9 October 2025 (v2.144)
Pass state
in forgot password endpoint
You can now include an optional state
parameter when calling the POST /identity/v1/forgot-password
endpoint.
This enhancement lets frontends access and use the state
parameter before calling POST /identity/v1/update-password
, for example to warn users if the verification code has expired.
The value of state
is returned unchanged in the password reset URL sent to the user (by email or SMS).
This allows you to pass contextual information, such as the code expiration time, session identifiers, or any other client-specific metadata, between the reset request and the password reset page.
The state
value must be URL-encoded to ensure it is safely included in the password reset link.
For example:
POST
/identity/v1/forgot-password{
"email": "user@example.com",
"state": "expires_at=1761936000" (1)
}
1 | In this case, state specifies that the verification code expires on October 10, 2025 (in Unix timestamp format, seconds). |
The resulting password reset link includes the encoded state
value:
https://YOUR_URL/password-reset?verification_code=558885362&email=user@example.com&state=expires_at%3D1761936000
New scope
field for login user events
Login-related user events (such as SuccessfulLogin
) now include a new field:
-
scope
(array of strings) — The list of OAuth/OpenID scopes granted to the user during this login or token refresh.
This addition allows auditing and debugging of the permissions granted at the time of authentication.
For more details, see User Events.
{
"event": "login",
"user_id": "123456",
"client_id": "mobile-app",
"auth_type": "password",
"scope": ["openid", "profile", "email"], (1)
"time": "2025-10-07T12:34:56Z"
}
1 | In this case, scope is openid , profile , and email . |
LinkedIn Connect updates
We have updated ReachFive to support the latest LinkedIn authentication API. The previous API used for LinkedIn Connect was deprecated by LinkedIn on August 1, 2023.
To ensure a smooth transition and avoid breaking changes, ReachFive now supports both the old and new LinkedIn APIs. The correct API is automatically selected based on the configured scopes.
Clients using LinkedIn Connect should create a new LinkedIn app and update their configuration to include the new scopes.

API version | Required scopes |
---|---|
New API |
|
Old API (deprecated) |
|
The old LinkedIn API has been deprecated and may be removed by LinkedIn in the future. We recommend migrating to the new API as soon as possible to ensure continued compatibility. For more details, see LinkedIn Connect. |
Failure indicator for duplicate import jobs
Import jobs that are stopped due to duplicate user entries in the uploaded data now clearly indicate a failure. Previously, a job containing duplicates would stop without processing any rows but still report successful. This improvement ensures you can immediately understand and act on duplicate-related import issues.
With this update:
-
The job status is marked as FAILURE when duplicates are detected.
-
A clear error message is logged and visible in the ReachFive Console, explaining that the job was interrupted due to duplicate entries.
Mobile SDK updates
We have released new versions of our mobile SDKs with several improvements and breaking changes.
Breaking change : Prevent unverified users logging in at signup
The mobile SDKs (iOS and Android) now support the "Forbid login on signup with unverified email" feature introduced in ReachFive 2.143.
When this feature is enabled, the signup flow may not return an AuthToken
if the user’s email or phone number is unverified during signup.
This introduces a breaking change, as the signup callbacks now return a flow object rather than always returning a token.
signup now returns a SignupResponse
which can be:
-
AchievedLogin(authToken)
: signup completed and the user is immediately logged in. -
AwaitingIdentifierVerification
: signup pending verification (email or phone). In this case, noAuthToken
is provided.
signup now returns a SignupFlow
with the same possible outcomes:
-
.AchievedLogin(authToken: AuthToken)
: signup completed and the user is immediately logged in. -
.AwaitingIdentifierVerification
: signup pending verification. In this case, noAuthToken
is provided.
Impact on Integrators:
-
Your application logic must handle both possible outcomes of the signup flow (
AchievedLogin
vsAwaitingIdentifierVerification
) to prevent runtime issues. -
Ensure that your UI and backend processes can gracefully handle cases where the user must verify their identifier before receiving an authentication token.
-
This may require updates to existing signup handling logic, token storage, and error handling in both mobile SDKs.
Trust device during MFA enrollment
The mobile SDKs (Android only at this time) now allows users to trust their device when enrolling a second factor for multi-factor authentication (MFA), providing greater flexibility during the setup process. This feature extends the existing trust device capability, previously available only during login (Multi-factor Authentication), to the MFA enrollment process.
To enable this, set the trustDevice
parameter to true
(default is false
) in the following SDK methods:
Behavior:
-
For verified identifiers (email or phone number), setting
trustDevice
totrue
during thestartMfaEmailRegistration
orstartMfaPhoneNumberRegistration
methods will trust the device and return the__Host-trusted-device-id
cookie. -
For unverified identifiers, the
trustDevice
parameter is only taken into account during theverifyMfaEmailRegistration
orverifyMfaPhoneNumberRegistration
methods, after the verification code is submitted. -
When
trustDevice
is set totrue
, the device is trusted in the backend, and the__Host-trusted-device-id
cookie is deposited, consistent with the login flow behavior.
Impact on Integrators:
trustDevice
is an optional parameter (default is false
), so existing integrations will continue to function without modification.
-
Update your mobile SDK integration to include the
trustDevice
parameter where applicable, ensuring proper handling based on the identifier’s verification status. -
Refer to the table in the ReachFive 2.132 Release Notes for a summary of when the
trustDevice
parameter is applicable and when the cookie is returned:
Customizable MFA email and SMS templates for step-up and enrollment
The mobile SDKs (iOS and Android) now support customization of email and SMS templates for both step-up MFA and MFA enrollment processes, allowing you to tailor messaging based on specific user journeys.
This is achieved by introducing the action
parameter in the following SDK methods:
Behavior:
-
The
action
parameter allows you to specify the journey context, enabling the use of customized email or SMS templates configured in the ReachFive Console. -
This feature enhances the flexibility of MFA workflows by aligning notification content with specific user interactions or application requirements.
Impact on Integrators:
action
is an optional parameter, so existing integrations will continue to function without modification.
-
Update your mobile SDK integration to include the
action
parameter in the listed methods to leverage customized email and SMS templates. -
Ensure that corresponding templates are configured in the ReachFive Console to match the specified
action
values for seamless integration.
Trace origin for password reset requests
The mobile SDKs (iOS and Android) now support tracing the origin
of password reset requests, allowing you to provide context for where the request originated.
This is achieved by introducing the origin
parameter in the following SDK methods:
Behavior:
-
The
origin
parameter is passed to the/identity/v1/forgot-password
endpoint, enabling tracking of the request’s source (e.g., app, website, or specific feature). -
This feature enhances auditability and allows for better monitoring of password reset activities.
Impact on Integrators:
origin
is an optional parameter, so existing integrations will continue to function without modification.
-
Update your mobile SDK integration to include the
origin
parameter in therequestPasswordReset
method to provide context for password reset requests. -
Ensure the
origin
value is meaningful and aligns with your application’s tracking requirements.
Fixes
Item | Fixed |
---|---|
ReachFive Console |
|
Longer MFA Credentials on a user profile weren’t displayed correctly. |
✓ |