25 September 2025 (v2.143)

ReachFive v2.143 brings several new features:

And as always, we fixed a few items for you.


Release highlight

Prevent unverified users logging in at signup

You can now prevent unverified users from logging in at signup. This strengthens your defenses against fraudulent accounts and ensures only verified users gain access from the very start.

By default, unverified users could sign up and log in once, only being blocked on their next attempt. With the new Forbid unverified identifiers login after signup option, they cannot log in at all until their email or phone number is verified. This option is disabled by default to avoid breaking existing flows.

For more details, see Block unverified login attempts.

From the Console:

  1. Go to Security > Attack protection policy.

  2. Enable Forbid unverified identifiers login after signup.

For integrators:

When Forbid unverified identifiers login after signup is enabled and a user is unverified:

  • Signup endpoints do not issue tokens or redirect users:

  • The Core SDK signup method returns an AuthResult without an access token or redirect.

  • The UI SDK showAuth method displays an overridable message (signup.awaiting.identifier.verification) telling users to verify their identifier. By default, the message the user sees is "Account created successfully. To login, please verify your identifier with the email or the SMS that you received."

    • A new isIdentifierVerificationRequired field is included in the signupEvent callback to simplify flow handling.

New endpoint:

We have introduced a new Management API endpoint as part of this feature. This endpoint consumes the verification_code received by email to verify the user’s email address.


Track password reset request origins

You can now track the origin of users when they request a password reset. This makes it easier to audit reset activity, monitor for suspicious behavior, and analyze trends across different applications or regions.

For more information on this subject, see Track user origins.

  • Identity API: The /identity/v1/forgot-password endpoint now accepts an origin field. This value is stored in the user’s origins[] array and included in the password_reset_requested event.

  • Core SDK: Supports passing an origin parameter with requestPasswordReset.

  • UI SDK: The showAuth widget automatically forwards the configured origin when triggering a password reset.
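As an added example (not ReachFive code), here is one way to audit password_reset_requested events by origin once they are collected. The field names type, user_id and date, the allow-list of origins and the thresholds are assumptions, and the sample events are constructed.

```javascript
// Added example, not ReachFive code. Field names type, user_id and date are
// assumptions; origin and password_reset_requested come from the release note.

// Constructed sample events (not real platform output).
const sampleEvents = [
  { type: "password_reset_requested", user_id: "u1", origin: "web-fr", date: "2025-09-25T10:00:00Z" },
  { type: "password_reset_requested", user_id: "u2", origin: "mobile-app", date: "2025-09-25T10:01:00Z" },
  { type: "password_reset_requested", user_id: "u3", origin: "web-fr", date: "2025-09-25T10:02:00Z" },
  { type: "password_reset_requested", user_id: "u3", origin: "legacy-portal", date: "2025-09-25T10:03:00Z" },
  { type: "password_reset_requested", user_id: "u3", origin: "web-fr", date: "2025-09-25T10:04:00Z" },
  { type: "password_reset_requested", user_id: "u3", origin: "legacy-portal", date: "2025-09-25T10:05:00Z" },
  { type: "password_reset_requested", user_id: "u4", date: "2025-09-25T10:06:00Z" },
  { type: "login", user_id: "u1", origin: "web-fr", date: "2025-09-25T10:07:00Z" },
];

function auditResetOrigins(events, { knownOrigins, windowMs, maxPerUser }) {
  // Keep only reset requests, normalise a missing origin, order by time.
  const resets = events
    .filter((e) => e.type === "password_reset_requested")
    .map((e) => ({ ...e, ts: Date.parse(e.date), origin: e.origin || "(none)" }))
    .sort((a, b) => a.ts - b.ts);

  const countsByOrigin = {};
  const unknownOrigins = new Set();
  const byUser = new Map();
  for (const e of resets) {
    countsByOrigin[e.origin] = (countsByOrigin[e.origin] || 0) + 1;
    if (!knownOrigins.includes(e.origin)) unknownOrigins.add(e.origin);
    if (!byUser.has(e.user_id)) byUser.set(e.user_id, []);
    byUser.get(e.user_id).push(e);
  }

  // Sliding window per user: report the first burst above maxPerUser.
  const bursts = [];
  for (const [userId, list] of byUser) {
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      while (list[end].ts - list[start].ts > windowMs) start++;
      if (end - start + 1 > maxPerUser) {
        const origins = [...new Set(list.slice(start, end + 1).map((e) => e.origin))];
        bursts.push({ userId, count: end - start + 1, origins });
        break;
      }
    }
  }
  return { countsByOrigin, unknownOrigins: [...unknownOrigins], bursts };
}
```

Called with the origins your applications are configured to send, the result separates expected reset traffic from requests carrying an unexpected or missing origin.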



Use Pub/Sub hooks for import events

You can now use Pub/Sub hooks to receive events related to user import jobs.

  • Import job events on hooks

    Import jobs with user events (e.g., user_created, user_deleted, user_updated, managed_user_created) are now published through Pub/Sub hooks.

  • Event Source configuration

    A new configuration option in the ReachFive Console allows you to include or exclude import job events, preventing existing hooks from receiving unexpected messages. When you choose api or import, only the events relevant to that event source are filterable, so you see only the information that is relevant to you.

  • Job definition tracking

    You can now filter events by job definition ID directly in the ReachFive Console to reduce noise when running multiple jobs.

For full details, see Pub/Sub hooks.



Fixes

Item Fixed

The trusted device authentication cookie had a fixed expiration period, which did not align with the configurable trusted device lifetime set in the ReachFive Console.