@github-actions github-actions bot commented Sep 25, 2025

🤖 I have created a release beep boop

3.0.0 (2025-09-25)

⚠ BREAKING CHANGES

  • Release V2

Features

  • _recoverAndRefresh does not remove session on retryable error (#710) (add762e)
  • navigatorLock check for spec compatibility (#761) (8de722f)
  • acquire lock around visibility change callback (#764) (a86f07d)
  • acquire locks around mfa methods (#788) (4b6ec58)
  • add _acquireLock and navigatorLock (#736) (406e95e)
  • Add 'kakao' to Provider type (#720) (ef16123)
  • add AuthWeakPasswordError (#817) (abff667)
  • add setSession support for a SSR context (be413ca)
  • add signInWithSSO method as @experimental (#526) (a441eef)
  • add signInWithWeb3 with solana (#1037) (cff5bcb)
  • add signOut() scope option (#713) (0f04bfc)
  • add skipBrowserRedirect option to signInWithOAuth (#575) (11a0fbc), closes #417
  • add async/await support for onAuthStateChange callbacks (#685) (8aaa6ac), closes #276
  • add bindings for Multi-Factor Authentication (Phone) (#932) (b957c30)
  • add challengeAndVerify (711fcd5)
  • add debug messages and configuration (#712) (c990bc2)
  • add enhanced localStorage support check (#600) (1ee7231)
  • add experimental signInWithIdToken for Apple, Google (#603) (1763d48)
  • add getAMR and getAAL (fa38a48)
  • add identity linking methods (#814) (46d0f87)
  • add kakao to sign in with ID token (#845) (e2337ba)
  • add linkedin oidc type (#796) (58a1ee6)
  • add method for anonymous sign-in (#858) (e8a1fc9)
  • add more method implementations (d8c5234)
  • add multi-tab state change notifications (#566) (0b6c5db)
  • add new auto refresh token algorithm (#564) (013afae)
  • add pkce (#591) (2fc2781)
  • add pkce magic link bindings (#656) (e986754)
  • add pkce option to signup (#661) (eb96536)
  • add process lock for optional use in non-browser environments (React Native) (#977) (8af88b6)
  • add provider refresh token (7c310ea)
  • add resend method (#631) (1ffdd5c)
  • add SSO PKCE (#707) (ba66b4d)
  • add support for error codes (#855) (99821f4)
  • add updateUser (email_change) bindings for pkce (#665) (5ceb216)
  • allow customizing the debug log function (#785) (1f41e5d)
  • bump typescript target to ES2017 (#729) (92b47d2)
  • call SIGNED_OUT event if token refresh fails (#815) (a0ff059)
  • change location of evaluation (#703) (abd3339)
  • complete OIDC support for Apple, Google and others (#690) (6d0fd5f)
  • consider session expired with margin on getSession() without auto refresh (#1027) (80f88e4)
  • default to navigatorLock on browsers (#807) (b717b1c)
  • disallow setSession loophole (#536) (21e496c), closes #490
  • don't fire SIGNED_IN event on PASSWORD_RECOVERY (#629) (6bc45dc)
  • drop window prefix (#660) (cf37d70)
  • explicit cache: no-store in fetch (#847) (034bee0)
