hanko Changelog

March 2026 Updates

March 3, 2026

This release improves user profile handling, enhances session token transparency, and includes important security fixes.

New Features

Name and Picture Attributes for Users

Users can now store name and picture attributes directly in Hanko.

This allows:

  • Richer user profiles
  • Better OIDC compatibility
  • Easier frontend integrations that expect display name and avatar fields

These attributes follow standard OIDC conventions, are available via the API, and can be managed like other user properties. The main source for these properties will be 3rd-party accounts like Google or GitHub for now. We will add the required functionality to manage these fields to the profile element in a later update.

AMR Values in Session Tokens

Session tokens now include AMR (Authentication Methods References) values.

This enables relying parties to:

  • Inspect how a user authenticated (e.g. passkey, password, MFA)
  • Improve auditability and policy decisions

The AMR claim follows standard OIDC conventions.

Extended /me Endpoint

The /me endpoint has been extended to return additional user information.

This reduces the need for follow-up requests and simplifies frontend integrations that rely on a single user introspection endpoint.

Bug Fixes

Prevent SQL Injection in audit_logs Queries

Replaced string concatenation with prepared statements when querying audit_logs.
This prevents potential SQL injection attacks and strengthens overall security.

Security Notification Webhooks Fixed

Security notification webhooks were not triggering correctly in certain scenarios.
This has been fixed and webhooks now work as expected.

See all updates
hanko Changelog
Stay up-to-date with the latest releases, new features, and bug fixes.

Built and authenticate with Hanko

Get started for free