Releases: thunder-id/thunderid
Release list
ThunderID v0.48.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows. It works across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
- MCP - by following Securing MCP Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Introduce generic OTPExecutor with channel-agnostic OTP generation by @Dilusha-Madushan in #3477
- Add sql support for runtimestore by @senthalan in #3818
- Split access token config by subject (userConfig/clientConfig) and embed client attributes as claims by @Dilusha-Madushan in #3737
- Gate atomic authentication APIs with a server-level secret by @Malith-19 in #3762
- Move flowSecret to a request header for /flow/execute by @Malith-19 in #3808
- Update default bootstrap flows by @ThaminduDilshan in #3898
- Attribute Cache is updated to use RuntimeStoreProvider by @anushasunkada in #3863
🚀 Features
- Add attribute library and schema builder UX for user types by @sadilchamishka in #3607
- Add MCP client application type support to Console UI by @sahandilshan in #3746
- Resolve federated users by a configurable IdP attribute by @sadilchamishka in #3676
- Add admin password reset for users by @NutharaNR in #3858
- Add flow-centric browser SSO by @madurangasiriwardena in #3779
✨ Improvements
- Block connection deletion when in use by @rajithacharith in #3751
- Added runtimestore provider interface by @anushasunkada in #3730
- Route http.Server connection errors through the system logger by @rajithacharith in #3768
- Improve revocation convensions by @indeewari in #3772
- Bind authentication assertion to auth request ID by @ThaminduDilshan in #3776
- Optimize cors runtime. by @ImalshaD in #3781
- Update default bootstrap flows and flow templates by @ThaminduDilshan in #3790
- Support writing application logs to a file with rotation by @UdeshAthukorala in #3773
- Block connection deletion when dependencies exist by @rajithacharith in #3793
- Enforce token revocation inside the token validator by @indeewari in #3803
- Cascade delete role and group assignments on user deletion by @rajithacharith in #3802
- Add Email OTP flow components by @ThaminduDilshan in #3817
- Cascade deletion support for apps, agents and groups by @rajithacharith in #3826
- Add support for one time use inputs by @NutharaNR in #3724
- Add SAN extension to RSA certificate generation by @sahandilshan in #3856
- Unify resource deletion behavior through the dependency registry by @rajithacharith in #3841
- Enforce token revocation at the Resource Server request path by @indeewari in #3839
- Update mcp server UI by @sahandilshan in #3791
- Add AuthZEN authorization to Wayfinder MCP tools by @Yathusiga27 in #3775
- Add support to configure
CSS Classesvia flows by @brionmario in #3859 - Added resource indicator to the console config by @ImalshaD in #3862
- Simplify public URL configuration by @Osara-B in #3837
- Add OpenChoreo resource type and sample resource by @ayeshajay in #3857
- Implement SMS providers support in Connections page by @JayaShakthi97 in #3720
- Harden static file serving against path traversal and sanitize docs data-page attribute by @UdeshAthukorala in #3882
- Revoke the consumed refresh token on rotation to enforce single-use by @indeewari in #3872
- Support configurable default resource server. by @ImalshaD in #3874
- Improvements on browser SSO by @madurangasiriwardena in #3907
- Update OpenChoreo resource type and sample resource by @ayeshajay in #3910
- Redesign the agent edit page by @Dilusha-Madushan in #3755
🐛 Bug Fixes
- Fix wayfinder sample provisioning in try-consumer CLI flow by @UdeshAthukorala in #3820
- Improvements to display MagicLink Authenticator in Assurance list by @RandithaK in #3767
- Filter OIDC scopes by application scopes by @Yathusiga27 in #3844
- Fix insufficient permissions error during user creation by @ravindu439 in #3770
- Omit query parameters from access logs by @Osara-B in #3889
- Support trusted token audiences for token exchange by @Yathusiga27 in #3881
- Fix user credentials handling in UpdateUser method and update tests by @Sadeesha-Sath in #3884
- Fix Default SMS OTP Flow Template by @Sadeesha-Sath in #3905
- Handle OU deletion i18n errors in the Console by @rajithacharith in #3913
New Contributors
- @ZiyamSanthosh made their first contribution in #3619
- @Sadeesha-Sath made their first contribution in #3884
Full Changelog: v0.47.0...v0.48.0
License
Licenses this source under the Ap...
