--- title: Changelog --- # Changelog All notable changes to the **Sign in with Little X Little** platform. The platform follows [SemVer](https://semver.org/) at the API surface; breaking changes get a major version bump and a 12-month deprecation window. --- ## v1.0.0 — 2026-05-03 — :material-rocket-launch: Public release ### Added - OpenID Connect 1.0 server at `https://id.littlexlittle.org`. - Discovery (`/.well-known/openid-configuration`) and JWKS (`/.well-known/jwks.json`). - Authorization code flow with PKCE (S256). - `/oidc/token`, `/oidc/userinfo`, `/oidc/revoke`, `/oidc/introspect`, `/oidc/logout`. - JS SDK (`@littlexlittle/id`) — One-Tap, FedCM, pre-rendered button, silent sign-in. - PHP SDK (`littlexlittle/id-php`) — Composer + single-file fallback. - Developer portal at `app.littlexlittle.org/developers` for client registration. - Custom claims `lxl.app`, `lxl.access`, `lxl.master`, `lxl.role`, `lxl.links`. - Webhook delivery for 8 account events (HMAC-signed, retried). - Account linking: Google, Facebook, X, LinkedIn. - Sandbox issuer at `id-sandbox.littlexlittle.org` (weekly reset). ### Security - RS256 signing, 90-day key rotation. - PKCE required for public clients. - Refresh-token rotation with replay detection (RFC 6749 §10.4 / OAuth 2.0 BCP §4.13). - HTTPS-only cookies, `SameSite=Strict` on refresh-token cookie. - Per-client + per-IP rate limits on every interactive endpoint. --- ## Deprecation policy A feature marked `@deprecated`: 1. Is announced in the changelog with a removal date **at least 12 months out**. 2. Returns a `Sunset:` HTTP header with the planned removal date. 3. Triggers a developer-portal warning for any client still using it. 4. Is removed only after the announced date and a final 30-day reminder email. --- ## Versioning at a glance | Layer | Versioned by | |---|---| | OIDC endpoints | URL is stable; capabilities advertised in discovery. | | JS SDK | npm semver, bundled URL pinned per major (`/sdk.js` = v1). | | PHP SDK | Composer / Packagist semver. | | Webhook payloads | `event` field versioned via type names; new optional fields are not breaking. | | Custom claims | New claims may be added; existing claim semantics are stable. | Subscribe to release notes via the [GitHub Releases feed](https://github.com/littlexlittle/developers-docs/releases.atom).