closes #1209
- define search path in auth functions (#1616) (357bda2)
- enable rls & update grants for auth tables (#1617) (28967aa)
2.153.0 (2024-06-04)
- add SAML specific external URL config (#1599) (b352719)
- add support for verifying argon2i and argon2id passwords (#1597) (55409f7)
- make the email client explicity set the format to be HTML (#1149) (53e223a)
- call write header in write if not written (#1598) (0ef7eb3)
- deadlock issue with timeout middleware write (#1595) (6c9fbd4)
- improve token OIDC logging (#1606) (5262683)
- update contributing to use v1.22 (#1609) (5894d9e)
2.152.0 (2024-05-22)
- new timeout writer implementation (#1584) (72614a1)
- remove legacy lookup in users for one_time_tokens (phase II) (#1569) (39ca026)
- update chi version (#1581) (c64ae3d)
- update openapi spec with identity and is_anonymous fields (#1573) (86a79df)
- improve logging structure (#1583) (c22fc15)
- sms verify should update is_anonymous field (#1580) (e5f98cb)
- use api_external_url domain as localname (#1575) (ed2b490)
2.151.0 (2024-05-06)
- do call send sms hook when SMS autoconfirm is enabled (#1562) (bfe4d98)
- format test otps (#1567) (434a59a)
- log final writer error instead of handling (#1564) (170bd66)
2.150.1 (2024-04-28)
2.150.0 (2024-04-25)
- add support for Azure CIAM login (#1541) (1cb4f96)
- add timeout middleware (#1529) (f96ff31)
- allow for postgres and http functions on each extensibility point (#1528) (348a1da)
- merge provider metadata on link account (#1552) (bd8b5c4)
- send over user in SendSMS Hook instead of UserID (#1551) (d4d743c)
2.149.0 (2024-04-15)
- linkedin_oidc provider error (#1534) (4f5e8e5)
- revert patch for linkedin_oidc provider error (#1535) (58ef4af)
- update linkedin issuer url (#1536) (10d6d8b)
2.148.0 (2024-04-10)
2.147.1 (2024-04-09)
- add validation and proper decoding on send email hook (#1520) (e19e762)
- remove deprecated LogoutAllRefreshTokens (#1519) (35533ea)
2.147.0 (2024-04-05)
2.146.0 (2024-04-03)
- add custom sms hook (#1474) (0f6b29a)
- forbid generating an access token without a session (#1504) (795e93d)
- add cleanup statement for anonymous users (#1497) (cf2372a)
- generate signup link should not error (#1514) (4fc3881)
- move all EmailActionTypes to mailer package (#1510) (765db08)
- refactor mfa and aal update methods (#1503) (31a5854)
- rename from CustomSMSProvider to SendSMS (#1513) (c0bc37b)
2.145.0 (2024-03-26)
- add error codes (#1377) (e4beea1)
- add kakao OIDC (#1381) (b5566e7)
- clean up expired factors (#1371) (5c94207)
- configurable NameID format for SAML provider (#1481) (ef405d8)
- HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets (#1467) (5b24c4e)
- refactor PKCE FlowState to reduce duplicate code (#1446) (b8d0337)
- add http support for https hooks on localhost (#1484) (5c04104)
- cleanup panics due to bad inactivity timeout code (#1471) (548edf8)
- docs: remove bracket on file name for broken link (#1493) (96f7a68)
- impose expiry on auth code instead of magic link (#1440) (35aeaf1)
- invalidate email, phone OTPs on password change (#1489) (960a4f9)
- move creation of flow state into function (#1470) (4392a08)
- prevent user email side-channel leak on verify (#1472) (311cde8)
- refactor email sending functions (#1495) (285c290)
- refactor factor_test to centralize setup (#1473) (c86007e)
- refactor mfa challenge and tests (#1469) (6c76f21)
- Resend SMS when duplicate SMS sign ups are made (#1490) (73240a0)
- unlink identity bugs (#1475) (73e8d87)
2.144.0 (2024-03-04)
- add configuration for custom sms sender hook (#1428) (1ea56b6)
- anonymous sign-ins (#1460) (130df16)
- clean up test setup in MFA tests (#1452) (7185af8)
- pass transaction to
invokeHook, fixing pool exhaustion (#1465) (b536d36) - refactor resource owner password grant (#1443) (e63ad6f)
- use dummy instance id to improve performance on refresh token queries (#1454) (656474e)
- expose
providerunderamrin access token (#1456) (e9f38e7) - improve MFA QR Code resilience so as to support providers like 1Password (#1455) (6522780)
- refactor request params to use generics (#1464) (e1cdf5c)
- revert refactor resource owner password grant (#1466) (fa21244)
- update file name so migration to Drop IP Address is applied (#1447) (f29e89d)
2.143.0 (2024-02-19)
- deprecate hooks (#1421) (effef1b)
- error should be an IsNotFoundError (#1432) (7f40047)
- populate password verification attempt hook (#1436) (f974bdb)
- restrict mfa enrollment to aal2 if verified factors are present (#1439) (7e10d45)
- update phone if autoconfirm is enabled (#1431) (95db770)
- use email change email in identity (#1429) (4d3b9b8)
2.142.0 (2024-02-14)
2.141.0 (2024-02-13)
2.140.0 (2024-02-13)
- deprecate existing webhook implementation (#1417) (5301e48)
- update publish.yml checkout repository so there is access to Dockerfile (#1419) (7cce351)
2.139.2 (2024-02-08)
- improve perf in account linking (#1394) (8eedb95)
- OIDC provider validation log message (#1380) (27e6b1f)
- only create or update the email / phone identity after it's been verified (#1403) (2d20729)
- only create or update the email / phone identity after it's been verified (again) (#1409) (bc6a5b8)
- unmarshal is_private_email correctly (#1402) (47df151)
- use
patternfor semver docker image tags (#1411) (14a3aeb)