Added XOauth2 authentication support for SMTP, enabling integrations with modern providers like Gmail and Microsoft Exchange Online.

Added UI support for configuring XOAuth2 SMTP authentication in the Management Console.

Added the ability to manage OIDC Back-Channel Logout URIs directly within the application settings in the Management Console.

Added a setting to disable automatic redemption of email verification codes. This prevents link scanners from inadvertently consuming one-time codes before the user interaction.

Introduced log streams (Runtime, Request, Event Handler, Queue, Event Pusher) to provide better granularity and context in logs.

Added support for Google Cloud Error Reporting with formatted stack traces and location reporting.

Enabled cross-app distributed tracing for V2 APIs by honoring incoming W3C traceparent headers.

The settings service now returns the list of allowed languages, enabling Login V2 to correctly respect these restrictions.

Back-Channel Logout notifications are now processed via a worker queue (River) to prevent back-pressure on projection handlers.

Refactored the SAML Post binding flow to bypass browser cookie size limits by returning form data directly to the client for auto-submission. This fixes 404 errors and missing state when using external SAML IdPs or the SAML IdP interface.

Fixed an issue where users without explicit roles would see a blank screen in the Console after a password reset. These users are now correctly redirected to their profile page.

The Login V2 UI now correctly respects the Instance Password Complexity settings and only displays the required criteria.

Updated database setup steps to ensure compatibility with PostgreSQL 18, particularly regarding partitioned table persistence (LOGGED vs UNLOGGED).

Fixed an issue where OIDC `CreateApplication` requests ignored the provided application ID.

Made authentication optional for testing SMTP settings to maintain backwards compatibility after the introduction of XOAuth2.

Increased the contrast ratio for disabled buttons in dark mode to 1.69 for better accessibility.

`allowUsernamePassword` is deprecated and replaced by `allowLocalAuthentication`. The login UI now hides the username form if local authentication is disabled.

OAuth2 Token Exchange has been moved from Beta to General Availability (GA). The feature toggle is now deprecated.

OIDC Back-Channel Logout has been moved from Beta to General Availability (GA). The feature toggle is now deprecated.

Unified telemetry and instrumentation using context-aware structured logging and OpenTelemetry exporters.