v25.4.0

This release of Ory Keto brings important security updates, improved pagination, and new functionality for encrypted page tokens. It also includes a Go runtime upgrade addressing a CVE.

Ory has moved to a new versioning scheme. Read about our new version scheme. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.

Highlights

Encrypted page tokens

Pagination tokens are now encrypted, improving privacy and resilience against tampering. This change ensures that sensitive pagination state is never exposed in plaintext.

Go 1.24.4 upgrade (CVE-2025-4673)

Keto now runs on Go 1.24.4, which fixes CVE-2025-4673. All deployments should upgrade promptly to benefit from the security fix.

Improvements

• Adopted helpers from ory/x for pagination, reducing code duplication and simplifying maintenance.
• Fallback keys are now hard-coded to avoid panics if no configuration is present.
• Vendored ory/x is now used, ensuring consistent builds and dependency stability.
• Database meta functions moved to the root ory/x package to improve reusability across Ory projects.
• Tests expanded to ensure end-to-end pagination behavior.
• Various migration fixes:
  • Correct content in down migrations is now printed.
  • Deduplication of down migrations avoids duplicate application.
  • Invalid migration names are rejected early.
  • Non-SQL files are ignored when applying migrations.
• Updated OTLP tracing defaults and improved reliability in observability.

Security

• Go runtime upgraded to 1.24.4 to address CVE-2025-4673.
• Dependency updates, including @grpc/grpc-js and other libraries.

Auto-generated release notes

Bug Fixes

• Add missing values to the session method enum (6c9016a):

• Add repo syncing for polis (bef7ae6):

• Better tracing in proxy HTTP (c1a8f1c):

• Copybara script (372b1ff):

• Deduplicate down migrations (4af256d):

• deps: Update dependency @grpc/grpc-js to v1.8.22 [security] (7315350):

• deps: Update go-x (ce0b6dd):

• Escape IPv6 regex string (05d9151):

• Failing CI in OSS repos (3fb907f):

• Fix data race in tests (bfa248e):

• Force SQL operator precedence in pagination v2 to ensure nid isolation (0c61e34):

• hydra: Instrument metrics also on public endpoints (9ea9bba):

• hydra: Use prometheus metrics instead of SQA metrics (f39a886):

• Ignore non SQL files when applying migrations (417c228):

• Implicit transactions for cockroach v23.5 and simplified migration logic (25047e1):

• Include go.mod in vendored oryx (03b3bae):

• Jsonx.ApplyJSONPatch (f8c1f68):

• keto: Use helpers from ory/x for pagination (a545c35):

• Otlp sampling rate default (bcede30):

• Print correct content of down migrations (727b2a9):

• Reject invalid migration names (322c7de):

• Remove keto from gitignore (ed39ad7):

• Return 404 on schema file not exists (6ef117e):

• Revert "fix: otlp sampling rate default (#9055)" (957b1e2):

• Simplify and fix Copybara sync job (54f5194):

• Upgrade to go 1.24.4 to fix CVE-2025-4673 (e8c829a):

• Use batch insert to speed up project changes (4b00d6f):

• Use git hash to render ory x schema references (21ccf06):

• Use hard-coded fallback key instead of panic (7f3ca7f):

• Use main branch for polis (1add72c):

Code Generation

• Prepare for OSS release - v25.4.0 (f563543):

Code Refactoring

• Move database meta functions to root x folder for reusability (7d38bde):

Features

• Add allowed domains configuration for captcha (bff0ddd):

• Autoconfigure kratos-changefeed (a3124de):

• Bump CRDB, establish foreign key, (a4c9c0f):

• changelog-oel: Choose identity schema in self-service registration and login flows (c4d8d94):

• changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (b806441):

• changelog: Migrate http router to stdlib router (d1a6695):

• Custom page token column extraction (e526b19):

• Domain telemetry improvements (b4688a8):

• Expose Ory-Error-Id HTTP header (60ff7ff):

• hydra: Split up persister (ced95f8):

• Improve domain telemetry for OSS (Hydra & Kratos) (b9901ca):

• Improved events and identity recent activity (34b5658):

• keto: Encrypted page tokens (1483345):

• Move config testhelpers to ory/x (8e82c30):

• Use stdlib HTTP router in Kratos (3fd922c):

• Use vendored ory/x (a1e3ef6):

Tests

• Add golangci-lint config and GHA (90979c1):

• e2e: Ensure Keto pagination works (459771e):

• hydra: Add snapshots for login & consent requests (e51f852):

• Improve pgxpool tests (49ec5d5):

• Resturcture and improve integration tests (7c2e2dc):

