March 25, 2026

Security fixes for session handling, OAuth token revocation, and vendor access controls.

Security

  • Password reset no longer disrupts active sessions. Requesting a password reset no longer logs you out immediately. Sessions are only revoked when the password is actually changed, so you stay logged in until then.
  • Session verification strengthened. New sessions now check that authentication tokens have not been revoked. "Revoke all sessions" now reliably prevents re-authentication with previously issued tokens.
  • OAuth token revocation requires authentication. Revoking OAuth tokens now requires valid client credentials, preventing unauthorized third parties from revoking other users' access tokens.
  • Vendor preload import restricted to admins. The vendor preload import feature now requires admin privileges. Non-admin vendor members can no longer create issuer onboarding links or spend organization credits.
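The three session and token items above describe one pattern: a revocation set that session creation consults, password-reset completion (not the request) as the revocation trigger, and an OAuth revocation endpoint that only honours requests from an authenticated client that owns the token (the rule RFC 7009 section 2.1 sets). The following is an added illustration of that pattern, not Strutter AI's code; the in-memory store, function names and the client-secret comparison are assumptions chosen to make the behaviour testable.

```python
"""Illustrative revocation-aware session handling (added example, not Strutter AI's code)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthState:
    # token -> (owning user, issuing OAuth client); constructed in-memory store
    tokens: dict = field(default_factory=dict)
    # tokens that have been revoked; create_session consults this set
    revoked: set = field(default_factory=set)
    # session id -> user
    sessions: dict = field(default_factory=dict)
    # users with a password reset requested but not yet completed
    pending_reset: set = field(default_factory=set)
    # OAuth client_id -> client_secret (constructed; real systems store hashes)
    clients: dict = field(default_factory=dict)
    # user -> password hash (constructed placeholder)
    passwords: dict = field(default_factory=dict)


def issue_token(state: AuthState, user: str, client_id: str) -> str:
    """Mint an authentication token for `user`, recording which client issued it."""
    tok = secrets.token_urlsafe(16)
    state.tokens[tok] = (user, client_id)
    return tok


def create_session(state: AuthState, token: str):
    """Start a session only from a known token that has not been revoked.

    This is the check that makes "revoke all sessions" stick: a previously
    issued token cannot be replayed to re-authenticate once it is in `revoked`.
    """
    if token not in state.tokens or token in state.revoked:
        return None
    sid = secrets.token_urlsafe(16)
    state.sessions[sid] = state.tokens[token][0]
    return sid


def revoke_all_sessions(state: AuthState, user: str) -> None:
    """Revoke every token issued to `user` and drop their live sessions."""
    for tok, (owner, _client) in state.tokens.items():
        if owner == user:
            state.revoked.add(tok)
    for sid in [s for s, u in state.sessions.items() if u == user]:
        del state.sessions[sid]


def request_password_reset(state: AuthState, user: str) -> None:
    """Record the request only; existing sessions remain valid."""
    state.pending_reset.add(user)


def complete_password_reset(state: AuthState, user: str, new_hash: str) -> bool:
    """Change the password and revoke sessions at that point, not before."""
    if user not in state.pending_reset:
        return False
    state.pending_reset.discard(user)
    state.passwords[user] = new_hash
    revoke_all_sessions(state, user)
    return True


def revoke_oauth_token(state: AuthState, token: str, client_id: str, client_secret: str) -> bool:
    """Honour a revocation request only from an authenticated client that issued the token.

    Unauthenticated callers, wrong secrets and other clients are refused, so a
    third party cannot revoke another user's tokens. Unknown tokens are ignored
    without error, which keeps the endpoint from confirming token existence.
    """
    expected = state.clients.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return False
    entry = state.tokens.get(token)
    if entry is None:
        return True  # idempotent: nothing to revoke, nothing to reveal
    if entry[1] != client_id:
        return False  # token belongs to a different client
    state.revoked.add(token)
    return True
```

The token-to-client mapping is what turns "requires client credentials" into an ownership check rather than a mere authentication gate; with only the secret check, any registered client could still revoke tokens issued to other clients.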
March 25, 2026 | Strutter AI