Featbit

v5.3.4 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 20d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

ab-test ab-testing asp-net-core ci-cd c# .net

+12 more

entitlement experimentation feature feature-flags feature-management feature-toggles progressive-delivery python release-as-code remote-config self-hosted typescript

Affected surfaces

auth

ReleasePort's take

Light signal

editorial:auto 13d

Featbit 5.3.4 makes Jwt__Key mandatory for HS256 signing; startup fails without it. The release adds RS256 and ES256 support as alternatives.

Why it matters: Jwt__Key is now mandatory for HS256; missing configuration blocks startup. Test in dev before upgrading; either add the required key or migrate to RS256/ES256 signing.

Summary

AI summary

Jwt__Key becomes mandatory for HS256 signing, causing startup failure without a custom secret.

Changes in this release

Type	Severity	Summary	CVE
Breaking	Medium	Jwt__Key is now mandatory for HS256 signing. Jwt__Key is now mandatory for HS256 signing. Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	Added RS256 and ES256 support for JWT signing. Added RS256 and ES256 support for JWT signing. Source: llm_adapter@2026-05-21 Confidence: high	—

Full changelog

What's Changed

RS256/ES256 Support for JWT Signing

In addition to HS256, you can now configure the API to sign JWTs using asymmetric algorithms:

RS256 (RSA)
ES256 (ECDSA)

This update ensures better alignment with enterprise compliance and environments requiring public/private key pairs.

[!TIP]
Check out the JWT Configuration Documentation to get started with asymmetric signing.

Breaking Changes & Security Hardening

`Jwt__Key` is now Mandatory for HS256

To prevent insecure deployments using the publicly known default credentials, the Jwt__Key environment variable is no longer optional when using the HS256 algorithm.

Behavior: The API service will fail to start if Jwt__Key is missing or set to the default value.
Action Required: You must set Jwt__Key to a unique, custom secret value before upgrading.

Full Changelog: v5.3.3...v5.3.4

Breaking Changes

The `Jwt__Key` environment variable is now mandatory when the HS256 algorithm is used; the API will fail to start if it is missing or set to the default value.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Featbit

Get notified when new releases ship.

About Featbit

Enterprise-grade feature flag platform that you can self-host.

All releases →

Related context

Related tools

Earlier breaking changes

v5.4.0 Requires database schema migration scripts for PostgreSQL and MongoDB to upgrade to this release.
v5.4.0 Migrates the `tags` parameter for tag‑management endpoints from URL query string to JSON request body.
v5.4.0 Deprecates the standalone "Data Sync" module, integrating its capabilities into the "End Users" module.