  • fix stack guard issues with Safari (#743) (c614101)
  • increase auto refresh tick duration to 30s from 10s (#651) (c7eb42f)
  • initial MFA stubs (358e602)
  • introduce experimental split user and session storage (#1023) (e7b2f21)
  • introduce getClaims method to verify asymmetric JWTs (#1030) (daa2669)
  • invoke callback on onAuthStateChange (#627) (832d168)
  • keep expired session on initialization (#598) (1a63a42)
  • make certain properties in UserIdentity nullable (#619) (fc4fce4)
  • Merge pull request #304 from supabase/km/refactor-sign-in (f14cc9f)
  • no persist of session with no changes in _recoverAndRefresh (#711) (964f2fd)
  • parse expires_at if present (#735) (49e7df4)
  • pkce challenge support in React Native with Segment (#772) (b4494cb)
  • pop implicit flow URL from back stack (#574) (dfdf76c)
  • provide default storage when persistSession is false or localStorage is not supported (#774) (9324fa5)
  • refactor _getSessionFromURL to be easier to read (#733) (86eb5b2)
  • refactor _handleRequest (#708) (65f1c52)
  • refactor signInWithSSO types to work with docs (#644) (85ac7d8)
  • refactor returns types to always return data (0b3086a)
  • refactor to _useSession semantics (#726) (ce5ae82)
  • refactor to _useSession semantics (#734) (5d142fa)
  • Release V2 RC (9d6d199)
  • remove cache: no-store as it breaks cloudflare (#886) (10e9d38)
  • remove all cookie related methods (6211cf1)
  • remove code param (#672) (069e695)
  • remove experimental from signInWithSSO, update docs (#643) (759cdc1)
  • remove session, emit SIGNED_OUT when JWT session_id is invalid (#905) (db41710)
  • remove stack guards, lock on external calls (#757) (617dcfd)
  • rename GoTrueApi to GoTrueAdminApi (4f6b92a)
  • return messageId when using otp (#706) (b3a6ff4)
  • return weakPassword information after sign-in (#824) (280d908)
  • return pagination data for the listUsers() method (#544) (d4fe148)
  • revert _useSession semantics for unknown issue (#732) (8e8eac9)
  • revert use Deno.unrefTimer to stop runtime from hanging (#659) (2f40f41)
  • setSession triggers SIGNED_IN event (#581) (faaaad2)
  • start adding admin mfa bindings (496f1ec)
  • support pagination options for listUsers() method (#537) (90495c9)
  • trap errors when BroadcastChannel is not supported (#626) (1c02c9f)
  • update setSession (e6ee0c6)
  • update tsdoc (#687) (15ef8b7)
  • use <= for auto refresh token threshold (#716) (4c2b3c6)
  • use Deno.unrefTimer to stop runtime from hanging (#632) (4eddc07), closes #617
  • validate uuid and sign out scope parameters to functions (#1063) (1bcb76e)
  • warn use of getSession() when isServer on storage (#846) (9ea94fe)
  • wrap navigator.locks.request with plain promise to help zone.js (#989) (2e6e07c), closes #830