ThunderID v0.47.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows. It works across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
- MCP - by following Securing MCP Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Refactor mobileNumber attribute to snake_case by @NutharaNR in #3498
- Remove redundant entity-level certificates by @Yathusiga27 in #3475
- Add dynamic cors support. by @ImalshaD in #3553
- Update consent server version by @ThumulaPerera in #3518
- Remove SKIP_SECURITY and create default resources in-process by @UdeshAthukorala in #3381
- Standardize context variable resolution pattern in HttpRequestExecutor by @kavix in #3636
- Support configuring the log level via deployment.yaml by @UdeshAthukorala in #3693
- Verify Flow Secret for backend applications at flow initiation by @Malith-19 in #3476
- Fix pagination link issue in OU handle based user and group listing APIs by @AnuradhaSK in #3722
🚀 Features
- Support Server-wide generic store support. by @ImalshaD in #3512
- Add call node core implementation by @ThaminduDilshan in #3650
- Add Server Configurations UI support. by @ImalshaD in #3699
- Add flow definition validator by @NutharaNR in #3543
- Add call node components to the flow builder and gate UI by @ThaminduDilshan in #3738
- Add RFC 7009 token revocation with deny-list enforcement by @indeewari in #3727
✨ Improvements
- Refactor server-key cryptography by @Osara-B in #3485
- Added and moved providers into thunderidengine package by @anushasunkada in #3530
- Moved ConsentEnforcer interface to thunderidengine by @anushasunkada in #3567
- Update Next.js SDK docs & Remove B2B SDK docs by @brionmario in #3570
- Renamed the provider interfaces by @anushasunkada in #3580
- Propagate correlation ID to outbound HTTP requests by @UdeshAthukorala in #3422
- Add
/integratecommands to ThunderID CLI by @brionmario in #3625 - Add kind discriminator for MCP resource server tools and resources by @sahandilshan in #3550
- Update default agent type schema with structured attributes by @Dilusha-Madushan in #3545
- Clarifying default owner behaviour in agent create wizard by @Dilusha-Madushan in #3646
- Refactor and improve verifiable credentials quick-start by @thiva-k in #3632
- Added coverage and added observabilityProvider and authzprovider by @anushasunkada in #3633
- Add theme usages endpoint and pre-delete confirmation UI by @rajithacharith in #3208
- Add multi-auth mode support to Wayfinder sample by @Dilusha-Madushan in #3319
- Improve VC and wallet onboarding UI by @thiva-k in #3656
- Render MCP resource servers with an MCP-native Capabilities view by @sahandilshan in #3551
- Add import/export support to server_configs by @ImalshaD in #3706
- Add usage service registry and flow usages support by @rajithacharith in #3362
- Add Connections API and console UI by @JayaShakthi97 in #3536
- Parameterize I18nMessage to move runtime values out of DefaultValue by @UdeshAthukorala in #3665
- Auto-configure CORS allowed origins for source dev mode by @ImalshaD in #3711
- Decouple JOSE config from the global server config by @Osara-B in #3614
- Add usage support for users by @rajithacharith in #3712
- Add verifiable credentials samples, try-out and protocol docs by @thiva-k in #3704
- Support OU bounded role listing API by @AnuradhaSK in #3528
- Block user deletion when blocking dependencies are present by @rajithacharith in #3740
🐛 Bug Fixes
- Fix Resource Server identifier update error from Console by @Yathusiga27 in #3542
- Force consent reprompt on every CIBA request by @Dilusha-Madushan in #3596
- Fix bootstrap YAML parser bug with CRLF line endings by @ravindu439 in #3691
- Update certificate generation in build.ps1 scripts by @ravindu439 in #3671
- Improvement to the Email Executor and MagicLink Executor by @RandithaK in #3666
- Fix wayfinder declarative resources by @ThaminduDilshan in #3748
New Contributors
Full Changelog: v0.46.0...v0.47.0
License
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.