Changelog

• 481a07c chore(deps): bump alpine from 3.21.0 to 3.21.3 in /.docker (#1704)
• ca8d8ff chore(deps): bump grpc-tools from 1.12.4 to 1.13.0 (#1701)
• 694aa90 chore(deps): bump semver from 6.3.0 to 6.3.1 in /contrib/docs-code-samples in the npm_and_yarn group (#1673)
• eef59cd chore(deps): bump the npm_and_yarn group with 2 updates (#1674)
• d909668 chore(deps): update actions/setup-node action to v6
• bae4770 chore(deps): update actions/upload-artifact action to v5
• 7cec59e chore(deps): update dependency node to v24
• b76e258 chore(deps): update keto
• bb56b3f chore(deps): update keto workflows
• 7e442c7 chore(hydra): registry setup refactoring
• ba63df3 chore(kratos): cleanup and improve some tests
• a9c3fb1 chore: add migration tests in kratos non-oss for crdb
• c272ad2 chore: add pagination secrets for Kratos
• e8876c1 chore: add pre-release workflows for oss
• d85e2ac chore: additional pop options
• 70cf26e chore: axios update
• 97bd6ec chore: bump Go everywhere
• 897862b chore: bump dependencies and migrate to go tool (#1722)
• 07a4011 chore: bump deps
• 6e9304d chore: bump go deps
• d4aa8e7 chore: bump go to 1.24.6
• 27dc277 chore: bump pop to master
• 8ead071 chore: bump sec deps
• 0a89fec chore: cleanup oss workflows
• 8b1580b chore: fix build for kratos-oss
• c61356a chore: fix vulnerable dependencies
• 9685a1a chore: force replacements where expected
• 0e371e6 chore: gh actions and node lib updates
• 1b76d64 chore: go mod tidy to unblock CI
• 2ec6664 chore: improve migration testdata and assertions
• 73f9b83 chore: merge ory/x repo
• fabfcfb chore: more gh actions and npm lib updates
• 58530f6 chore: remove counting courier messages
• 4e9d683 chore: remove sdk generation action
• 67f40e5 chore: replace deprecated usages
• e1a76fc chore: security updates for go deps
• d94bd7f chore: shared serve config
• 3bfb4b7 chore: simplify service and option loading
• 306f495 chore: template migration command help
• 4fba3c5 chore: update OSS readme
• 4479e90 chore: update copybara rules
• 6e3f299 chore: update copybara transformation
• 829f770 chore: update fosite to latest master commit
• cfb0e68 chore: update github actions
• 982f743 chore: update github actions
• ff61c2c chore: update opencontainers/runc to v1.3.3
• 731868f chore: update repository templates to ory/meta@bc603a6
• d06b234 chore: update repository templates to ory/meta@d919e6f
• d0b00d3 chore: update repository templates to ory/meta@fc1b4d6
• 480fa77 chore: updated node to lts
• 8a7ee5f chore: upgrade crdb to v25.2 everywhere & deflake CI!
• d50c75e chore: use dedicated ory fork of pop
• 3bce67a ci: update oss workflows and add to renovate
• d1a6695 feat(changelog): migrate http router to stdlib router
• c4d8d94 feat(changelog-oel): choose identity schema in self-service registration and login flows
• b806441 feat(changelog-oel): improved tracing and metrics for the high-performance SQL connection pool
• ced95f8 feat(hydra): split up persister
• 1483345 feat(keto): encrypted page tokens
• bff0ddd feat: add allowed domains configuration for captcha
• a3124de feat: autoconfigure kratos-changefeed
• a4c9c0f feat: bump CRDB, establish foreign key,
• e526b19 feat: custom page token column extraction
• b4688a8 feat: domain telemetry improvements
• 60ff7ff feat: expose Ory-Error-Id HTTP header
• b9901ca feat: improve domain telemetry for OSS (Hydra & Kratos)
• 34b5658 feat: improved events and identity recent activity
• 8e82c30 feat: move config testhelpers to ory/x
• 3fd922c feat: use stdlib HTTP router in Kratos
• a1e3ef6 feat: use vendored ory/x
• 7315350 fix(deps): update dependency @grpc/grpc-js to v1.8.22 [security]
• ce0b6dd fix(deps): update go-x
• 9ea9bba fix(hydra): instrument metrics also on public endpoints
• f39a886 fix(hydra): use prometheus metrics instead of SQA metrics
• a545c35 fix(keto): use helpers from ory/x for pagination
• 6c9016a fix: add missing values to the session method enum
• bef7ae6 fix: add repo syncing for polis
• c1a8f1c fix: better tracing in proxy HTTP
• 372b1ff fix: copybara script
• 4af256d fix: deduplicate down migrations
• 05d9151 fix: escape IPv6 regex string
• 3fb907f fix: failing CI in OSS repos
• bfa248e fix: fix data race in tests
• 0c61e34 fix: force SQL operator precedence in pagination v2 to ensure nid isolation
• 417c228 fix: ignore non SQL files when applying migrations
• 25047e1 fix: implicit transactions for cockroach v23.5 and simplified migration logic
• 03b3bae fix: include go.mod in vendored oryx
• f8c1f68 fix: jsonx.ApplyJSONPatch
• bcede30 fix: otlp sampling rate default
• 727b2a9 fix: print correct content of down migrations
• 322c7de fix: reject invalid migration names
• ed39ad7 fix: remove keto from gitignore
• 6ef117e fix: return 404 on schema file not exists
• 957b1e2 fix: revert "fix: otlp sampling rate default (#9055)"
• 54f5194 fix: simplify and fix Copybara sync job
• e8c829a fix: upgrade to go 1.24.4 to fix CVE-2025-4673
• 4b00d6f fix: use batch insert to speed up project changes
• 21ccf06 fix: use git hash to render ory x schema references
• 7f3ca7f fix: use hard-coded fallback key instead of panic
• 1add72c fix: use main branch for polis
• 7d38bde refactor: move database meta functions to root x folder for reusability
• 459771e test(e2e): ensure Keto pagination works
• e51f852 test(hydra): add snapshots for login & consent requests
• 90979c1 test: add golangci-lint config and GHA
• 49ec5d5 test: improve pgxpool tests
• 7c2e2dc test: resturcture and improve integration tests

Artifacts can be verified with cosign using this public key.