Roadmap

What's built.
What's next.

v1.5.2 is live — 21 versions shipped since March 2026. Every version and every planned feature is documented here. No vaporware, no undated promises.

21 versions shipped · 31 DB migrations · 30+ REST endpoints · 55+ audit event types

Shipped

Released versions

v1.5.2 April 10, 2026

Admin Key Rotation & JWT kid Headers

  • Admin-initiated signing key rotation — generate a new RS256 key pair, promote it to active, demote the previous key to verification-only
  • JWT kid header on all issued tokens (access, id_token, client credentials) per RFC 7517 — enables key identification during verification
  • Key retirement — disable old keys to remove them from JWKS when all tokens have expired
  • Signing keys management page in admin console — key history table with status badges (Active, Verification only, Retired)
  • Token verification gracefully handles rotated keys — reads kid from JWT header, falls back to active key for legacy tokens
  • New audit events: ADMIN_KEY_ROTATED and ADMIN_KEY_RETIRED
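
The key lifecycle described above (active, verification-only, retired; kid lookup with the legacy fallback; retirement only after the key's tokens have expired), as an added Python model that is not kauth's own code. Class, method and status names are assumptions; the token's payload and signature segments are placeholders because the RSA step is not what these notes are about.

```python
import base64
import json
from dataclasses import dataclass, field

# Key lifecycle from the v1.5.2 notes, modelled in Python; class, method and status names are assumptions, not kauth's code.
ACTIVE, VERIFICATION_ONLY, RETIRED = "active", "verification_only", "retired"

@dataclass
class SigningKey:
    kid: str
    status: str = ACTIVE
    last_issued_exp: int = 0  # latest exp of any token signed with this key (no real RSA material here)

@dataclass
class KeyRing:
    keys: dict = field(default_factory=dict)  # kid -> SigningKey, in creation order
    active_kid: str = ""

    def rotate(self, new_kid: str) -> None:
        """Promote a freshly generated key; demote the previous active key to verification-only."""
        if self.active_kid:
            self.keys[self.active_kid].status = VERIFICATION_ONLY
        self.keys[new_kid] = SigningKey(new_kid)
        self.active_kid = new_kid

    def retire(self, kid: str, now: int) -> None:
        """Retirement is only safe once every token signed with the key has expired."""
        key = self.keys[kid]
        if key.status == ACTIVE or key.last_issued_exp > now:
            raise ValueError(f"{kid} is active or still has unexpired tokens")
        key.status = RETIRED

    def jwks_kids(self) -> list:
        """JWKS publishes active and verification-only keys; retired keys drop out."""
        return [k.kid for k in self.keys.values() if k.status != RETIRED]

    def issue(self, exp: int, with_kid: bool = True) -> str:
        """Mint a token under the active key; with_kid=False mimics a pre-v1.5.2 token. Payload and signature are placeholders."""
        key = self.keys[self.active_kid]
        key.last_issued_exp = max(key.last_issued_exp, exp)
        header = json.dumps({"alg": "RS256", **({"kid": key.kid} if with_kid else {})}).encode()
        return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"  # "e30" is base64url of {}

    def resolve_verification_key(self, token: str) -> SigningKey:
        """Pick the key named by the JWT kid header; a token without kid falls back to the active key."""
        head = token.split(".")[0]
        kid = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4))).get("kid", self.active_kid)
        if (key := self.keys.get(kid)) is None or key.status == RETIRED:
            raise PermissionError(f"unknown or retired kid {kid!r}")
        return key
```

Because a token with no kid is always checked against whatever key is currently active, tokens minted before kid headers existed stop verifying after the first rotation unless they have already expired.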
v1.5.1 April 10, 2026

Code Optimizations & N+1 Fixes

  • AdminRouteContext helper — single-call extraction of session, workspace, and workspace pairs across all admin routes
  • SecureTokens singleton — replaces 12 scattered SecureRandom() instantiations with a shared thread-safe instance
  • Batch user hydration for role and group detail pages — eliminates N+1 queries on assigned user lists
  • Extracted password policy validation into a shared method — removes duplication across password reset, invite, and change flows
  • Typed ID extraction helper — reusable Parameters.typedId<T>() replaces 33 inline toIntOrNull() patterns
v1.5.0 April 7, 2026

User Invitations & Required Actions

  • Invite users via email — admins create users and send branded invite emails instead of setting passwords directly
  • Accept-invite flow — branded page with real-time password validation, 72-hour token expiry, and automatic account activation
  • Required actions framework — extensible user action model (SET_PASSWORD) stored as PostgreSQL text[] array
  • Token purpose discriminator — invite and password-reset tokens are cryptographically separated, cross-purpose usage rejected
  • Resend invite from admin console with automatic old-token invalidation
  • New audit events: USER_INVITE_SENT and USER_INVITE_ACCEPTED
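
The purpose discriminator, 72-hour expiry and resend-invalidation behaviour above, as an added Python model that is not kauth's own code. The store shape, the server secret, the one-hour password-reset TTL and all names are assumptions; only the invite TTL comes from the notes.

```python
import hashlib
import hmac
import secrets

# Purpose-bound, single-use action tokens modelled after the v1.5.0 notes; names, storage shape
# and the secret are assumptions, not kauth's code. The 72-hour invite TTL is from the notes; the
# password-reset TTL is an assumed value.
INVITE, PASSWORD_RESET = "invite", "password_reset"
TTL = {INVITE: 72 * 3600, PASSWORD_RESET: 3600}
SERVER_SECRET = b"constructed-demo-secret"  # constructed stand-in for a server-side secret

class TokenStore:
    def __init__(self) -> None:
        self.rows: dict = {}  # digest -> {"user": ..., "purpose": ..., "exp": ...}

    @staticmethod
    def _digest(token: str, purpose: str) -> str:
        # The purpose is mixed into the stored digest, so an invite token can never
        # match a password-reset row even if the raw token is replayed on that endpoint.
        return hmac.new(SERVER_SECRET, f"{purpose}:{token}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, purpose: str, now: float) -> str:
        # Re-issuing (the admin "resend invite" action) invalidates any older token of the same purpose.
        self.rows = {d: r for d, r in self.rows.items() if (r["user"], r["purpose"]) != (user, purpose)}
        token = secrets.token_urlsafe(32)
        self.rows[self._digest(token, purpose)] = {"user": user, "purpose": purpose, "exp": now + TTL[purpose]}
        return token  # only the digest is stored; the raw token goes into the email link

    def redeem(self, token: str, purpose: str, now: float) -> str:
        # Lookup is keyed by (purpose, token): cross-purpose use finds no row and is rejected.
        row = self.rows.pop(self._digest(token, purpose), None)
        if row is None:
            raise PermissionError("unknown token or wrong purpose")
        if row["exp"] <= now:
            raise PermissionError("token expired")
        return row["user"]
```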
v1.4.1 April 5, 2026

Portal Social Accounts, Entity Picker & Pagination

  • Portal connected social accounts — users can view linked Google and GitHub identities from the self-service portal
  • Entity picker component — search-as-you-type replaces native dropdowns for role and group assignment, with debounced htmx search and keyboard navigation
  • RBAC assigned users table — role detail page shows all assigned users with direct links and remove actions
  • Pagination for users (25/page) and sessions (100 cap) with position-aware subtitles and search composition
  • JavaScript modernization — var to const/let, arrow functions, template literals, optional chaining across all bundles
v1.4.0 April 3, 2026

Auto-Update Check & Release Infrastructure

  • Auto-update check — server queries a version manifest on startup and surfaces available updates in the admin console
  • Version badge displayed in admin UI showing current running version
  • KAUTH_UPDATE_CHECK flag to disable for air-gapped deployments
  • Release infrastructure — CI manifest publishing, GitHub Pages CNAME, and release template
v1.3.3 April 2, 2026

REST API Partial Updates & UX Polish

  • REST API partial updates — PUT /users and PUT /applications accept partial payloads, omitted fields retain current values
  • Toast notifications for user actions — enable/disable, revoke sessions, resend verification email
  • CSS tooltip component with disabled-state awareness
  • Audit log filter auto-submits on change, settings save buttons show "Saving…" feedback
v1.3.2 April 1, 2026

Workspace Session Management & Audit Log Redesign

  • Workspace "Revoke all sessions" — bulk revocation across all users with confirmation dialog and audit event
  • SMTP test email button — verify configuration from the settings page
  • Webhook recovery sweep — background retry every 5 minutes, auto-fails orphaned deliveries
  • Workspace logos in admin console topbar, switcher, and detail pages
  • Audit log redesigned — color-coded badges, human-readable labels, linked clients, grouped 55-event filter
  • Composite role expansion rewritten as single recursive CTE
  • Typed webhook events — compile-time safe WebhookEventType enum
v1.3.1 March 30, 2026

Client-Side Polish & CSP Compliance

  • Real-time inline password validation checklist on all password fields — shows per-tenant policy as you type
  • Auto-dismissing toast notifications replace persistent URL banners across admin and portal
  • Full CSP compliance — zero unsafe-inline violations, all inline handlers replaced with event delegation
  • QRCode.js bundled locally — MFA enrollment works fully offline / air-gapped
  • CSS token architecture with shared structural tokens across all 4 bundles
v1.3.0 March 30, 2026

Security Hardening & CLI Tools

  • KAUTH_SECRET_KEY required in all environments — no dev-mode fallback
  • RSA private keys encrypted at rest with AES-256-GCM — plaintext keys auto-migrated on startup
  • KAUTH_ADMIN_BYPASS removed — admin auth is exclusively OAuth PKCE
  • CLI subcommands: generate-secret-key and reset-admin-mfa via java -jar kauth.jar cli
  • MFA challenge rate limiting (5 attempts per 5 minutes) and password reset rate limiting (3 requests per 5 minutes)
  • findById tenant scoping enforced at database query level — cross-tenant lookups structurally impossible
  • HTTP response compression, static asset caching, and 12 missing FK indexes
v1.2.1 March 27, 2026

New /authorize Endpoint & JS Bundling

  • /authorize shorthand replaces verbose /protocol/openid-connect/auth path
  • JS bundled with esbuild — 4 minified files with SRI integrity hashes on all script tags
  • Swagger UI bundled locally — API docs work in air-gapped environments
  • Password show/hide toggle on all password fields
  • Session revocation DB check on every request — admin revoke immediately invalidates cookies
  • Email templates redesigned with TenantTheme branding
v1.2.0 March 27, 2026

Security Hardening & Admin OAuth

  • Admin console authenticates via OAuth Authorization Code + PKCE — eats its own dogfood
  • Admin role gating — only users with the admin role on the master tenant can access the console
  • Account lockout — configurable failed login threshold with automatic lockout duration and email notification
  • OIDC end-session logout — proper RP-initiated logout with id_token_hint and open redirect prevention
  • Password changed email notification on all password change paths
  • HMAC-signed admin cookies with dedicated key derivation
  • SecurityConfig extracted to dedicated table — password policy, MFA policy, and lockout config
  • CVE patches: Netty, Jackson, Logback, PostgreSQL JDBC
  • Content-Security-Policy header, SameSite cookie attributes, thread-safe JWT cache
v1.1.x March 24–26, 2026

Reliability, Performance & External Databases

  • HikariCP connection pooling — eliminates per-request TCP/TLS overhead
  • Async email delivery — SMTP calls no longer block the auth response
  • External database compose file — bring your own PostgreSQL (RDS, Supabase, Neon, Railway, Render)
  • Multi-arch Docker images (amd64 + arm64) built natively in CI
  • Composite database indexes for session lookups and audit log queries
  • Session cleanup background job — purges expired sessions hourly
  • Rate limit keys tenant-scoped — one tenant's traffic doesn't affect another
  • Route intercept pattern — eliminated ~80 duplicate database calls across route files
  • Zero-config quickstart with demo data pre-loaded
v1.0.0 March 17, 2026

Initial Stable Release

  • OAuth 2.0 / OIDC provider — Authorization Code + PKCE, Client Credentials, token rotation, introspection, revocation, discovery
  • Multi-tenancy — isolated workspaces with per-tenant RS256 key pairs, user directories, and branding
  • RBAC — tenant-scoped and client-scoped roles, composite inheritance with cycle detection, group hierarchy
  • TOTP MFA (RFC 6238) with recovery codes and per-workspace policy enforcement
  • Social login — Google and GitHub OAuth with automatic account linking by email
  • User self-service portal — profile editing, password change, session management, MFA enrollment
  • Admin console — workspace settings, user/application/role/group management, audit log viewer
  • Webhooks — HMAC-SHA256 signed delivery for 8 event types with exponential backoff retry
  • REST API v1 — 30+ endpoints with OpenAPI 3.1 spec and Swagger UI
  • White-label theming — 9 CSS custom properties injected server-side per tenant, 3 presets included
  • Audit logging — 30+ immutable event types, append-only, queryable via API and admin UI
  • Security baseline — bcrypt, AES-256-GCM, SHA-256, RS256, rate limiting, CSRF, startup validation
  • Docker multi-stage build — published to GHCR with Flyway auto-migrations on startup
Planned

What's next

Planned but not yet scheduled. Priority reflects market demand and dependency on existing foundations.

Near-term

WebAuthn / Passkeys

Phishing-resistant, passwordless login using platform authenticators and security keys

Magic links

Passwordless email login with short-lived signed tokens

Prometheus metrics endpoint

Login rates, error rates, token issuance, and session counts exposed for monitoring

SMS OTP

Pluggable SMS provider interface for one-time password delivery

Typed TypeScript/JavaScript SDK

Wrapping the REST API and OIDC flows with full type safety

Long-term

Helm chart

Kubernetes deployment with configurable replicas, probes, and secret management

LDAP / Active Directory sync

User and group sync with configurable interval

SAML 2.0

SP-initiated and IdP-initiated flows for enterprise SSO

External OIDC broker

Relay authentication to upstream providers (Azure AD, Okta)

SCIM 2.0

Automated user provisioning from external HR and identity systems

Per-tenant email templates

Full HTML email template customization per workspace

Audit log export

Ship audit events to S3-compatible storage or SIEM webhook

Want to shape what's next?

Open an issue or start a discussion. This roadmap is driven by real use cases.