4.9.0

2026-01-06
minor

Features 4

  • Add recovery code MFA support (#9954, #6898)
    Adds recovery codes as a new 2FA factor and as an additional check type for the Session API. Users can generate, use, and manage one-time recovery codes as a backup MFA method. Includes a recovery_code check on the v2/sessions endpoints, a new mfa_recovery_code_checked_at column on the projections.sessions8 table, support for SECOND_FACTOR_TYPE_RECOVERY_CODES in the login policy, and recovery code import.
    auth session-api mfa
  • Add Ukrainian language support (#10696)
    Complete Ukrainian localization for ZITADEL, including console translations (2,861 strings), the login interface (535 strings), email notifications (68 strings), and common texts (1,417 strings). The translations use established Ukrainian IT terminology and the formal register appropriate for business software.
    i18n console login
  • Add French localization (#11050)
    Re-adds French localization support to the new login app that was present in the previous version.
    i18n login
  • Add Dutch (nl) locale (#11139)
    Adds Dutch translations to the login UI v2, including nl.json with complete Dutch translations and integration into the language dropdown.
    i18n login

Bug Fixes 8

  • Execute actions without features set (#11271)
    Fixed an issue where actions were never executed on systems that did not have any features set. The scanAuthzInstance function now correctly handles queries that return no features.
    actions
  • Fix typos in MustBeMemoryOfOrg i18n strings (#11085)
    Fixed a grammar mistake in the user membership strings, from 'The user must be member' to 'The user must be a member'.
    i18n
  • ID token had no lifetime for client credentials (#11204, #11060)
    Fixed an issue where the ID token had no lifetime when a token was requested using the client_credentials grant. The token now uses the lifetime provided by the server, allowing proper validation.
    oidc tokens
  • Inconsistent user creation v2 radio buttons (#11208, #11092)
    Fixed unresponsive radio buttons in the User V2 creation form. The radio buttons now work when clicked directly, not only via the label text. The app-auth-method-radio-theme mixin selector is now scoped to .auth-method-radio-button-wrapper so that it only affects the intended component.
    console ui
  • Cleanup server logs of sensitive information (#11195, #11184)
    Removed unnecessary logging of loginName and idpIntent from server-side logs to reduce data noise and improve security hygiene. The loginName was already retrievable from URL parameters, and logging idpIntent provided no additional value.
    login logging
  • Delete custom request headers when their value is empty (#11263)
    Extended CUSTOM_REQUEST_HEADERS handling so that default headers can be removed by setting empty values. When a header is defined with an empty value (e.g., x-zitadel-public-host:), the interceptor deletes that header from the request, allowing opt-out of default headers via configuration.
    login configuration
  • Enable explicit IDP linking using existing session id (#11225, #11191)
    Fixed IDP linking for accounts with no authentication method. Added strict session ownership validation and hash generation using the sessionId plus the fingerprintId cookie. Improved TypeScript error handling in the IDP intent processing logic, with safe error propagation to client-side redirect URLs.
    login idp saml
  • Fix typo in LoginPolicy.IgnoreUnknownUsernames config (#11243, #11007)
    Fixed an issue where the config DefaultInstance.LoginPolicy.IgnoreUnknownUsernames was ignored during application start due to a typo in the field name used during unmarshaling (was IgnoreUnknownUsername, now IgnoreUnknownUsernames).
    configuration login-policy
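The "delete custom request headers when their value is empty" semantics described above, as an added example that is not ZITADEL's own interceptor code. It assumes CUSTOM_REQUEST_HEADERS is a comma-separated list of name:value pairs (an assumption about the format) and uses constructed default headers; a pair with an empty value removes that header, a non-empty value sets or overrides it.

```typescript
// Added example: applies CUSTOM_REQUEST_HEADERS to a set of default headers.
// Assumed format (not confirmed by the changelog): "name:value,name2:value2".
// An empty value (e.g. "x-zitadel-public-host:") means "delete this header".
type HeaderOp = { name: string; value: string | null };

function parseCustomRequestHeaders(raw: string): HeaderOp[] {
  const ops: HeaderOp[] = [];
  for (const entry of raw.split(",")) {
    const pair = entry.trim();
    if (pair.length === 0) continue;              // tolerate trailing commas
    const idx = pair.indexOf(":");                // split on the FIRST colon so
    if (idx === -1) continue;                     // values like "host:8443" survive
    const name = pair.slice(0, idx).trim().toLowerCase(); // header names are case-insensitive
    const value = pair.slice(idx + 1).trim();
    if (name.length === 0) continue;              // ":value" is malformed, ignore it
    ops.push({ name, value: value.length === 0 ? null : value });
  }
  return ops;
}

// Returns the effective request headers: defaults first, then the configured
// overrides, with empty-valued entries removing the header entirely.
function applyCustomRequestHeaders(
  defaults: Record<string, string>,
  raw: string,
): Record<string, string> {
  const headers: Record<string, string> = {};
  for (const [name, value] of Object.entries(defaults)) {
    headers[name.toLowerCase()] = value;
  }
  for (const op of parseCustomRequestHeaders(raw)) {
    if (op.value === null) {
      delete headers[op.name];                    // opt-out of a default header
    } else {
      headers[op.name] = op.value;                // set or override
    }
  }
  return headers;
}

// Constructed sample: one default header opted out, one custom header added.
const sampleDefaults = { "x-zitadel-public-host": "login.example.test", "x-example-default": "keep" };
const effective = applyCustomRequestHeaders(sampleDefaults, "x-zitadel-public-host:, x-trace-id: abc123");
console.log(effective); // { 'x-example-default': 'keep', 'x-trace-id': 'abc123' }
```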