ThunderID v0.46.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows. It works across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
- MCP - by following Securing MCP Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Block SPA creation with native flow execution by @Malith-19 in #3389
- Add OpenID4VCI and verifiable credentials management support by @thiva-k in #3474
✨ Improvements
- added promp=consent support in authorize by @sacrana0 in #3341
- verified_claims support in claims parameter of authorization request by @sacrana0 in #3320
- Add common input validation layer for API request payloads by @samadhisakunika in #3247
- Improvements to Notification Package by @RandithaK in #3397
- Provide UI support for app config improvements by @NutharaNR in #3377
- Move JavaScript SDKs out of the monorepo by @brionmario in #3456
- Add Ask AI via @docsearch/docusaurus-adapter by @himeshsiriwardana in #3473
- Add current node inputs to interceptor context by @NutharaNR in #3462
- Remove SDK build Make commands by @madurangasiriwardena in #3482
🐛 Bug Fixes
- Return specific error for attribute conflicts during user provisioning by @kavix in #3317
- Fix console import summary not listing all resource types by @KD23243 in #3390
- Resolve favicon by OS color scheme and Vite base URL by @KD23243 in #3411
- Reconcile custom sign-in flow selection with method toggles in app creation by @KD23243 in #3466
- Hide Guide tab when no guide exists for selected template variant by @KD23243 in #3472
- Fix stale in-memory graph cache issue in multi-node deployments by @NutharaNR in #3471
New Contributors
Full Changelog: v0.45.0...v0.46.0
License
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.
ThunderID v0.45.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows. It works across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
- MCP - by following Securing MCP Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Reorganize the Thunder distribution directory structure by @UdeshAthukorala in #3300
- Use camelCase for declarative resource attributes by @UdeshAthukorala in #3307
- Add IDP attribute configuration for token exchange and federated login by @sadilchamishka in #3127
- Rename BasicAuth executor to CredentialsAuth by @Dilusha-Madushan in #2777
- Block direct HTTP flow initiation for authorization_code grant type apps by @Malith-19 in #3289
- Add pre/post interceptor core logic for flows by @NutharaNR in #3123
🚀 Features
- Add CIBA poll mode support to the JavaScript SDK by @Dilusha-Madushan in #3340
✨ Improvements
- Replace OpenID4VP handler test stub with generated mock by @UdeshAthukorala in #3282
- Refactoring exporter structs to unexported by @samadhisakunika in #3334
- Separated oauth and flow config, added consolidated actorProvider by @anushasunkada in #3306
- Update usages of Authenticated User by @ThumulaPerera in #3206
- Make OTP length, character set, and validity period configurable by @HesandaLiyanage in #3297
- Change gate app slogan + bump oxygen-ui version to 0.11.0 by @jeradrutnam in #3323
- Move transitive group membership resolution to group layer by @rajithacharith in #3278
- Added RuntimeMetadata to AuthnProvider and ConsentEnforcer by @anushasunkada in #3358
- Generalizing the Notification System by @RandithaK in #3333
- Add permission assingment UI for role management by @sahandilshan in #3288
- Enrich the CLI experience with usecases to quickly try out ThunderID by @brionmario in #3279
- Add input validation support to flow components by @SajidMannikeri17 in #3301
- Improve CIBA poll mode implementation by @Dilusha-Madushan in #3369
- Enable MCP server tryout on welcome screen by @jeradrutnam in #3383
🐛 Bug Fixes
- Preserve sub claim during IDP attribute mapping by @sadilchamishka in #3354
- Fix integration test coverage path duplication on Windows by @samadhisakunika in #3372
Full Changelog: v0.44.0...v0.45.0
License
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.
