HelloJohn / docs

Roadmap & Changelog

HelloJohn's planned features and release history. Track what's shipping next and what changed in each version.

What's coming

HelloJohn is under active development. The roadmap below reflects current priorities. Dates are targets, not commitments.

In progress

FeatureTargetEdition
Directory sync (SCIM 2.0)Q2 2026Cloud Enterprise
Passkey-first auth (WebAuthn primary factor)Q2 2026OSS + Cloud
SMS MFA via Twilio / VonageQ2 2026OSS + Cloud
Admin audit log UIQ2 2026Cloud
Token introspection endpointQ2 2026OSS + Cloud

Planned

FeatureTargetEdition
Organization-level SSO overrideQ3 2026Cloud Enterprise
Device fingerprinting & session bindingQ3 2026OSS + Cloud
Impersonation (admin-as-user)Q3 2026OSS + Cloud
Native Android/iOS SDKsQ3 2026OSS + Cloud
Magic links (passwordless email)Q4 2026OSS + Cloud
Fine-grained API key scopesQ4 2026OSS + Cloud

Vote on features — Open a GitHub Discussion to request features or upvote existing ones.

Changelog

v0.9.0 — March 2026

New

  • MCP Server: 46 tools for AI agent control via stdio and SSE transport
  • React Native SDK with expo-secure-store support
  • Vue 3 composables: useAuth, useSession, useUser, useOrg
  • Python SDK: FastAPI dependency + Django middleware

Improved

  • EdDSA key rotation: JWKS endpoint now supports multiple active keys
  • Organization invitations: resend + revoke from SDK
  • hjctl v2: new sessions and org command groups

Fixed

  • Refresh token rotation: concurrent refresh requests no longer cause 401 loops
  • TOTP enrollment: QR code generation failure on non-UTF-8 secrets

v0.8.0 — January 2026

New

  • TOTP MFA with backup codes
  • WebAuthn / Passkeys (FIDO2) — second factor
  • Custom JWT claims via tenant configuration
  • Organizations: invite by email, role assignment

Improved

  • Go SDK: all methods now return typed errors with Code and HTTPStatus fields
  • Next.js SDK: App Router support, auth() server helper

Fixed

  • Session revocation: sessions revoked server-side now return 401 on next refresh
  • CORS: pre-flight requests on /v1/oauth/callback no longer rejected

v0.7.0 — November 2025

New

  • Multi-tenant architecture: per-tenant database isolation
  • 9 social providers: Google, GitHub, Apple, Microsoft, Discord, Twitter/X, Facebook, LinkedIn, Slack
  • HelloJohn Cloud launch (managed service)

Improved

  • Control Plane API: tenant provisioning time reduced from ~2s to ~200ms
  • Rate limiting: per-tenant limits configurable via API

v0.6.0 — September 2025

New

  • Initial public release (OSS)
  • Email + password auth
  • JWT (EdDSA/Ed25519) issuance
  • React and Node.js SDKs
  • hjctl CLI v1
  • Docker Compose deployment

Stay updated

Next steps

Glossary

Definitions of key terms used throughout the HelloJohn documentation.

Quickstart — React

Add HelloJohn authentication to your React app in 10 minutes. Sign up, sign in, and protect routes with 5 lines of code.

On this page

What's comingIn progressPlannedChangelogv0.9.0 — March 2026v0.8.0 — January 2026v0.7.0 — November 2025v0.6.0 — September 2025Stay updatedNext steps