FusionAuth
diff --git a/‎astro/src/content/docs/release-notes/index.mdx‎
Lines changed: 193 additions & 2 deletions b/‎astro/src/content/docs/release-notes/index.mdx‎
Lines changed: 193 additions & 2 deletions
@@ -47,11 +47,202 @@ import { YouTube } from '@astro-community/astro-embed-youtube';
 
 Looking for release notes older than 1.44.0? Look in the [release notes archive](/docs/release-notes/archive). Looking to be [notified of new releases?](/docs/operate/roadmap/releases#release-notifications) <span class="not-prose no-underline"><a class="ml-2" href="/docs/releases.xml"><i class="fas fa-xs fa-rss text-orange-700 text-2xl" width="50px" /></a></span>
 
+<ReleaseNoteHeading version='1.60.0' releaseDate='September 10, 2025' name='Prompt Param Piranha' />
+
+### Security
+
+* <Issue issue="3177">
+  FusionAuth accepts access tokens to authenticate requests and to initiate user authentication workflows.
+
+   Improvements have been made to how tokens are accepted, processed and validated to ensure they are suitable to authenticate the request. This will improve security now and will be necessary to support access tokens more extensively for authenticating requests.
+  </Issue>
+
+### Changed
+
+* <Issue issue="3177">
+  Some changes have been made to the way JWTs are produced and  validated. Please read the following carefully to understand if any of these changes could impact you.
+
+  **Moved claims**
+
+  * The `gty` claim has been moved from the JWT header to the body.
+    * This claim is present in an access token or id token produced by an OAuth grant.
+  * The `use` claim has been moved from the JWT header to the body.
+    * This claim is present in an access token produced by an OAuth client credentials grant to authenticate a FusionAuth SCIM server.
+
+  **New and reserved claims**
+
+  The following claims are now reserved.
+  - `auth_time` - Reserved for all user tokens, excludes client credentials
+  - `gty` - Reserved for all tokens
+  - `tty` - Reserved for all tokens
+  - `use` - Reserved for the client credentials grant
+
+  We do not expect this change to impact our customers. If you are adding, removing or modifying these claims using a lambda function, you will need to plan to modify your integration.
+
+  These claims are not considered reserved for the Vend API.
+
+  **Token validation**
+
+  It is possible that an existing access token or id token that has not yet expired will no longer be considered valid by FusionAuth. If you are using a short lived access token with a refresh token, refreshing the access token will correct itself. These changes will not have any affect on your use of the JWTs produced by FusionAuth.
+
+  **Deprecated features removed**
+
+  The User API JWT authentication method which was deprecated in version `1.50.0` has now been removed.
+
+  </Issue>
+
+### New
+* <Issue issue="2208">
+    FusionAuth supports the OIDC _prompt_ parameter! This enables various use cases, such as silent authentication, as well requesting re-authentication and consent prompting.
+
+    Thanks to all of the community members that have helped us define this requirement, and waited patiently for it! 🎉
+
+    See [prompt](/docs/lifecycle/authenticate-users/oauth/prompt) for more information.
+  </Issue>
+
+### Fixed
+* <Issue issue="2691">
+    When decommissioning a license in a FusionAuth cluster, the change may not be reflected in all cluster nodes immediately. This can provide intermittent and inconsistent access to licensed features, depending on which node is handling a request.
+  </Issue>
+
+* <Issue issue="2887">
+    A user can be shown a rendering error while attempting to complete an email based MFA login.
+
+    The error occurs when send rate limiting has been enabled as part of Advanced Threat Detection. When the user reached the rate limit threshold for requesting emails to be sent to complete login, the intended error was not shown an instead a page rendering error was displayed.
+  </Issue>
+
+* <Issue issue="2936">
+    When a user completes a forgot password workflow, the failed login count will be reset.
+
+    This should reduce frustration for a user that changed their password after exceeding the configured failed login count. In this scenario, if the user had entered the the incorrect password again they would be required to wait for the configured time period before attempting login again. This could be quite frustrating.
+
+     Now that the failed count has been reset, the user will at least be allowed to enter the wrong password a few more times before we thwart their efforts. 😅
+  </Issue>
+
+* <Issue issue="2966">
+    When running in dark mode, or using a dark theme with a FusionAuth simple theme, some QR code scanners are unable to read the QR code for setting up MFA. We have added a light border to ensure that the QR code is still readable on a dark background. The QR code should have a high-contrast border to allow these readers to work.
+  </Issue>
+
+* <Issue issue="3148">
+    When previewing the `Phone verification required`, `Complete registration`, and `Passwordless` theme templates in an advanced theme preview window, a FreeMarker exception is displayed to the user.
+
+    This was introduced in version `1.59.0`.
+  </Issue>
+
+* <Issue issue="3151">
+    A race condition exists, when attempting to activate FusionAuth using an air-gapped license without any outbound network access that may cause the the request to fail and not correctly persist the license.
+
+    When this issue is encountered the system becomes un-licensed.
+  </Issue>
+
+* <Issue issue="3160">
+    When regenerating Reactor's encryption key, the _Breached Password Detection_ status may take longer than expected to return to _Active_.
+
+    If you were to encounter this issue, deactivating and reactivating your license will also correct the state. You can also reach out to support if you see something like this as well.
+  </Issue>
+
+* <Issue issue="3164">
+    Improved MFA configuration workflow during self-service registration when configured as required.
+  </Issue>
+
+* <Issue issue="3175">
+    In version `1.59.0`, changes were introduced that made it impossible to set webhooks for a handful of event types as transactional.
+
+    See release notes for `1.59.1` below for additional information.
+  </Issue>
+
+### Enhancements
+* <Issue issue="3177">
+   General improvements to how we handle and proces JWTs in the form of access tokens and refresh tokens.
+
+   * Adding `tty` claim to all tokens produced to easily differentiate between an access token and id token.
+   * Moving the `gty` claim from the header to the body for tokens produced by an OAuth grant.
+   * Moving the `use` claim from the header to the body for tokens produced by the client credentials grant for a SCIM server.
+   * Better support of the `token_type_hint` on the Introspect endpoint.
+   * Allow the use of refresh tokens on the Introspect endpoint with a `token_type_hint` of `refresh_token`
+  </Issue>
+
+* <Issue issue="2886">
+   Move the `gty` and `use` claims from the JWT header to the body. This should improve interoperability with various identity providers such as AWS and Microsoft.
+
+   The `gty` claim will be present for all tokens produced by an OAuth grant. The `use` claim will be present in an access token produced to authenticate the SCIM server.
+  </Issue>
+
+* <Issue issue="3032">
+    Signicantly improved performance for the bulk User Import API.
+
+    Performance will particularly be improved when you have thousands of configured applications.
+  </Issue>
+
+* <Issue issue="3154">
+    Our release process now auto-updates the the example JSON payload for usage data on collected metrics.
+
+   This documentation will remain up to date going forward.
+
+   The example data can be found on the [Collected Metrics](/docs/get-started/download-and-install/collected-metrics#detailed-metrics) page, look for Demo Data under the Detailed Metrics.
+  </Issue>
+
+* <Issue issue="3159">
+    In version `1.59.0` the password is now optional when creating or updating a user.
+
+     When returning from a third-party login, a user may be prompted to complete registration by entering a password when self-service is enabled and is configured to require a password.
+
+     This was unintended and has been corrected.
+  </Issue>
+
+* <Issue issue="3165">
+    During a password reset workflow, for a user that has MFA configured, the user will be prompted to complete the MFA challenge.
+
+    When the user completes the challenge, the remember this device checkbox even when checked may not be honored.
+
+    The result is that once the user completes the change password workflow by completing an MFA challenge, the user will be prompt again on next login. This can be frustrating, and has been corrected.
+  </Issue>
+
+* <Issue issue="3171">
+    When performing the initial setup of FusionAuth outside of FusionAuth Cloud maintenance mode assists you with configuring the connecting to the database and search service.
+
+    When we cannot connect to the database, or you have not provided enough information to make these connections an error page is displayed.
+
+    This page has been enhanced to provide better messaging and links to documentation to help you out if you need to troubleshooting the setup process.
+  </Issue>
+
+* <Issue issue="3172">
+    FusionAuth now supports multiple assertions in the SAML AuthN response.
+
+    If the AuthN response contains multiple assertions, all will be made available to the SAML reconcile lambda function.
+  </Issue>
+
+* <Issue issue="3173">
+    We significantly improved performance of User API searches returning expanded user records, and user reindex actions as well!
+  </Issue>
+
+### Internal
+* <Issue issue="3176">
+    Update dependencies.
+    * Upgrade `io.fusionauth:fusionauth-usage-stats:fusionauth-usage-stats-common` `0.6.0` -> `0.6.1`
+    * Upgrade `org.primeframework:prime-mvc` `4.34.0` -> `4.35.1`
+    * Upgrade `io.fusionauth:fusionauth-samlv2` `0.11.1` -> `1.0.0`
+  </Issue>
+
+
 <ReleaseNoteHeading version='1.59.1' releaseDate='August 20, 2025' />
 
