11 June 2026 (v2.159)

Staging ๐Ÿงช

ReachFive v2.159 brings a few new features and updates:

As always, we made some general improvements and fixed a few items for you.


Release highlight

Access Control v2

We are excited to launch Access Control v2, which extends our Attribute-Based Access Control (ABAC) engine with a powerful new capability: Access Token Entitlements.

While the ABAC engine initially focused on blocking or allowing entry to signup and login journeys, this upgrade empowers you to inject dynamic authorization attributes directly into user access tokens at runtime. This bridges the gap between authentication and downstream authorization, allowing your applications to make instant, context-aware access decisions without repetitive API lookups.

With the introduction of Entitlements, the access token becomes a self-contained vehicle for fine-grained authorization.

What’s new?

  • Dynamic token enrichment: Automatically populate a top-level entitlements claim array with custom authorization attributes (such as roles, classifications, or permissions) mapped from user profile data.

  • Continuous evaluation: Entitlements are evaluated globally whenever a new access token is generated or refreshed. This includes standard logins, passwordless flows, and third-party authentications.

  • Dedicated audit trail: Monitor and troubleshoot configurations effortlessly using the new, standalone entitlement_provided user event, which cleanly separates authorization tracking from standard authentication logs.

Immediate Benefits:

  • Zero extra API overhead: Offload application-level access logic to the token itself. Your downstream services and APIs can inspect the token’s entitlements claim locally to grant rights, eliminating the need to query the ReachFive Identity API post-login.

  • Real-time security syncing: Because entitlement rules are re-evaluated during token refresh, any modifications to a user’s profile attributes automatically update downstream when their token rotates, ensuring permissions are always accurate.

For more details on this topic, see Attribute-Based Access Control (ABAC).


Additional audit log actions for Pub/Sub hooks

The users:get and users:search actions are now included in the audit logs for Pub/Sub hooks, providing more comprehensive tracking of user profile access and search activities.

Audit log actions for Pub/Sub hooks
Audit log actions for Pub/Sub hooks

For more details, see Audit logs: Create Pub/Sub hook from console.


General improvements

  • When a user authenticates with a second social provider, we now ensure that the existing email for the user is retained and not overwritten by the new provider’s email, which may be different. The new email is still kept as part of the identities and emails objects.

  • Provider variants are now included in a user’s recent activity so it’s more clearly visible which provider variant was used for each event.


Fixes

Item Fixed

In some limited instances, logins with Paypal Connect were failing unexpectedly.

When using the /oauth/par endpoint, against non-existent profiles, the response was a 404. The response is now a 303 with a query parameter showing the error so the user is redirected accordingly and you can handle the error in your application.

There was temporarily an issue when sorting by email when searching for users via the Management API.

R5 AI Assistant
The R5 AI assistant can make mistakes, verify answers.

Confirm Deletion