[Month] Release – 25.R2

As of version 24.R2, the input in the fingerprintRaw and fingerprintHash  input data fields is optional. This applies to the following endpoints:

• POST /events

• POST /users/{userID@domain}/events/validate

• POST /transactions

• POST /users/{userID@domain}/transactions/validate

• POST /users/{userID@domain}/login

• POST /users/register

• POST /users/{userID@domain}/unregister

Orchestration error handling with the POST /orchestration-commands endpoint is deprecated and will be removed on 31 March 2026.

TBD

Status: TBD.

This version of Intelligent Adaptive Authentication contains fixes for the following vulnerabilities:

• CVE-yyyy-nnnn (xyz vulnerability)

The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided from the data type number, and if the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".

Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.10.0

• 5.9.0

• 5.8.1

• 5.8.0

• 5.7.0

• 5.6.4