Per-delivery refresh token TTL in hybrid mode — new hybridPolicy.cookieRefreshExpiresIn and hybridPolicy.jsonRefreshExpiresIn config fields let you issue different refresh token lifetimes for cookie-delivered (web) vs JSON-delivered (mobile, workers) clients. Typical pairing: short cookie TTL (e.g. 7d) for browsers, long JSON TTL (e.g. 90d) for mobile. The resolved TTL drives both the refresh JWT's exp claim and the refresh cookie's Max-Age, and applies consistently across login, refresh, and MFA/social challenge completion. Both fields are optional; unset falls back to jwt.refreshToken.expiresIn. Fully backward-compatible: existing configs are unchanged
Twilio SMS provider (@nauth-toolkit/sms-twilio) — new first-party SMS provider using the Twilio Programmable Messaging API. Supports direct phone numbers and Messaging Services, with full template engine and global variables support
Lazy reCAPTCHA script loading by default — RecaptchaService no longer preloads the Google reCAPTCHA script at startup. The script is loaded on first execute() call, avoiding unnecessary network requests on pages that don't need reCAPTCHA. Set autoLoadScript: true to restore eager preloading
Removed APP_INITIALIZER for reCAPTCHA — both the NgModule and provideRecaptcha() standalone paths no longer force-instantiate RecaptchaService at app bootstrap
nauth.socialRedirect on NAuthInstance — NAuth.create() now constructs and returns the SocialRedirectHandler when any social provider is enabled. Express/Fastify consumers no longer need to import from @nauth-toolkit/core/internal or manually construct the handler
Rewrote README files across all 20 packages — npm landing pages now include install commands, quick-start code examples, feature lists, related package links, and documentation links
MySQL shown as alternative — install commands and code examples in core and NestJS READMEs now show MySQL as a commented alternative alongside PostgreSQL
Fixed GitHub links — example app links now correctly point to the public repo (noorixorg/nauth)
reCAPTCHA per-action score overrides — new actionScores config option allows different minimum score thresholds for each reCAPTCHA action (e.g., stricter for signup, more permissive for login)
reCAPTCHA startup validation — new validateOnStartup config option ('warn' | 'error' | false) probes the Google API on boot to verify credentials and connectivity before serving traffic
RecaptchaProvider.validateConfig() method — providers can now implement optional startup validation; all three built-in providers (v2, v3, Enterprise) include validation logic
RecaptchaValidationResult interface — structured result type for startup validation with valid, message, hint, and httpStatus fields
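The per-delivery refresh token TTL entry above describes a resolution rule (per-delivery override, else jwt.refreshToken.expiresIn) whose result feeds both the JWT exp claim and the cookie Max-Age. The sketch below models that rule as an added example; it is not nauth-toolkit's code. Only the three config field names come from the release notes; the types, function names, the `30d` base value and the duration grammar (`<number><s|m|h|d>`) are assumptions.

```typescript
// Added illustration of the TTL resolution described in the changelog entry.
// Field names are from the release notes; everything else here is hypothetical.
type Delivery = 'cookie' | 'json';

interface RefreshTtlConfig {
  jwt: { refreshToken: { expiresIn: string } };
  hybridPolicy?: { cookieRefreshExpiresIn?: string; jsonRefreshExpiresIn?: string };
}

const UNIT_SECONDS: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };

// Parse "7d", "15m", "90d" into seconds; reject anything else so a typo
// cannot silently become a zero-length or unbounded token lifetime.
function parseDuration(value: string): number {
  const match = /^(\d+)([smhd])$/.exec(value.trim());
  if (!match) throw new Error(`unsupported duration: ${value}`);
  const seconds = Number(match[1]) * UNIT_SECONDS[match[2]];
  if (seconds <= 0) throw new Error(`duration must be positive: ${value}`);
  return seconds;
}

// Per-delivery override if set, otherwise fall back to jwt.refreshToken.expiresIn.
function resolveRefreshTtl(config: RefreshTtlConfig, delivery: Delivery): number {
  const override = delivery === 'cookie'
    ? config.hybridPolicy?.cookieRefreshExpiresIn
    : config.hybridPolicy?.jsonRefreshExpiresIn;
  return parseDuration(override ?? config.jwt.refreshToken.expiresIn);
}

// A single resolved TTL feeds both exp and Max-Age, so the cookie never
// outlives the token it carries (or the reverse).
function refreshExpiry(config: RefreshTtlConfig, delivery: Delivery, nowSec: number) {
  const ttl = resolveRefreshTtl(config, delivery);
  return {
    exp: nowSec + ttl,                              // refresh JWT exp claim
    cookieMaxAge: delivery === 'cookie' ? ttl : null, // JSON delivery sets no cookie
  };
}

// Constructed sample configs: short browser TTL, long mobile TTL, and a
// pre-existing config with no hybridPolicy overrides.
const sampleConfig: RefreshTtlConfig = {
  jwt: { refreshToken: { expiresIn: '30d' } },
  hybridPolicy: { cookieRefreshExpiresIn: '7d', jsonRefreshExpiresIn: '90d' },
};
const legacyConfig: RefreshTtlConfig = { jwt: { refreshToken: { expiresIn: '30d' } } };
```

When reviewing a deployment, the value to check is the longer JSON TTL: a 90d refresh token held by a mobile client or worker is valid for that whole window unless it is revoked.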