Auth Hardening & Proxy Security
This release improves platform security with a major auth guard refactor. Authentication is now global by default, admin endpoints use dedicated controllers, and organization guards are consolidated into a single consistent layer with full test coverage.
The proxy now strips authorization headers after validation, preventing credential leakage to sandboxed services. Invitation emails sanitize organization names to prevent domain-like names from being auto-linked by email clients. File downloads with Unicode filenames now work correctly via RFC 5987 encoding.
The SDK adds connection pool saturation warnings, and the daemon ensures session exit codes are written only after output processing completes.
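The proxy behaviour described above (validate the credential, then drop the authorization header before the request reaches the sandboxed service), sketched as an added example that is not the project's own code. The header-list representation, the function names, the sample token and the inclusion of Proxy-Authorization are assumptions made for illustration.

```python
import hmac

# Constructed sample credential for this example; not a real token.
VALID_TOKEN = "example-token-123"

# Header names treated as credentials. The release notes name only the
# authorization header; Proxy-Authorization is an assumption added here.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}


def token_is_valid(token):
    """Stand-in validator (assumption): constant-time compare to one token."""
    return hmac.compare_digest(token.encode(), VALID_TOKEN.encode())


def extract_bearer(headers):
    """Return the bearer token, or None if absent, malformed or duplicated."""
    values = [v for k, v in headers if k.lower() == "authorization"]
    if len(values) != 1:
        return None  # missing, or ambiguous duplicates: refuse rather than guess
    scheme, _, token = values[0].strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def proxy_request(headers, validate=token_is_valid):
    """Validate at the proxy, then build the header list sent upstream.

    Returns (status, upstream_headers). On failure nothing is forwarded.
    """
    token = extract_bearer(headers)
    if token is None or not validate(token):
        return 401, None
    # Validation succeeded: the credential has done its job at the proxy,
    # so drop every credential header (any casing) before forwarding.
    upstream = [(k, v) for k, v in headers if k.lower() not in CREDENTIAL_HEADERS]
    return 200, upstream


# Constructed sample request as a list of (name, value) pairs.
SAMPLE_REQUEST = [
    ("Host", "sandbox.example.test"),
    ("AUTHORIZATION", "Bearer example-token-123"),
    ("Accept", "*/*"),
]

if __name__ == "__main__":
    print(proxy_request(SAMPLE_REQUEST))
```

Matching header names case-insensitively matters here: a filter that removes only the exact spelling `Authorization` would still forward the `AUTHORIZATION` header in the sample request.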
Release Details
Fixes:
api: sanitize org name in invitation emails to prevent URL auto-linking (#4341)
api: return 503 when svix is not configured (#4424)
api: sandbox runner join query uuid (#4425)
api: handle transient errors in jwt strategy (#4423)
api: truncate error message audit logs jobs (#4426)
daemon: write session exit code after output labelers drain (#4422)
proxy: remove auth header after successful validation (#4419)
sdk: conn pool saturation warning (#4386)
toolbox: add RFC 5987 encoding for Unicode filenames in multipart downloads (#4331)
Refactor:
auth guards (#4149)
Chores: