Release notes

The release notes describe new features, enhancements, and fixes for the ReachFive platform. The latest release notes are found below. For previous releases, check out the sidebar.

For upcoming changes that require your attention, see the Attention page.

Other releases

The following shows other ReachFive releases for your convenience.

SDK repository Latest version Docs

SDK repository	Latest version	Docs
Core SDK		Core SDK
UI SDK		UI SDK
Android SDK	MavenCentral `9.5.0`	Android SDK
iOS SDK		iOS SDK
SFCC Cartridge	SFCC Cartridge `20.8.2`	Salesforce cartridge

identity core

identity ui

MavenCentral 9.5.0

Reach5

SFCC Cartridge 20.8.2

Salesforce cartridge

9 January 2025 (v2.127)

ReachFive v2.127 introduces several improvements and needed bug fixes.

We have added the {{link}} variable to the SMS passwordless template which also impacts the SDK Core passwordless methods. We now better support email updates for Social Logins. We also now retrieve the full Identities objects with webhooks and Pub/Sub hooks.

The improvements in this release also let you retrieve addresses from Naver users. In addition, we have some security enhancements, where it’s now possible for you to configure the lifetime of trusted devices and hide suspension reasons directly from the ReachFive Console.

As always, we made some general improvements and fixed a few items for you.

SMS passwordless magic links

We have added the {{link}} variable to the SMS passwordless template combined with enhanced redirect functionality which includes the ability to override the default redirect_to in the template.

The {{link}} variable is a magic link that verifies the start of the passwordless flow. Magic links verify the user’s identity and ownership, ensuring secure and authorized access to the passwordless flow.

SDK Core updates

These updates also impact the startPasswordless method since a redirect_uri is now required either through the default redirect set in the template or through the method itself.

The redirect address must be whitelisted in your client settings.

The verifyPasswordless method now has the possibility to respond with AuthResult in addition to void.

AuthResult: If the verification is successful and results in an authentication (e.g., the user is logged in after clicking the magic link), the method returns an AuthResult.
void: If the verification is successful but no authentication (such as a user login) is performed, the method resolves with void.

To create an SMS passwordless template:

Go to Settings Passwordless SMS verification code.
Enter the Verification Code Lifetime in seconds.
Set the Redirect to.

This must be whitelisted in your client settings.
Write your Message.

ReachFive now correctly recognizes and authenticates users based on their unchanged Social Provider ID, even when the email address has been updated on the Social provider side.

Example flow

A user logs in with an updated email linked to the same Social Provider ID,
ReachFive detects the existing profile associated with the Social Provider ID.
ReachFive authenticates the user based on the existing profile.
ReachFive updates the email address in the profile to reflect the new one.

Retrieve full Identities objects with hooks

You can now retrieve the full Identities object with webhooks and Pub/Sub hooks. Previously, it was only possible to retrieve the name of the provider and any associated provider variants.

When you select Identities and Identities Id in the Filterable fields section, you will receive the whole Identities object.

For more on this topic, see User-event webhooks and Pub/Sub hooks respectively.

Naver user addresses

With this release, you can now retrieve addresses from Naver users. Once the user consents, you can pull in all the address information directly into ReachFive.

You first need to create a new custom address field called is_naver_address. This field is always set to true. If this field is not present in your client settings, Naver addresses can’t be imported.

If you would like to receive the roadNameYn field from Naver, you must also create an address custom field called road_name (checkbox data type).

For more details, see Naver.

Address example

  "addresses": [
    {
      "id": 0,
      "to_delete": true,
      "default": true,
      "address_type": "delivery",
      "street_address": "1200 Seomun 10",
      "address_complement": "2nd floor",
      "locality": "Seogwipo-si",
      "postal_code": "46 KR",
      "region": "Jeju-do",
      "country": "South Korea",
      "recipient": "Suh Minh",
      "phone_number": "0723538943",
      "custom_fields": {
        "is_naver_address": true, (1)
        "road_name": true (2)
      }
    }
  ],

1	The `is_naver_address` custom address field (`checkbox` data type) to let our system know it is a Naver address so we won’t overwrite the address.
2	The `road_name` custom address field (`checkbox` data type) is optional but needed if you want to retrieve the `roadNameYn` field from Naver.

Configure lifetime of trusted devices

You can now configure the lifetime of a trusted device directly in the ReachFive Console. By default, the lifetime is set to 90 days, meaning after a successful authentication, the device is considered as trusted for the specified number of days (between 1 and 365).

For more, see Risk-based Authentication.

Why is this useful for me?

This option enhances security by allowing you to adjust how long devices remain trusted, reducing risk in case of loss or compromise. We hope this flexibility empowers you to balance security and user experience, tailoring authentication policies to your specific needs.

Hide suspension reason

And last but certainly not least, you can now hide the suspension_reason returned in the API error response for suspended users.

When enabled, a default error message is sent in the response.

For more on this topic, see Data Breach Detection.

To hide the suspension reason:

Go to Settings Security Data Breach Detection.
Scroll to Suspension reason.
Enable the Hide suspension reason in API error response option.
Don’t forget to Save your input.

General improvements

We now ensure that the auth_types field in the User Profile object only contains active methods, ensuring no stale information is present related to how users authenticate.

Fixes

Item Fixed

Item	Fixed
In some limited cases, browsers were autofilling the username and password fields on the ReachFive Console, leading to an extra manual step for users. This has been resolved and the fields are no longer autofilled.	✓
For a brief period, the "Send test email" feature on the ReachFive Console wasn’t working properly.	✓
There was a minor issue importing profiles with passwords encrypted with ISO-8859-1.	✓
For a brief period, the `last_login` field wasn’t being updated during logins for passwordless logins.	✓
In some limited cases, customers using our API directly to log out of the ReachFive Console were experiencing some issues.	✓

In some limited cases, browsers were autofilling the username and password fields on the ReachFive Console, leading to an extra manual step for users. This has been resolved and the fields are no longer autofilled.

✓

For a brief period, the "Send test email" feature on the ReachFive Console wasn’t working properly.

✓

There was a minor issue importing profiles with passwords encrypted with ISO-8859-1.

✓

For a brief period, the last_login field wasn’t being updated during logins for passwordless logins.

✓

In some limited cases, customers using our API directly to log out of the ReachFive Console were experiencing some issues.

✓