ThunderID v0.44.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows. It works across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
- MCP - by following Securing MCP Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Add resource server type as immutable metadata by @sahandilshan in #3187
- Fix handling of ECDSA keys by @hwupathum in #2632
🚀 Features
- Add AuthZEN PDP support by @Yathusiga27 in #3179
✨ Improvements
- Bundle Monaco editor locally to support no-internet environments by @JayaShakthi97 in #3205
- Serve .js assets as application/javascript to enable proxy compression by @JayaShakthi97 in #3207
- Release Arch-wise sample releases and stick with a Zip archives by @brionmario in #3174
- Migrate backend log calls to context-aware logging method by @UdeshAthukorala in #3238
- Improve welcome try with samples feature along with improvements for the breadcrumb by @jeradrutnam in #3249
- Extract prismjs Vite plugin into shared @thunderid/build-plugins package by @JayaShakthi97 in #3241
- SDK support for magic link authentication by @RandithaK in #3159
- Implement Magic Link Frontend by @RandithaK in #2987
- Improvements to the magic link implementation by @RandithaK in #3158
- Add a local smtp server to the wayfinder sample by @ThaminduDilshan in #3262
- Remove deprecated logging methods and finalize the context-first logging methods by @UdeshAthukorala in #3254
- Add resource server management UI to the Console by @sahandilshan in #3188
- Configurable builtin executors by @anushasunkada in #3066
- Add tryout secure AI agent to welcome page along with few other improvements by @jeradrutnam in #3281
- Update wayfinder self signup with a registration completion page by @ThaminduDilshan in #3285
- Add CIBA id_token_hint support and demo scripts for wayfinder upgrade… by @Dilusha-Madushan in #3286
- Support multi-group and multi-role assignment in provisioning executor by @Dilusha-Madushan in #3295
🐛 Bug Fixes
- Fix paths in krakend doc by @piraveena in #3250
- Fix email executor with attribute resolution fallback by @ThaminduDilshan in #3251
- Fix b2c try it out flows by @ThaminduDilshan in #3259
- Fix auto redirection of signup component for display responses by @ThaminduDilshan in #3284
- Show "Finish" on last step of application creation wizard by @sadilchamishka in #2839
- Remove duplicate node property rendering in flow builder executor panel by @Dilusha-Madushan in #3296
New Contributors
- @piraveena made their first contribution in #3248
Full Changelog: v0.43.0...v0.44.0
License
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.
ThunderID v0.43.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows. It works across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
- MCP - by following Securing MCP Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Unify flow execution error by @NutharaNR in #2677
🚀 Features
- Add CIBA poll mode authentication by @Dilusha-Madushan in #3171
✨ Improvements
- Improve wayfinder sample setup experience in console by @ThaminduDilshan in #3125
- Introduce a new application template for MCP Clients by @brionmario in #3150
- Upgrade npm dependencies to fix security vulnerabilities by @Malith-19 in #3164
- Update agent onboarding model names by @thiva-k in #3165
- Support single-file declarative resources via -resources startup flag by @rajithacharith in #3016
- Add declarative resource support for groups by @rajithacharith in #3010
- Migrate backend log calls to context-aware logging method by @UdeshAthukorala in #3160
- Switched Algolia search application by @himeshsiriwardana in #3183
- Add a
Customapplication template by @brionmario in #3184 - Improve react SDK sample to support scopes by @ThaminduDilshan in #3200
- Migrate backend log calls to context-aware logging method by @UdeshAthukorala in #3196
- Remove redundant group models by @thiva-k in #2660
🐛 Bug Fixes
- Fix unique key violation when importing roles with assignments a second time by @rajithacharith in #3149
- Add eventType to OTP verify button step by @HasiniSama in #3162
- Fix oauth certificate handling in frontend by @thiva-k in #3167
- Fix application update issue with consent sync failure by @ThaminduDilshan in #3189
- Make redirect_uri at token endpoint conditional per RFC 6749 §4.1.3 by @HesandaLiyanage in #3194
- Add import support for notification senders by @rajithacharith in #3195
New Contributors
- @HasiniSama made their first contribution in #3162
- @HesandaLiyanage made their first contribution in #3194
Full Changelog: v0.42.0...v0.43.0
License
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.
ThunderID v0.42.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows. It works across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
- MCP - by following Securing MCP Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Update subject claim handling in client credential grant by @sahandilshan in #3132
🚀 Features
✨ Improvements
- Route OTP registration, Magic Link registration, Magic Link authentication through authnprovider by @ThumulaPerera in #3012
- Resolve runtime product name in passkey flow templates by @RushanNanayakkara in #2997
- Replace lodash-es merge with @thunderid/utils and fix initialize() deep merge by @JayaShakthi97 in #3073
- Improve SDKs to forward scopes to embedded flow init by @Dilusha-Madushan in #3052
- Support non-interactive mode in npx-thunderid for AI tools and CI environments by @rajithacharith in #3077
- passing CacheConfig as argument to Initialize by @anushasunkada in #3050
- Add route-level lazy loading for console and gate apps by @JayaShakthi97 in #3098
- replace custom internal server errors with global server error by @samadhisakunika in #3091
- Add GetTLSMaterial impl in RuntimeCryptoProvider by @JeethJJ in #3031
- Add declarative resource support for resource server sub resources by @rajithacharith in #3096
- Add read-only indicators and access guards for declarative resources by @rajithacharith in #3033
- Pass TranslationConfig as argument to Initializer by @anushasunkada in #3079
- Email Executor Improvement to support attributes from node inputs by @RandithaK in #2374
- Guard DOMPurify hook registration in RichTextAdapter for SSR by @ThaminduDilshan in #3144
- Add correlation IDs to the logs with context-aware logging methods by @UdeshAthukorala in #3141
- Add tryout with sample flows to welcome flow by @jeradrutnam in #3143
- Add implicit on-behalf-of act claim to authorization code user tokens by @sahandilshan in #3142
🐛 Bug Fixes
- Redirect to application URL after sign-up instead of bare sign-in page by @Dilusha-Madushan in #3101
- Preserve target attribute on anchors in RichTextAdapter by @Sithumli in #2576
- Fix authorization denied when loading declarative applications and agents on startup by @rajithacharith in #3114
New Contributors
- @samadhisakunika made their first contribution in #3091
- @Sithumli made their first contribution in #2576
- @UdeshAthukorala made their first contribution in #3141
Full Changelog: v0.41.0...v0.42.0
License
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.
ThunderID v0.41.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows. It works across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
- MCP - by following Securing MCP Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Migrate IDP PROPERTIES from JSON array to JSON object format by @sahandilshan in #2752
- Treat system resource as a normal resource by @sahandilshan in #2554
🚀 Features
- DPoP feature support by @sacrana0 in #2618
- Add input validation for flow inputs by @SajidMannikeri17 in #2709
✨ Improvements
- Add
ThunderIDagentic skills & plugins to Hero & Docs by @brionmario in #2950 - Refactor JWT verification to use provider-backed public key retrieval by @JeethJJ in #2681
- Add make targets and script to run PR checks locally by @madurangasiriwardena in #2924
- Add console support for provisioning dynamic input flows by @Dilusha-Madushan in #2738
- Migrate JWE crypto operations to RuntimeCryptoProvider and CryptoLab by @JeethJJ in #2700
- Clean up documentation Vale checks by @himeshsiriwardana in #2936
- Update vanilla sample declarative resource by @Dilusha-Madushan in #2947
- Fix imports and refactor crypto package structure by @JeethJJ in #2729
- Allow SDK provider configuration to be overridden via config.js by @JayaShakthi97 in #2991
- Add default KM configuration implementation by @JeethJJ in #2981
- Add app-level refresh token validity period support by @Yathusiga27 in #3018
- Add securing MCP sample use case and refactor docs by @thiva-k in #3027
- Removed unused dependency and separated DCR initialization by @anushasunkada in #3039
- Add branding guide page to docs by @jeradrutnam in #3034
🐛 Bug Fixes
- Fix ID part not visible in light mode by @brionmario in #2952
- Re-enabling API route with the fix by @jeradrutnam in #2956
- Fix TypeScript strict mode related lint issues in SDKs by @brionmario in #2978
- Fix Start-Service-Process to use platform-specific npm executable by @ravindu439 in #2990
- Fix DEV MODE CORS issue in Translations by @brionmario in #3014
- Fix signInOptions on initial sign-in and improve token request params support by @JayaShakthi97 in #3011
- Fix theme flashing in docs page. by @Malith-19 in #3040
- Fix bugs in flow canvas delete handlers by @Dilusha-Madushan in #2962
- Fix afterSignUpUrl base path in SignUpBox to include BASE_URL prefix by @Dilusha-Madushan in #3063
New Contributors
- @Yathusiga27 made their first contribution in #3018
Full Changelog: v0.40.0...v0.41.0
License
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.