Bug Fixes

  • _getSessionFromUrl() test (4838a4b)
  • _isPKCEFlow is not being awaited (#653) (35c8e2e)
  • generatePKCEChallenge should use btoa (#1044) (c06fafb)
  • getUser returns null if there is no session (#876) (6adf8ca)
  • isBrowser() to include check on window (#982) (645f224)
  • add ban_duration (ea900c7)
  • add email as a verification type (#642) (aa78b75)
  • add email change types to generateLink (fe0663e)
  • add email_address_invalid error code (#994) (232f133)
  • add emailRedirectTo option to resend method (#724) (44af61e)
  • add emailRedirectTo option to updateUser (#610) (a831a35)
  • add figma provider (#723) (3fc3b52)
  • add forgotten data option for sign ins (37d19aa)
  • add initial enroll and challenge implementations (e978aac)
  • add loose auto complete to string literals where applicable (#966) (fd9248d)
  • add missing deleted_at property to User interface (#1059) (96da194)
  • add missing new_phone property (#609) (2988031)
  • add new error codes (#979) (dfb40d2)
  • add option to pass in data (d728b6f)
  • add password recovery flow support for pkce (#813) (e46a324)
  • add reauthenticate method (#688) (0b36795)
  • add soft delete option in deleteUser (#587) (1217825)
  • add status property to AuthError (#580) (b7b66fe)
  • add verify token hash (#722) (293662c)
  • always wait for _initialize before loading the session (#747) (67eb616)
  • assert type in decodeJWTPayload (#1018) (3d80039)
  • await _saveSession and _removeSession (ebf4ce4)
  • await getSessionFromUrl in _recoverAndRefresh (4506866)
  • better defined localStorage support for debug (#753) (6a82b88)
  • bump version (02876d7)
  • Call SIGNED_OUT event where session is removed (#854) (436fd9f)
  • change enroll params to snake case (78044a4)
  • change setSession to take in an access token (ed87b76)
  • change setSession to take in an object (f7e3bc1)
  • change types to return appropriate signatures (3c5f2e0)
  • check for access token in header (#882) (ae4a53d)
  • check for Deno (#658) (6b9e92a)
  • cleanup localStorage session format (a93adc6)
  • cleanup type docs (0fe005c)
  • correct typo (828b0b3)
  • Correct typo in GoTrueClient warning message (#938) (8222ee1)
  • decode base64 to UTF8. (#528) (b4ddf4c)
  • decodeBase64URL compatibility (#586) (c9d5d01)
  • default to plain code challenge method if crypto API is undefined (#663) (455ff47)
  • defer notifyAllSubscribers in the constructor (#623) (6c842b8)
  • distinguish between malformed urls and errors (5db69b0)
  • don't call removeSession prematurely (#915) (e0dc518)
  • don't remove session for identity linking errors (#987) (e68ebe6)
  • don't remove session in resend (#717) (48f21e1)
  • don't throw error in exchangeCodeForSession (#946) (6e161ec)
  • don't throw errors in constructor (250923e)
  • drop experimental MFA tag (#547) (5826e9b)
  • Emit password recovery event from verifyOtp when otp type is recovery (#829) (78abe52)
  • eof newline (2eea38f)
  • export processLock from toplevel (#1057) (d99695a)
  • export errors (4c07a72)
  • expose role in admin user type (#790) (d2ec8ff)
  • fix broken test (fc7ac57)
  • fix ts error introduced with prettier changes (709e3f4)
  • fixes exponential backoff upon token refresh (01e39c6)
  • getUser should accept jwt (7a7075f)
  • getUser should default to authorization header (9e8d89f)
  • handle custom fetch response in error handler (7371ad6)
  • handle null current session with split session storage (#1071) (bc6192a)
  • implement exponential back off on the retries of _refreshAccessToken method (#869) (f66711d)
  • improve mfa.enroll return types (#956) (8a1ec06)
  • limit proxy session warning to once per client instance (#900) (4ecfdda)
  • listFactors should use getUser (e214bdb)
  • make types tighter for generateLink (07adc58)
  • mark captchaToken option on verifyOtp deprecated (#532) (c8b73df)
  • merge rc into mfa (4f2ada3)
  • mfa admin list factors (#562) (2b65646)
  • mfa challenge and verify (bf53819)
  • mfa verify should update current session (9ed8fcc)
  • move channel parameter from sign in to sign up (#647) (e83caba)
  • move docker compose to v2 (#940) (38eef89)
  • move isBrowser localStorage check (dffd2b9)
  • move MFA sub types to internal file (#964) (4b7455c)
  • move options into verifyOtp params (262f7e9)
  • move resetPasswordForEmail and refreshAccessToken to GoTrueClient (8f1d19e)