 ### Known Issues
 
-* <KnownIssue issue="3159">Admins control whether users must have passwords for an application by modifying the application's advanced registration form. Basic registration forms always have a password field, so a password is always required. IdP logins (such as Login with Google) create users without passwords. If the users are using an IdP to log in to an application with a required password field, the user is forced to set a password.</KnownIssue>
+* <IssueResolvedVia resolvedIn="1.60.0" viaIssue="3159">
+  Admins control whether users must have passwords for an application by modifying the application's advanced registration form. Basic registration forms always have a password field, so a password is always required. IdP logins (such as Login with Google) create users without passwords. If the users are using an IdP to log in to an application with a required password field, the user is forced to set a password.
+* <IssueResolvedVia resolvedIn="1.60.0" viaIssue="3175">
+    Updating the tenant will cause the following webhook events when enabled to be configured as non-transactional. This will only affect you if you have configured one or more of these event types as transactional.
+
+    - `user.identity.update`
+    - `user.identity.verified`
+    - `user.registration.create`
+    - `user.registration.delete`
+    - `user.registration.update`
+    - `user.registration.verified`
+    - `user.update`
+  </IssueResolvedVia>
 * <KnownIssue issue="3161">IdP logins do not work for Universal Apps. Instead, the error message `Invalid_Request. Missing_tenant_id` is displayed.</KnownIssue>
 
 ### Fixed
@@ -253,7 +444,7 @@ Looking for release notes older than 1.44.0? Look in the [release notes archive]
   A few forms in the FusionAuth admin UI are setting the input focus in nonstandard ways. These include the setup wizard, the add API key view, and the edit API key view.
   </Issue>
 * <Issue issue="3117">
-  
+
   </Issue>
 
 ### Enhancements