Logo / Blog

Announcing FusionAuth Version 1.56 - The SSO Snake

FusionAuth v1.55.1 "The Holiday Hippo" brings major updates including SAML encryption support, enhanced API key security with via expiration, configurable lambda timeouts, and more.

Authors

Brad McCarty

Published: March 7, 2025

We recently released FusionAuth version 1.56.0. This version focuses on API security, and it introduces some new flexibility in how you can use SSO sessions within FusionAuth. We also have custom domains for every hosting plan.

Our fearless Senior Director of Developer Relations (welcome to the team, Kim!) has dubbed this release “The SSO Snek.” Our slithering friend is here to sneak past non existent SSO sessions and ensure a seamless experience for your users.

The SSO Snek is a sneaky little guy

And now, on to the good stuff!

API Key Security

In version 1.56.0, we’ve improved API key security by introducing secured storage. This builds on our 1.55.1 release that added expiration times. With 1.56.0, newly-created API keys are now optionally secured before being stored, reducing risks in case of a database compromise. We want to stress that the default behavior is not changing, so your existing keys will continue to work. If you want your keys secured, you will need to create new ones.

A note of caution: If you secure the API key, retrieving its value after creation is no longer possible due to this security measure. So if you need the key to be accessible in plaintext, make sure to copy it on creation or choose not to secure it.

Custom Domains for Everyone (on FusionAuth Cloud)

Custom domains allow you to keep your domain name front and center during the authentication process. So instead of a customer seeing piedpiper.fusionauth.io in the URL bar, they could see auth.piedpiper.com. This also helps with storing access tokens. If you are using the hosted backend, cookies domains will be set to piedpiper.com and therefore can be sent to any other APIs on that domain.

We’ve supported custom domains since 2021 (and unlimited domains since 2023), but they were only available on Business or Enterprise deployments. As of 1.56.0, all new FusionAuth Cloud deployments on our next-gen platform have custom domains enabled:

Here are the number of domains you get for each hosting level:

  • Basic Hosting: 1 Custom Domain
  • Business Hosting: 5 Custom Domains
  • HA Hosting: 20 Custom Domains (unlimited if you have an Enterprise plan)

Existing customers may not have access to the new custom domains, and you need to be on a more recent version of FusionAuth. If you would like to use custom domains, please contact support to learn more.

Seamless SSO Across Applications

We’ve had some customers that needed some more flexibility in how they used SSO sessions. This update ensures users stay logged in across multiple services, creating a frictionless experience for complex workflows. Here’s an example:

Suppose that you have a native application. You want to use the Login API because your app is using the IOS or Android UX.  While using your native app, you want to display a webview for an entirely different web application for which FusionAuth handles authentication. Here’s how this change improves the flow.

The flow before:

  1. A user logs in to your native application which uses the Login API because your mobile app devs wanted to use native UX controls.
  2. The native application has an access token because of a successful Login API response.
  3. When attempting to access the section of the application that contains the webview display, the user sees an authentication screen.

The flow after:

  1. A user logs in to your native application which uses the Login API because your mobile app devs wanted to use native UX controls.
  2. The native application has an access token because of a successful Login API response.
  3. When rendering the webview, the native app makes a call to the token endpoint with the access token and a redirect URI pointing to the second web application.
  4. The user is transparently logged in to the second application and can see their data.

The SSO session has been bootstrapped from the access token.

This enhancement keeps users logged in across multiple services without interruption, giving them a smoother experience. It’s especially valuable for applications that:

  • Integrate with third-party services requiring authentication handoffs
  • Use the Login API from a native or desktop app to authenticate users and want to use SSO to log into other applications
  • Need to otherwise join the FusionAuth SSO session when you only have an access token

All the Rest

We also tackled several bugs, improved admin application security, enhanced overall system performance, and added minor features to make FusionAuth even more reliable. You can find all of the granular details in the release notes.

Thanks for using FusionAuth. We’re excited to see what you build. Not using FusionAuth yet? We’ve made it easier than ever to get started for free.

Get updates on techniques, technical guides, and the latest product innovations coming from FusionAuth.

Just dev stuff. No junk.