  • onAuthStateChange returns data object (0210ed2)
  • only remove session when there is an invalid one (ef412f1)
  • patch release workflow (#922) (f84fb50)
  • pkce does not generate truly random values in a browser (#636) (095a756)
  • refactor all pkce code into a single method (#860) (860bffc)
  • refactor update method (f794b1b)
  • refactor user methods (49aef46)
  • refreshSession() test (62996c2)
  • remove _recoverSession (6ee6f10)
  • remove internal-types.ts (#1014) (28ead89)
  • remove access token and jwt code (b5d807d)
  • remove async from generatePKCEVerifier and fix parameter of _handleProviderSignIn (#638) (ea007ca)
  • remove comments about calling getUser() in listFactors() (#570) (16d3deb)
  • remove crypto-js (#641) (09b60e5)
  • remove data property from AdminUserAttributes (#612) (e91b379)
  • remove data type (#848) (15c7c82)
  • remove duplicated methods in GoTrueApi (f6d9c41)
  • remove multitab stuff (0a9814b)
  • remove oauth flow type (#655) (f0089fa)
  • remove phone mfa deletion, match on error codes (#963) (ef3911c)
  • remove unnecessary notify events (31c9041)
  • remove xform methods (5c43ca5)
  • rename localstorage to storage (41e66e6)
  • return error early for redirects (#992) (9f32d30)
  • return error if missing session or missing custom auth header (#891) (8d16578)
  • return provider refresh token (7640bd7)
  • return redirect errors early (#1003) (9751b80)
  • return warning if persistSession is true with no storage option (#697) (4664066)
  • Revert "fix: getUser returns null if there is no session (#876)" (#889) (6755fef)
  • revert "fix: respect EXPIRY_MARGIN on getSession" (#533) (e9e0a01)
  • revert #992 and #993 (#999) (12b2848)
  • revert check for access token in header (#885) (03d8ba7)
  • revert pop implicit flow URL from back stack (#596) (8eb91a6)
  • revert using @supabase/node-fetch (#765) (22923e7)
  • send application/json in Content-Type header (#429) (0fc980c)
  • send headers on all requests (5dfdd94)
  • set jwks_cached_at (#1039) (9bdc023)
  • setSession is in broken state after v2.4.0 (#548) (0fcc8f5)
  • signInWithPassword should send sign-in event (92e4f0e)
  • signOut should ignore 403s (#894) (eeb77ce)
  • signOut should remove any unused code verifier (#664) (a922241)
  • signout should remove session if user doesn't exist (#541) (ed8fe4f)
  • spelling (56b765e)
  • suppress getSession warning whenever _saveSession is called (#895) (59ec9af)
  • throw AuthRetryableFetchError on network errors only (7e7f32f)
  • tidy up tab issue in unrelated code (9031ee9)
  • Type error on code exchange when no item in storage (#825) (6d6ec13)
  • type errors in verifyOtp (#918) (dcd0b9b)
  • typedocs docs (d4a49ee)
  • typo (#786) (45b6e3e)
  • typo in auth cookie error (489af4d)
  • typo in warning message (#975) (4f21f93)
  • update corresponding type for TOTP (65d9505)
  • update default value from totp -> TOTP (c36fa1c)
  • update docs to add scrypt (#1012) (1225239)
  • update getAAL and getAMR methods (792ea21)
  • update getAuthenticatorAssuranceLevel (4559cf3)
  • update mfa methods (#551) (958d948)
  • update resend types (#691) (aa47a89)
  • update session warning (#879) (3661130)
  • update soft-deletion docs (#973) (cb052a9)
  • update to node 18 (#582) (1947a4a)
  • update tsdocs (#559) (a2920dd)
  • update types (#930) (dbc5962)
  • update types for generateLink (99f1bec)
  • upgrade to node 20 (#839) (3c74318)
  • use @supabase/node-fetch (#763) (bdfd212)
  • use @supabase/node-fetch (#776) (e0b9c9f)
  • use captcha_token in verifyOtp (#525) (321a95e)
  • use location.assign() instead of location.href (#573) (26344e4), closes #155
  • use unref on setInterval to stop tests from hanging (#599) (1d8df28)
  • use current session in _startAutoRefreshToken callback (83f48ab)
  • use snake_case in req body keys (fcc4306)
  • validate error callback urls (c065fd4)
  • verifyOtp should not removeSession for phone_change & email_change (#698) (83bc5b6)
  • verifyOTP should send session (81b52db)
  • wait for _getSessionFromUrl (4018cae)
  • weak password error runtime type checks (#819) (016ee66)

This PR was generated with Release Please. See documentation.

@github-actions github-actions bot force-pushed the release-please--branches--master branch from 4a8ef3b to c1efaf6 Compare September 25, 2025 03:18