From 733c430a1875da911207af03ae5ba81bd437c3a8 Mon Sep 17 00:00:00 2001 From: Tamal Anwar Chowdhury Date: Thu, 26 Mar 2026 20:32:29 +0600 Subject: [PATCH 1/5] fix: add environment scope, Expo SDK version, user blocking, and HRD org notes (gap report) Made-with: Cursor --- .../home-realm-discovery.mdx | 14 +++++++++++--- .../docs/developer-tools/sdks/native/expo.mdx | 6 +++++- .../access-control/delete-or-suspend-users.mdx | 18 +++++++++++++++++- .../roles-and-permissions/user-permissions.mdx | 14 +++++++++----- .../roles-and-permissions/user-roles.mdx | 10 +++++++--- 5 files changed, 49 insertions(+), 13 deletions(-) diff --git a/src/content/docs/authenticate/enterprise-connections/home-realm-discovery.mdx b/src/content/docs/authenticate/enterprise-connections/home-realm-discovery.mdx index ce9826185..6b8b4e3c0 100644 --- a/src/content/docs/authenticate/enterprise-connections/home-realm-discovery.mdx +++ b/src/content/docs/authenticate/enterprise-connections/home-realm-discovery.mdx @@ -15,7 +15,7 @@ metadata: audience: [developer, enterprise-admin, security-engineer] complexity: intermediate keywords: [home realm discovery, HRD, IdP discovery, email domain routing, enterprise auth, SSO button] - updated: 2025-01-16 + updated: 2026-03-26 featured: false deprecated: false --- @@ -28,7 +28,7 @@ HRD is usually applied where your identity provider (IdP) is a third party, such By default, Kinde provides a universal login page where users of any enterprise connection can sign in. They are then silently routed and verified via the relevant IdP. -## How it works +## How Home Realm Discovery works at Kinde? When you set up a [Microsoft Entra ID](/authenticate/enterprise-connections/azure/) or [custom SAML](/authenticate/enterprise-connections/custom-saml/) connection, you’ll configure the home realm (or domains) to be recognized during authentication. All home realm domains must be unique across all connections in the environment. 
@@ -45,6 +45,14 @@ In the back end, the end-user is linked to the correct identity provider via the So when Jude Watson arrives at the sign in window and enters `judewatson@enterpriseA.com`, they are routed to the IdP for SAML connection A, and authenticated. -## Showing or hiding the sign in buttons +## How to show or hide the sign in buttons? Even if you have set up HRD, you can choose to show an SSO sign in button so the user has to click to proceed. Learn more [here](/authenticate/enterprise-connections/about-enterprise-connections/#show-or-hide-the-sso-sign-in-button-on-the-auth-page). + +## Does HRD affect organization selection and default org settings? + +Yes. When home realm discovery is active, enterprise users are routed directly to their identity provider based on their email domain — before any organization selection takes place. This has a few important implications: + +- **The organization selector is bypassed** — HRD takes precedence over any org selection screen. The user is authenticated into the organization associated with their enterprise connection without being prompted to choose. +- **The last-used organization setting is bypassed** — The "remember last org" behavior does not apply to users authenticating via HRD. Their session is always tied to the organization configured for their enterprise connection. +- **Setting a default organization for SAML users is not supported** — Because HRD routes users before org selection occurs, passing `org_code` to override the destination organization is not supported for enterprise connections using home realm discovery. The user will always land in the organization linked to the matching enterprise connection. diff --git a/src/content/docs/developer-tools/sdks/native/expo.mdx b/src/content/docs/developer-tools/sdks/native/expo.mdx index 0a7f3e6ab..b4431ee60 100644 --- a/src/content/docs/developer-tools/sdks/native/expo.mdx +++ b/src/content/docs/developer-tools/sdks/native/expo.mdx 
@@ -35,7 +35,7 @@ keywords: - user profile - feature flags - permissions -updated: 2024-01-15 +updated: 2026-03-26 featured: false deprecated: false ai_summary: Complete guide for Expo SDK including authentication setup, token utilities, user profile management, and mobile app integration for React Native applications. @@ -53,6 +53,10 @@ You will need Node, the React Native command line interface, a JDK, Android Stud Follow [the installation instructions for your chosen OS](https://reactnative.dev/docs/environment-setup) to install dependencies. +## Which Expo SDK versions does @kinde/expo support? + +The `@kinde/expo` package requires **Expo SDK 51 or later**. This is determined by its dependencies on `expo-auth-session`, `expo-web-browser`, `expo-secure-store`, and related packages, which are versioned alongside the Expo SDK. For the latest compatibility details, refer to the [@kinde/expo npm page](https://www.npmjs.com/package/@kinde/expo) and the package changelog. + ## Installation with Expo Managed Workflow ### Install package diff --git a/src/content/docs/manage-users/access-control/delete-or-suspend-users.mdx b/src/content/docs/manage-users/access-control/delete-or-suspend-users.mdx index 686680a2f..d96e6f9f2 100644 --- a/src/content/docs/manage-users/access-control/delete-or-suspend-users.mdx +++ b/src/content/docs/manage-users/access-control/delete-or-suspend-users.mdx @@ -29,7 +29,7 @@ keywords: - admin permissions - user management - self sign up -updated: 2026-03-03 +updated: 2026-03-26 featured: false deprecated: false ai_summary: Guide to deleting or suspending users in Kinde including suspension, restoration, and permanent deletion options for access control. 
@@ -68,3 +68,19 @@ For details on suspending an organization, see [Add and manage organizations](/b 1. Select the first option to remove the user’s access and ability to sign in to all organizations, but leave their profile in Kinde. 2. Select the second option to completely remove the user record from Kinde, including access and all subscriber lists. 5. Select **Delete user**. When the user tries to sign in, they will be prompted to sign up (if self-sign-up is allowed in your business). + +## Can I block users by email, username, or phone number? + +Kinde does not have a built-in blocklist for specific email addresses, usernames, or phone numbers. Suspending or deleting a user removes their existing account, but does not prevent someone from signing up again with the same identifier if self-sign-up is enabled. + +To block a specific identifier from being used to create new accounts, use one of these workarounds: + +- **Workflows** — Use a [post-authentication workflow](/workflows/example-workflows/workflow-user-post-auth/) to check the authenticating user's email, username, or phone number against a blocklist stored in an environment variable or external data source. If matched, the workflow can deny access using the `deny` action. +- **Webhooks** — Subscribe to the `user.created` event via [webhooks](/integrate/webhooks/about-webhooks/). When a new user signs up with a blocked identifier, call the [Management API](/kinde-apis/management#tag/users/patch/api/v1/user) to suspend or delete them immediately. +- **Management API** — React to sign-up events and use the [`PATCH /api/v1/user`](/kinde-apis/management#tag/users/patch/api/v1/user) endpoint to suspend users whose identifiers match your blocklist. + + diff --git a/src/content/docs/manage-users/roles-and-permissions/user-permissions.mdx b/src/content/docs/manage-users/roles-and-permissions/user-permissions.mdx index 701e81ecc..7b90ca287 100644 
--- a/src/content/docs/manage-users/roles-and-permissions/user-permissions.mdx +++ b/src/content/docs/manage-users/roles-and-permissions/user-permissions.mdx @@ -31,19 +31,19 @@ keywords: - dynamic permissions - token refresh - permission deletion -updated: 2024-01-15 +updated: 2026-03-26 featured: false deprecated: false ai_summary: Guide to managing user permissions in Kinde including permission creation, editing, deletion, key naming conventions, and integration with roles for access control. --- -It’s easy to manage and control user access with permissions. Once you set up permissions, they can be grouped into [roles](/manage-users/roles-and-permissions/user-roles/), to make assigning them managing access easier. +You can manage and control user access with permissions. Once you set up permissions, they can be grouped into [roles](/manage-users/roles-and-permissions/user-roles/), to make assigning them managing access easier. -## **First time creating permissions?** +## First time creating permissions? For each permission you create on Kinde, you need to assign a unique ‘key’ that your product code will reference to apply the permission. We suggest you create permissions first, and then if you want, create roles to group sets of permissions to apply to users. -## **Add a new user permission** +## Add a new user permission 1. Go to **Settings** **> User Management >** **Permissions**. If you already have permissions added, you’ll see a list of them. 2. Select **Add permission**. 
@@ -56,7 +56,7 @@ For each permission you create on Kinde, you need to assign a unique ‘key’ t 6. Select if you want this permission to be automatically added when a new role is created. You might do this for example, if the permission is something all users need to be allowed to do. 7. Select **Save**. -## **Edit permission** +## Edit permission User permissions are dynamic and refreshed via the issued token. This means that any changes you make will be applied to users, the next time they sign in. @@ -73,3 +73,7 @@ When you delete a permission, you remove the permission access from all users wh 1. Go to **Settings > User Management > Permissions**. Your list of permissions is shown. 2. Select the three dots next to the permission and choose **Delete**. A confirmation / warning message appears. 3. Select **Delete permission**. The permission is permanently deleted. + +## Are Kinde permissions shared across environments? + +Yes. Permissions are defined at the **business level**, not per environment. A permission created in your development environment is the same permission in staging and production — there is no per-environment isolation. If your team needs to test permission changes without affecting production, manage each environment in a separate Kinde business. Permissions can also be grouped into [roles](/manage-users/roles-and-permissions/user-roles/) to make assigning access easier. \ No newline at end of file diff --git a/src/content/docs/manage-users/roles-and-permissions/user-roles.mdx b/src/content/docs/manage-users/roles-and-permissions/user-roles.mdx index ce3a6c1bf..2f4edb695 100644 --- a/src/content/docs/manage-users/roles-and-permissions/user-roles.mdx +++ b/src/content/docs/manage-users/roles-and-permissions/user-roles.mdx 
@@ -35,7 +35,7 @@ keywords: - token claims - api management - role assignment -updated: 2024-01-15 +updated: 2026-03-26 featured: false deprecated: false ai_summary: Comprehensive guide to managing user roles in Kinde including role creation, editing, deletion, API integration, and token customization for access control. @@ -70,7 +70,7 @@ Tip: [Set default roles when a user signs up to an organization](/manage-users/r 7. Select the permissions that are included in the role by switching them on. See also [Define user permissions](/manage-users/roles-and-permissions/user-permissions/). 8. Select **Save**. -## **Edit user roles** +## Edit user roles You can [update user roles via the Kinde Management API](/kinde-apis/management#tag/roles/patch/api/v1/roles/{role_id}) or using the procedure below. @@ -92,7 +92,7 @@ When you delete a user role, you will remove the role as well as all the associa 2. Select the three dots next to the role and choose **Delete**. A confirmation / warning message appears. 3. Select **Delete role**. The role is deleted permanently. -## **Add user roles via API** +## Add user roles via API You can add user roles via the Kinde API. @@ -122,3 +122,7 @@ getClaim("roles"); - [View a list of permissions for a role](/kinde-apis/management#tag/roles/get/api/v1/roles/{role_id}/permissions) - [Edit permissions for a role](/kinde-apis/management#tag/roles/patch/api/v1/roles/{role_id}/permissions) - [Remove permissions from a role](/kinde-apis/management#tag/roles/delete/api/v1/roles/{role_id}/permissions/{permission_id}) + +## Are Kinde roles and permissions shared across environments? + +Yes. Roles and permissions are defined at the **business level**, not per environment. A role created in your development environment is the same role in staging and production — there is no per-environment isolation. If your team needs to test role changes without affecting production, manage each environment in a separate Kinde business. \ No newline at end of file 
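Review bot: in the home-realm-discovery.mdx hunk at `@@ -28,7 +28,7 @@`, the new heading `## How Home Realm Discovery works at Kinde?` is a statement, not a question, so the trailing question mark reads as a typo; use `## How Home Realm Discovery works at Kinde` or a real question such as `## How does Home Realm Discovery work at Kinde?`. The same applies to `## How to show or hide the sign in buttons?` in the next hunk of that file.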
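Review bot: the three bullets added under "Does HRD affect organization selection and default org settings?" (home-realm-discovery.mdx, `@@ -45,6 +45,14 @@`) state product behaviour as fact (org selector bypassed, last-used org bypassed, `org_code` not supported for HRD connections) with no link to the organization or SAML docs that define it; please cite the source or confirm with the product team before merging, since readers will design their tenant routing around these sentences. The section also only covers the matched case; a sentence on what happens when the sign-in email matches no enterprise connection would complete it.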
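Review bot: in expo.mdx (`@@ -53,6 +53,10 @@`), "requires **Expo SDK 51 or later**" is inferred from "dependencies ... versioned alongside the Expo SDK" rather than from the range the package declares; quote the declared peer dependency range and name the `@kinde/expo` version the minimum applies to, otherwise the sentence silently goes stale on the next bump. The hunk already links the npm page, so a package version or an "as of" date would make the claim checkable.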
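Review bot: in delete-or-suspend-users.mdx (`@@ -68,3 +68,19 @@`), the **Webhooks** and **Management API** bullets are after-the-fact controls: by the time `user.created` is delivered and `PATCH /api/v1/user` suspends the account, sign-up has completed and the user may already hold a session and tokens, and the permissions page touched in this same patch says changes apply at the next sign-in. State that window explicitly and point readers to the post-authentication workflow `deny` action as the only option that stops the sign-in before it completes. The third bullet also restates the second (both react to the sign-up event and call the same endpoint); merge them or describe a genuinely different trigger. The hunk additionally appends two empty lines at the end of the file; drop them.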
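Review bot: in user-permissions.mdx (`@@ -31,19 +31,19 @@`), the rewritten intro line keeps the existing grammar slip "to make assigning them managing access easier"; since the line is being edited anyway, change it to "to make assigning them and managing access easier".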
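Review bot: in user-permissions.mdx (`@@ -73,3 +73,7 @@`), "Permissions are defined at the **business level**, not per environment" and the advice to run each environment as a separate Kinde business are strong claims with no link to the environments documentation; confirm and cite them, because a reader may restructure their tenancy on this basis. The closing sentence ("Permissions can also be grouped into roles ...") repeats the page's opening paragraph and can be dropped. The file is also left without a trailing newline (`\ No newline at end of file`); add one.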
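Review bot: the section added to user-roles.mdx (`@@ -122,3 +122,7 @@`) duplicates the environment-scope section added to user-permissions.mdx in this same patch almost word for word; keep one canonical explanation and link to it from the other page so the two cannot drift apart. As with that file, the hunk leaves user-roles.mdx without a trailing newline.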
From 228ea339a40c1973e9c46c42ad09e374d5068b84 Mon Sep 17 00:00:00 2001 From: Tamal Anwar Chowdhury Date: Fri, 27 Mar 2026 12:56:41 +0600 Subject: [PATCH 2/5] fix code rabbit suggestions --- .../enterprise-connections/home-realm-discovery.mdx | 4 ++-- .../manage-users/access-control/delete-or-suspend-users.mdx | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/authenticate/enterprise-connections/home-realm-discovery.mdx b/src/content/docs/authenticate/enterprise-connections/home-realm-discovery.mdx index 6b8b4e3c0..634e7ebb6 100644 --- a/src/content/docs/authenticate/enterprise-connections/home-realm-discovery.mdx +++ b/src/content/docs/authenticate/enterprise-connections/home-realm-discovery.mdx @@ -45,9 +45,9 @@ In the back end, the end-user is linked to the correct identity provider via the So when Jude Watson arrives at the sign in window and enters `judewatson@enterpriseA.com`, they are routed to the IdP for SAML connection A, and authenticated. -## How to show or hide the sign in buttons? +## How to show or hide the sign-in buttons? -Even if you have set up HRD, you can choose to show an SSO sign in button so the user has to click to proceed. Learn more [here](/authenticate/enterprise-connections/about-enterprise-connections/#show-or-hide-the-sso-sign-in-button-on-the-auth-page). +Even if you have set up HRD, you can choose to show an SSO sign-in button so the user has to click to proceed. Learn more [here](/authenticate/enterprise-connections/about-enterprise-connections/#show-or-hide-the-sso-sign-in-button-on-the-auth-page). ## Does HRD affect organization selection and default org settings? diff --git a/src/content/docs/manage-users/access-control/delete-or-suspend-users.mdx b/src/content/docs/manage-users/access-control/delete-or-suspend-users.mdx index d96e6f9f2..0a8cabded 100644 --- a/src/content/docs/manage-users/access-control/delete-or-suspend-users.mdx 
+++ b/src/content/docs/manage-users/access-control/delete-or-suspend-users.mdx @@ -76,7 +76,7 @@ Kinde does not have a built-in blocklist for specific email addresses, usernames To block a specific identifier from being used to create new accounts, use one of these workarounds: - **Workflows** — Use a [post-authentication workflow](/workflows/example-workflows/workflow-user-post-auth/) to check the authenticating user's email, username, or phone number against a blocklist stored in an environment variable or external data source. If matched, the workflow can deny access using the `deny` action. -- **Webhooks** — Subscribe to the `user.created` event via [webhooks](/integrate/webhooks/about-webhooks/). When a new user signs up with a blocked identifier, call the [Management API](/kinde-apis/management#tag/users/patch/api/v1/user) to suspend or delete them immediately. +- **Webhooks** — Subscribe to the `user.created` event via [webhooks](/integrate/webhooks/about-webhooks/). When a new user signs up with a blocked identifier, call the [Management API](/kinde-apis/management#tag/users/patch/api/v1/user) to suspend or delete them as soon as the event is processed. - **Management API** — React to sign-up events and use the [`PATCH /api/v1/user`](/kinde-apis/management#tag/users/patch/api/v1/user) endpoint to suspend users whose identifiers match your blocklist.
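Review bot: in the home-realm-discovery.mdx hunk (`@@ -45,9 +45,9 @@`), hyphenating "sign-in" in the heading and body is correct, but `## How Home Realm Discovery works at Kinde?`, introduced a few lines above by the previous patch in this series, still carries a question mark on a declarative title and is not touched here; worth fixing in the same pass so the file's headings are consistent.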
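Review bot: in the delete-or-suspend-users.mdx hunk (`@@ -76,7 +76,7 @@`), "as soon as the event is processed" is more accurate than "immediately", but the bullet still reads as if the blocked user never gets in; between sign-up and webhook processing the account exists and a session may already have been issued. Add a sentence that the webhook route is reactive and that the workflow `deny` action in the bullet above is the only pre-emptive option.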