ThunderID v0.40.0
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Getting Started
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
What's Changed
⚠️ Breaking Changes
- Allow configuring default admin credentials at setup time by @sadilchamishka in #2857
🚀 Features
- Add support for resource/action permission consent by @thiva-k in #2823
- Introduce
ExpressJSintegration to ThunderID by @JayaShakthi97 in #2829 - Introduce
Vanilla JSintegration to ThunderID by @DonOmalVindula in #2837 - Introduce Zero-Install CLI for ThunderID Installation (via
npx) by @brionmario in #2903 - Introduce
Vue,Nuxt&Node.jsintegrations to ThunderID by @brionmario in #2899
✨ Improvements
- Improve
@thunderid/expressSDK + Update invalid refs in SDK by @brionmario in #2788 - Track presented optional inputs across prompt and executor flows by @Dilusha-Madushan in #2687
- Update new logo by @jeradrutnam in #2801
- Change default resource server identifer to mcp url by @rajithacharith in #2812
- Improve Agent Sample App by @KaveeshaPiumini in #2818
- Add caching for ou store by @ThumulaPerera in #2820
- Update authorization code index in SQL scripts to match the queries by @ThumulaPerera in #2833
- Support handle-based references in declarative resource imports by @madurangasiriwardena in #2814
- Improve ThunderID MCP server by @rajithacharith in #2816
- Reduce setup script logs by @JeethJJ in #2804
- Add cache for entity credentials by @ThumulaPerera in #2807
- Add invite base url node property by @Dilusha-Madushan in #2838
- Add agent declarative resource support with export/import API integration by @KaveeshaPiumini in #2835
- Switch sample app setup from bootstrap scripts to declarative resource configs by @madurangasiriwardena in #2840
- Add ou_handle support to role, user, resource server, and group by @sahandilshan in #2879
- Add support for agent export/import resources in console by @KaveeshaPiumini in #2880
- Add new links to product welcome page by @jeradrutnam in #2884
- Add release step to publish docker compose by @ThumulaPerera in #2893
- Improve the welcome page by @senthalan in #2930
- Add agent summary display to configuration import page by @KaveeshaPiumini in #2934
- Fix agent ID generation and IDP property parsing by @rajithacharith in #2940
- Update wayfinder sample declarative resources by @ThaminduDilshan in #2941
🐛 Bug Fixes
- Rename BEM blocks to use 'thunderid' prefix across all primitive components in vue sdk by @kavindadimuthu in #2779
- Fix start.sh syntax error when invoked with sh by @sadilchamishka in #2782
- Resolve declarative role permissions for API-added assignments by @RushanNanayakkara in #2761
- Fix embedded sign-in flow in Next.js SDK by @kaviru2 in #2810
- Trust self-issued tokens on secured APIs when a trusted issuer is configured by @RushanNanayakkara in #2831
- Fix i18n key resolution in flow builder by @sadilchamishka in #2867
- Fix UUID generation logic when importing resources by @rajithacharith in #2890
- Fix dialog box transparency issue by @jeradrutnam in #2916
- Fix useNavigate error at /gate/callback caused by duplicate react-router pnpm instances by @sadilchamishka in #2921
- Fix syntax for GIN index creation on IDP properties by @KaveeshaPiumini in #2732
- Fix application URL not being set in add application flow by @rajithacharith in #2919
- Remove SCIM2/Me request from React SDK sign-in flow by @rajithacharith in #2927
- Improve welcome page styling along with some UI alignment and text readable fixes across the product by @jeradrutnam in #2931
New Contributors
- @madurangasiriwardena made their first contribution in #2814
- @JayaShakthi97 made their first contribution in #2829
- @savindi7 made their first contribution in #2827
- @kaviru2 made their first contribution in #2810
Full Changelog: v0.39.0...v0.40.0
License
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.
ThunderID v0.39.0
ThunderID ⚡
Identity Management Suite
ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
What's Changed
🚀 Features
- Bring-in JavaScript ecosystem SDKs to ThunderID monorepo by @brionmario in #2735
✨ Improvements
- Add Clickable Option for the user when consent is timeout. by @Dilusha-Madushan in #2722
- Migrate pnpm to v11 by @jeradrutnam in #2721
- Migrate public key discovery to RuntimeCryptoProvider by @JeethJJ in #2657
- Added documentation style updates to Thunder docs. by @himeshsiriwardana in #2743
- Update old SDK references to new
@thunderid/*namespace by @brionmario in #2762
🐛 Bug Fixes
- Add app name to invite email template data by @Dilusha-Madushan in #2699
- Ignore empty credential values during provisioning by @Dilusha-Madushan in #2669
- Fix credential handling in user onboarding flow request by @thiva-k in #2728
- Remove flow type constraint from OAuth executor by @ThaminduDilshan in #2734
- Improve declarative resource usertype parsing by @rajithacharith in #2718
Full Changelog: v0.38.0...v0.39.0
⚡ Quickstart
This Quickstart guide will help you get started with ThunderID quickly. It walks you through downloading and running the product, trying out the sample app, and exploring registering a user, logging in, and using the Client Credentials flow.
