On This Page


Two Session API endpoints, GET /api/v1/sessions/me and POST /sessions/me/lifecycle/refresh, return /me instead of /${userId} in response links. These links are CORS-enabled, consistent with the original API calls which are also CORS-enabled.

For more information, see Get Session or Refresh Session.

Bugs Fixed

  • IdP keys could be deleted even when referenced by an active or inactive app instance. (OKTA-96139)
  • Properties could be deleted from the User Profile schema while still referenced as a matchAttribute in inbound SAML IdPs. (OKTA-96281)
  • Identity Providers for social authentication configured to look up usernames by Okta username or email failed to return a valid match. This failure occurred if the username was in both the username and email and a second user existed with the same email but different username. (OKTA-96335)