DATE:
AUTHOR:
Ory Team
Ory Network Ory Kratos Ory Polis Ory Elements Ory Enterprise License

Ory Network, Ory Kratos, Ory Polis, Ory Elements v26.2.18 released


Ory Network

Pause and resume event streams

Event streams now have a status field that is either active or paused. A paused stream stays fully configured, but Ory stops forwarding events to it until you set it back to active.

In the Ory Console you can now pause or resume a stream from its menu, see each stream's status in the table, and create a stream as paused with a toggle.

Through the API, set the status field when creating or updating a stream. To pause without resubmitting the destination, send only the status:

PUT /projects/{project_id}/eventstreams/{event_stream_id}
{ "status": "paused" }

  • New event streams are active by default.

  • Updating an event stream is now a partial update: every field is optional and omitted fields keep their current value.

  • Pausing skips the destination connectivity check, so you can pause (or create as paused) a stream whose destination is currently unreachable.

Project creation no longer rejects plan-gated settings in entitled workspaces

Creating a project in a workspace whose subscription includes a plan-gated setting (such as cacheable sessions / Edge Cache, CAPTCHA, or SAML) now succeeds. Previously, creation resolved entitlements against the free plan because the project did not exist yet, so it returned 403 feature_not_available even when the target workspace's subscription included the feature.

Plan checks during creation now resolve through the target workspace. Validation on the update path is unchanged.

Talos hardening: key redaction, audit-event tracing, rotation retention, and validation fixes

This release fixes four issues found during the Ory Talos pre-launch review:

  • Signing-key material no longer appears in logs or traces. Errors raised while fetching or parsing base64:// signing-key URLs now redact the embedded key payload and reference the key by its position in the configuration instead. This also hardens the shared configuration fetcher used across Ory services.

  • Audit events are no longer dropped when tracing is enabled. Tracer initialization failed on startup due to an OpenTelemetry schema conflict, silently disabling all audit events. Initialization now succeeds, and any future tracer failure logs an error stating that audit events will be dropped.

  • Key rotation now applies the 30-day revocation retention window. Rotating an API key previously cleared the old key's expiry, leaving the revoked record without an expiration. Rotation now sets the same revocation expiry as direct revocation (the later of 30 days from now or the original expiry), and the rotation response reflects it.

  • Batch key import validates each item like single import. Batch items now enforce the same field limits as ImportApiKey (key length, name and actor ID length, scope count and length, request ID length). Invalid items fail individually with INVALID_ARGUMENT while valid items in the same batch still succeed.

  • Clearing scopes via update_mask now works. Updating a key with update_mask: ["scopes"] and an empty scope list previously returned success but kept the old scopes. The update now clears them for both issued and imported keys.
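
The redaction described in the first item, sketched in Go as an added example (not Ory's code; the function names and sample key URLs are constructed for illustration). It puts a naive decoder that echoes the URL into its error next to a loader that reports only the key's position in the list.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

const scheme = "base64://"

// decodeNaive shows the leak: the raw URL, and with it the key payload,
// ends up in the error text that is later logged or attached to a trace.
func decodeNaive(raw string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(raw, scheme))
	if err != nil {
		return nil, fmt.Errorf("parsing signing key %q: %w", raw, err)
	}
	return key, nil
}

// loadSigningKeys is the hardened form: errors name the entry by its index
// in the configured list and never include any part of the URL.
func loadSigningKeys(urls []string) ([][]byte, error) {
	keys := make([][]byte, 0, len(urls))
	for i, raw := range urls {
		if !strings.HasPrefix(raw, scheme) {
			return nil, fmt.Errorf("signing key at index %d: unsupported scheme (value redacted)", i)
		}
		key, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(raw, scheme))
		if err != nil {
			return nil, fmt.Errorf("signing key at index %d: payload is not valid base64 (value redacted)", i)
		}
		keys = append(keys, key)
	}
	return keys, nil
}

func main() {
	// Constructed sample values; the second entry contains a stray '!'.
	urls := []string{"base64://c2FtcGxlLWtleS0w", "base64://c2FtcGxl!LWtleS0x"}
	_, naiveErr := decodeNaive(urls[1])
	_, err := loadSigningKeys(urls)
	fmt.Println("naive:   ", naiveErr)
	fmt.Println("hardened:", err)
}
```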


This is now available on Ory Network and for the Ory Enterprise License.


Ory Kratos

Fix SCIM group membership data loss and conflict reporting

Fixes several SCIM provisioning defects affecting Microsoft Entra ID, Okta, and WorkOS clients.

  • Removing a member from a group no longer removes that user from their other groups; the delete is scoped to the changed group.

  • Groups now return their complete membership: no duplicated entries, and no silent truncation past 1000 combined members and subgroups (which previously dropped the missing members on the next update).

  • PATCH remove without a path now returns 400 noTarget (RFC 7644) instead of erasing the entire user or group.

  • Creating a user that already exists returns 409 uniqueness instead of 500. Duplicate group externalId and cross-organization conflicts also use uniqueness.

  • Correct HTTP status on errors: an invalid filter on Users/Groups returns 400 invalidFilter (was 404 for Groups), and unexpected persistence errors return 500 (was 404).

  • An absent active attribute now defaults to active instead of creating a disabled user; explicit active: false still deactivates.

  • PATCH replace whose value-path filter matches nothing returns 400 noTarget instead of silently creating a fabricated element.
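
A minimal Go sketch of the path-less remove check described above, added here as an illustration and not taken from Ory Kratos. The type and function names are hypothetical, the request bodies are constructed, and the value-path filter case for replace is not covered.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type patchOp struct {
	Op   string `json:"op"`
	Path string `json:"path"`
}

type patchRequest struct {
	Operations []patchOp `json:"Operations"`
}

// scimError carries the HTTP status and the RFC 7644 scimType keyword.
type scimError struct {
	Status   int
	ScimType string
	Detail   string
}

func (e *scimError) Error() string {
	return fmt.Sprintf("%d %s: %s", e.Status, e.ScimType, e.Detail)
}

// validatePatch runs before any write, so a remove without a target is
// rejected instead of being read as "remove everything on this resource".
func validatePatch(body []byte) error {
	var req patchRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return &scimError{400, "invalidSyntax", "body is not a valid PatchOp message"}
	}
	for i, op := range req.Operations {
		// Op names are compared case-insensitively; whitespace is not a path.
		if strings.EqualFold(op.Op, "remove") && strings.TrimSpace(op.Path) == "" {
			return &scimError{400, "noTarget", fmt.Sprintf("Operations[%d]: remove requires a path", i)}
		}
	}
	return nil
}

func main() {
	// Constructed request bodies.
	fmt.Println(validatePatch([]byte(`{"Operations":[{"op":"remove"}]}`)))
	fmt.Println(validatePatch([]byte(`{"Operations":[{"op":"Remove","path":"members[value eq \"u1\"]"}]}`)))
}
```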


This is now available on Ory Network and for the Ory Enterprise License.


Ory Polis

Configurable retention for SCIM webhook event logs

You can now set how long SCIM (directory sync) webhook event logs are kept, using the DSYNC_WEBHOOK_LOGS_TTL environment variable. Set it to a duration such as 720h or 30d.

If you leave the variable unset, logs keep the existing 7-day retention. Set it to an empty string to keep logs indefinitely. An unrecognized value falls back to the 7-day default and logs a warning, so a typo never disables retention.
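
An added Go example of the fallback rules above (not Ory Polis code; resolveTTL and parseTTL are hypothetical names). It assumes the accepted syntax is a Go-style duration or a whole number of days with a d suffix, and treats zero, negative, or very large values as unrecognized.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

const defaultTTL = 7 * 24 * time.Hour

// resolveTTL takes the result of os.LookupEnv. A zero ttl means "keep
// indefinitely"; a non-empty warning means the value was not understood.
func resolveTTL(value string, set bool) (ttl time.Duration, warning string) {
	switch {
	case !set:
		return defaultTTL, "" // unset: existing 7-day retention
	case value == "":
		return 0, "" // explicitly empty: retention disabled on purpose
	}
	if d, ok := parseTTL(strings.TrimSpace(value)); ok {
		return d, ""
	}
	// Fail toward the default so a typo cannot silently disable cleanup.
	return defaultTTL, fmt.Sprintf("unrecognized DSYNC_WEBHOOK_LOGS_TTL %q, using %s", value, defaultTTL)
}

// parseTTL accepts a Go duration ("720h") or whole days ("30d").
// Assumption: zero, negative and absurdly large values count as unrecognized.
func parseTTL(s string) (time.Duration, bool) {
	if strings.HasSuffix(s, "d") {
		n, err := strconv.Atoi(strings.TrimSuffix(s, "d"))
		if err != nil || n <= 0 || n > 36500 {
			return 0, false
		}
		return time.Duration(n) * 24 * time.Hour, true
	}
	d, err := time.ParseDuration(s)
	return d, err == nil && d > 0
}

func main() {
	ttl, warning := resolveTTL(os.LookupEnv("DSYNC_WEBHOOK_LOGS_TTL"))
	fmt.Println("ttl:", ttl, "warning:", warning)
}
```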


This is now available for the Ory Enterprise License.


Ory Elements

Pre-fill the sign-in email from a login hint

Elements now pre-fills the email or identifier field on the login and registration screens when a login_hint is provided. The hint is read from the login_hint query parameter on the page URL, and on OAuth2 sign-in it falls back to the OpenID Connect login_hint that the relying party sent.

The hint only sets the field's initial value. It never overwrites what a user has typed, and it is never used for routing or any sign-in decision.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Hydra, Ory Keto, Ory Oathkeeper, and Ory Terraform

No significant changes in this release.