Download and Run ThunderID
You can run ThunderID either by downloading the release artifact or using the official Docker image.
Option 1: Run from Release Artifact
Follow these steps to download the 0.39.0 release of ThunderID and run it locally.
-
Download the distribution from the 0.39.0 release
OS Architecture Download Link macOS ARM64 (Apple Silicon) thunderid-0.39.0-macos-arm64.zip macOS x64 (Intel) thunderid-0.39.0-macos-x64.zip Linux x64 thunderid-0.39.0-linux-x64.zip Linux ARM64 thunderid-0.39.0-linux-arm64.zip Windows x64 thunderid-0.39.0-win-x64.zip -
Unzip the product
Unzip the downloaded file using the following command:
unzip thunderid-0.39.0-<os>-<arch>.zip
Navigate to the unzipped directory:
cd thunderid-0.39.0-<os>-<arch>/
-
Setup the product
You need to setup the server with the initial configurations and data before starting the server for the first time.
If you are using a Linux or macOS machine:
./setup.sh
If you are using a Windows machine:
.\setup.ps1
Note the id of the sample app indicated with the log line
[INFO] Sample App ID: <id>. You'll need it for the sample app configuration. -
Start the product
If you are using a Linux or macOS machine:
./start.sh
If you are using a Windows machine:
.\start.ps1
The product will start on
https://localhost:8090.
Option 2: Run with Docker Compose
Follow these steps to run ThunderID using Docker Compose.
-
Download the Docker Compose file
Download the
docker-compose.ymlfile using the following command:curl -o docker-compose.yml https://raw.githubusercontent.com/thunder-id/thunderid/v0.39.0/install/quick-start/docker-compose.yml
-
Start ThunderID
Run the following command in the directory where you downloaded the
docker-compose.ymlfile:docker compose up
This will automatically:
- Initialize the database
- Run the setup process
- Start the ThunderID server
Note the id of the sample app indicated with the log line
[INFO] Sample App ID: <id>in the setup logs. You'll need it for the sample app configuration.The product will start on
https://localhost:8090.
Try Out the Product
Try out the ThunderID Console
Follow these steps to access the ThunderID Console:
-
Open your browser and navigate to https://localhost:8090/console.
-
Log in using the admin credentials created during the initial data setup (
admin/admin).
Try Out with the Sample App
ThunderID provides two sample applications to help you get started quickly:
- React Vanilla Sample — Sample React application demonstrating direct API integration without external SDKs. Supports Native Flow API or Standard OAuth/OIDC.
- React SDK Sample — Sample React application demonstrating SDK-based integration using
@asgardeo/reactfor OAuth 2.0/OIDC authentication.
React Vanilla Sample
-
Download the sample
OS Architecture Download Link macOS ARM64 (Apple Silicon) sample-app-react-vanilla-0.39.0-macos-arm64.zip macOS x64 (Intel) sample-app-react-vanilla-0.39.0-macos-x64.zip Linux x64 sample-app-react-vanilla-0.39.0-linux-x64.zip Linux ARM64 sample-app-react-vanilla-0.39.0-linux-arm64.zip Windows x64 sample-app-react-vanilla-0.39.0-win-x64.zip -
Unzip and navigate to the sample app directory
unzip sample-app-react-vanilla-0.39.0-<os>-<arch>.zip cd sample-app-react-vanilla-0.39.0-<os>-<arch>/
-
Configure the sample
Open
app/runtime.jsonand set theapplicationIDto the sample app ID generated during "Setup the product":{ "applicationID": "{your-application-id}" } -
Start the sample
./start.sh
Open your browser and navigate to https://localhost:3000 to access the sample app.
📖 Refer to the
README.mdinside the extracted sample app for detailed configuration options including OAuth redirect-based login.
React SDK Sample
-
Download the sample
| OS | Architecture | Download Link |
|-------|-------------|...
