Skip to main content

20-27 April 2026

Weekly update for 20-27 April 2026.

SectionHistory / Weekly changes
UpdatedApr 27, 2026
AuthorTemplate Maintainers
Versionv1.0.0
Reading time2 min

Weekly update - 20-27 April 2026

✨ New features

  • Organization-backed workspaces: Workspaces now use Better Auth organizations while keeping "Workspace" as the user-facing term. The app gained organization-scoped routes under /w/:organizationKey.

  • Workspace settings and collaboration: Added settings pages for workspace details, users, invitations, teams, and roles, plus member directories, role management, invitation creation, invitation review, and zero-workspace onboarding.

  • Allowed email-domain policies: Workspace admins can configure allowed email domains, enforce them for invitations, and see clear warnings when existing members are outside the active policy.

🔧 Improvements

  • Security defaults: Added browser security headers, production HSTS, strict remote image policy, safer auth redirect handling, and normalized public app URL configuration.

  • Invitation and member privacy: Invitation details are hidden when the signed-in user is not the invited recipient, duplicate pending invitations are prevented, and invitation acceptance updates the active workspace.

  • Workspace identity safeguards: Workspace slugs are checked across all organizations, and workspace renames no longer change the slug unless a new slug is explicitly submitted.

🐛 Fixes

  • Protected action boundary: Protected server actions now use the validated Better Auth session instead of trusting forwarded user-id headers.

  • Account session safety: Account session lists no longer expose raw Better Auth session tokens to the client.

📝 Documentation

  • Added release notes for organization-backed workspaces, security hardening, and domain restrictions. Updated README, template setup notes, and OpenSpec requirements for workspace management and invitations.