12 June 2025 (v2.136)
ReachFive v2.136 introduces several improvements and needed bug fixes.
You can now perform a token exchange with trusted providers.
We’re happy to announce that social providers can now be added to a user’s profile through the Management API.
In addition to those, a new user event type is generated when you remove passwords through our APIs.
Finally, we have improved the performance for sending verification messages.
In addition to these product updates, we also released version 8.2.0 of our iOS SDK.
As always, we made some general improvements and fixed a few items for you.
Release highlight
You can now configure Trusted providers in the ReachFive Console to enable OAuth 2.0 Token Exchange (RFC 8693) with external Identity providers, starting with Akamai. This allows seamless user session retrieval, supporting single sign-on and migration use cases. You can also add custom trusted providers directly in the ReachFive Console.
A login user event is generated after a token exchange with a custom provider.
When the event is emitted, it is added to the auth_types array on the user profile.
The user event also appears on the user’s Recent activity filter and is present in the user profile’s provider_details.
For more details, see Trusted providers.
Add Social Identity provider with Management API
You can now add Social Identity providers to user profiles directly through our Management API. Previously, this was only possible through Import jobs.
See the /api/v2/users/:uid/providers/identity endpoint for full details.
/api/v2/users/:uid/providers/identity{
"provider": "google", (1)
"provider_variant": "emea", (2)
"user_id": "google_id", (3)
"username": "google_username", (4)
"created_at": "2025-12-06T10:40:24.071Z", (5)
"updated_at": "2025-12-07T10:40:24.071Z" (6)
}| 1 | Required The Social Identity provider (e.g., "google", "facebook"). |
| 2 | The provider’s regional or specific variant (e.g., "emea"). |
| 3 | Required The unique user ID from the Social Identity provider. |
| 4 | The user’s display name or username from the provider. |
| 5 | Timestamp when the identity was created. |
| 6 | Timestamp when the identity was last updated. |
Remove passwords through API
Since passwords are now optional with ReachFive, as there are passwordless options available, you can remove passwords from user profiles when needed through certain endpoints.
When a password is removed, a user event is now generated with a password_deleted user event type.
Benefits of passwordless:
-
Enhanced User Experience: Simplifies authentication for users adopting passwordless methods, reducing friction.
-
Increased Security: Eliminates password-related risks, such as weak passwords or credential theft.
-
Flexibility: Supports seamless transitions to modern authentication methods, aligning with user preferences.
Endpoints to remove a password:
Improved performance for sending verification messages
We have improved the performance for sending verification messages to minimize disruptions, particularly when custom providers are used. This includes:
iOS SDK 8.2.0
This week, we also released iOS SDK 8.2.0.
We added two new methods for sending and verifying email verification.
General improvements
-
We now return the
cicofield in theid_tokenpayload after connecting with B.connect. This helps ensure payment processing is quick and efficient. -
We no longer require a fresh access token (<5 minutes old) for the following endpoints since a verification code is already used for security purposes:
-
In addition, we now ensure users are allowed up to 3 attempts before a verification code is considered no longer valid when calling
/identity/v1/verify-email.
Fixes
| Item | Fixed |
|---|---|
There were temporary some issues related to user roles. |
✓ |
There was a small alignment issue for some user profile columns in the ReachFive Console. |
✓ |
For a brief period, users were unable to authenticate via SLO in an OaaS flow. |
✓ |