Changelog¶

All notable changes to the Sign in with Little X Little platform. The platform follows SemVer at the API surface; breaking changes get a major version bump and a 12-month deprecation window.

v1.0.0 — 2026-05-03 — Public release¶

Added¶

OpenID Connect 1.0 server at https://id.littlexlittle.org.
Discovery (/.well-known/openid-configuration) and JWKS (/.well-known/jwks.json).
Authorization code flow with PKCE (S256).
/oidc/token, /oidc/userinfo, /oidc/revoke, /oidc/introspect, /oidc/logout.
JS SDK (@littlexlittle/id) — One-Tap, FedCM, pre-rendered button, silent sign-in.
PHP SDK (littlexlittle/id-php) — Composer + single-file fallback.
Developer portal at app.littlexlittle.org/developers for client registration.
Custom claims lxl.app, lxl.access, lxl.master, lxl.role, lxl.links.
Webhook delivery for 8 account events (HMAC-signed, retried).
Account linking: Google, Facebook, X, LinkedIn.
Sandbox issuer at id-sandbox.littlexlittle.org (weekly reset).

Security¶

RS256 signing, 90-day key rotation.
PKCE required for public clients.
Refresh-token rotation with replay detection (RFC 6749 §10.4 / OAuth 2.0 BCP §4.13).
HTTPS-only cookies, SameSite=Strict on refresh-token cookie.
Per-client + per-IP rate limits on every interactive endpoint.

Deprecation policy¶

A feature marked @deprecated:

Is announced in the changelog with a removal date at least 12 months out.
Returns a Sunset: HTTP header with the planned removal date.
Triggers a developer-portal warning for any client still using it.
Is removed only after the announced date and a final 30-day reminder email.

Versioning at a glance¶

Layer	Versioned by
OIDC endpoints	URL is stable; capabilities advertised in discovery.
JS SDK	npm semver, bundled URL pinned per major (`/sdk.js` = v1).
PHP SDK	Composer / Packagist semver.
Webhook payloads	`event` field versioned via type names; new optional fields are not breaking.
Custom claims	New claims may be added; existing claim semantics are stable.

Subscribe to release notes via the GitHub Releases feed.