DATE:
AUTHOR:
Ory Team
Ory Network Ory Kratos Ory Oathkeeper

Ory Network, Ory Kratos, Ory Oathkeeper v26.1.16 released


Ory Network, Ory Kratos

Breaking change: Self-service flows now return UI errors for disabled identities

The login and registration flows now return a UI error message when an identity is disabled, instead of a 401 Unauthorized error object.
Previously, disabled identities received a 401 response. This behavior was never documented, and some SDKs returned "unknown error response" because they did not expect this status code. The new behavior returns a standard UI error message within the flow, consistent with how other self-service errors are handled.

  • Who is affected: clients that parsed the 401 status code or its error body to detect disabled identities in login or registration flows. If your UI rendering follows the standard self-service UI rendering documentation, no changes are needed.

  • What to do: if you explicitly handle 401 responses from login or registration flows to detect disabled identities, update your code to handle the error as a UI message in the flow response instead.

  • Expected rollout: on or after March 20th, 2026
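As an added example (not Ory's own code), a client-side handler for the change described above: it no longer treats a 401 as the disabled-identity signal and instead surfaces the error messages carried in the flow response. The function names, the sample payload, its message ids and texts, and the status value are constructed; the ui.messages and ui.nodes[].messages layout is assumed from the standard self-service flow format.

```javascript
// Added example. All names and sample values below are constructed for illustration.

// Collect every UI message of type "error" from a self-service flow body:
// flow-level messages (ui.messages) first, then per-node messages (ui.nodes[].messages).
function collectFlowErrors(flow) {
  const ui = flow && typeof flow === "object" ? flow.ui : undefined;
  if (!ui || typeof ui !== "object") return [];
  const top = Array.isArray(ui.messages) ? ui.messages : [];
  const nodes = Array.isArray(ui.nodes) ? ui.nodes : [];
  const perNode = nodes.flatMap((n) => (n && Array.isArray(n.messages) ? n.messages : []));
  return [...top, ...perNode]
    .filter((m) => m && m.type === "error")
    .map((m) => ({ id: m.id, text: String(m.text ?? "") }));
}

// Decide what to do with a login/registration submit response.
// There is no branch on status 401: a disabled identity now shows up as a UI
// error inside the flow, so it is rendered like any other self-service error.
function handleSubmitResponse(status, body) {
  const errors = collectFlowErrors(body);
  if (errors.length > 0) return { action: "render_errors", errors };
  if (status >= 200 && status < 300) return { action: "continue", errors: [] };
  return { action: "generic_failure", errors: [] };
}

// Constructed sample: the status, ids and texts are placeholders, not real Ory values.
const SAMPLE_STATUS = 400;
const SAMPLE_BODY = {
  id: "constructed-flow-id",
  ui: {
    messages: [
      { id: 0, type: "error", text: "constructed: this identity is disabled" },
      { id: 1, type: "info", text: "constructed: informational message" },
    ],
    nodes: [
      { group: "default", attributes: { name: "identifier" },
        messages: [{ id: 2, type: "error", text: "constructed: field error" }] },
      { group: "password", attributes: { name: "password" }, messages: [] },
    ],
  },
};

const outcome = handleSubmitResponse(SAMPLE_STATUS, SAMPLE_BODY);
// When displaying message text, assign it via textContent rather than innerHTML.
console.log(outcome.action, outcome.errors.map((e) => e.text));
```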

Ory Oathkeeper

Pass through HTTP 429 rate-limit errors with upstream headers

Oathkeeper now propagates rate-limit headers (Retry-After, and headers with the X-Rate-Limit- and RateLimit- prefixes) from upstream services when returning HTTP 429 responses. Previously, rate-limit errors lost their headers during error handling, preventing clients from knowing when to retry. This fix also resolves a potential data race caused by mutating shared error sentinel values.


This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.


Ory Hydra, Ory Keto, Ory Polis, and Ory Elements

No significant changes in this release.
