> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dynamic.xyz/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Upgrading the API to 2026_04_01

Dynamic lets you opt into API changes on your own schedule. Not all updates are backwards compatible, so setting a minimum API version in the dashboard gives you control over when new behavior applies to your integration.

Go to [Dashboard > Developers > API & SDK Keys](https://app.dynamic.xyz/dashboard/developer/api) to view and set your minimum API version. New environments default to the latest version. Existing environments remain on their current version until you opt in.

## 2026\_04\_01

Setting `2026_04_01` as your minimum version unlocks two security features:

* **[Step-up authentication](/overview/authentication/step-up-auth)** — requires users to re-verify their identity before performing sensitive actions. Credential linking/unlinking and wallet export always require step-up verification. Wallet sign is optional and configurable.
* **[Device registration](/overview/security/device-registration)** — protects accounts from takeover and phishing attacks by verifying users when they sign in from an unrecognized device. They receive an email verification link before being granted access. New users are registered automatically during signup with no extra friction.

### About device registration

<Info>
  Device registration is **optional and disabled by default**. Upgrading to `2026_04_01` does not turn it on — you control rollout from the [Dynamic Dashboard](https://app.dynamic.xyz) under your environment's security settings.
</Info>

Key things to know before enabling it:

* **Optional, off by default.** The default is `false`. Nothing changes for your users until you enable it in the dashboard.
* **Phishing protection via domain allow-listing.** The verification email's redirect URL is restricted to the domains you've allow-listed for your environment (the same CORS allow-list Dynamic enforces for browser requests). An attacker hosting a phishing site on a domain outside that list cannot have the verification link redirect to their site, so they cannot complete device registration even if they've harvested the user's credentials.
* **Not compatible with in-app wallet browsers.** The verification link opens in the device's default browser, so users who sign in from inside an in-app wallet browser (for example, MetaMask, Trust Wallet, Rainbow, or Coinbase Wallet) cannot complete verification. Leave device registration disabled if your app expects users on these surfaces.

## Action required

<Warning>
  If you plan to enable device registration or use step-up authentication, you must implement both features in your app **before** setting the minimum API version. Once enabled, the backend enforces these requirements immediately — users will see errors if your app doesn't handle them.
</Warning>

### Minimum SDK versions

These minimum versions include support for **step-up authentication** and **device registration**. Implement both flows before raising your minimum API version.

| SDK          | Minimum version |
| ------------ | --------------- |
| React        | `4.76.0`        |
| React Native | `4.76.0`        |
| JavaScript   | `0.24.1`        |
| Flutter      | `1.2.10`        |
| Kotlin       | `1.0.8`         |
| Swift        | `1.0.11`        |

### Implementation guides

| SDK          | Device registration                                               | Step-up                                                             |
| ------------ | ----------------------------------------------------------------- | ------------------------------------------------------------------- |
| React        | [Guide](/react/authentication-methods/device-registration)        | [Guide](/react/authentication-methods/step-up-auth/overview)        |
| React Native | [Guide](/react-native/authentication-methods/device-registration) | [Guide](/react-native/authentication-methods/step-up-auth/overview) |
| JavaScript   | [Guide](/javascript/authentication-methods/device-registration)   | [Guide](/javascript/authentication-methods/step-up-auth/overview)   |
| Flutter      | [Guide](/flutter/authentication-methods/device-registration)      | [Guide](/flutter/authentication-methods/step-up-auth/overview)      |
| Kotlin       | [Guide](/kotlin/device-registration)                              | [Guide](/kotlin/step-up-auth)                                       |
| Swift        | [Guide](/swift/device-registration)                               | [Guide](/swift/step-up-auth)                                        |

### Widget UI

<Info>
  If you use Dynamic's built-in widget UI (e.g. the Dynamic Widget with the React SDK), you're all set — just upgrade to the minimum SDK version above. No additional UI work required.
</Info>

## AI-assisted upgrade prompts

<Tip>
  These prompts are designed for AI coding agents (Cursor, Claude Code, Copilot). Always review generated code before committing — agents can misread your project structure.

  Install the Dynamic MCP below so your agent can reference live documentation automatically. If you don't have it installed, the prompts fall back to `https://www.dynamic.xyz/docs/llms.txt`.
</Tip>

<Tabs>
  <Tab title="Cursor">
    [Click here to add the MCP to Cursor.](https://cursor.com/en/install-mcp?name=dynamic\&config=eyJ1cmwiOiJodHRwczovL3d3dy5keW5hbWljLnh5ei9kb2NzL21jcCJ9)
  </Tab>

  <Tab title="Claude Code">
    ```bash theme={"system"}
    claude mcp add --transport http dynamic https://www.dynamic.xyz/docs/mcp
    ```
  </Tab>

  <Tab title="Codex">
    ```bash theme={"system"}
    codex mcp add dynamic --url https://www.dynamic.xyz/docs/mcp
    ```
  </Tab>

  <Tab title="Other">
    If your editor or agent supports remote HTTP MCP, add a server that points at `https://www.dynamic.xyz/docs/mcp`. The exact steps depend on the product; use its MCP documentation for URL-based or HTTP transport setup.
  </Tab>
</Tabs>

<Info>
  These steps are only required for headless integrations. If you use the Dynamic Widget, both step-up authentication and device registration UI are handled automatically — skip this section.
</Info>

### Step 1: Scaffold step-up authentication screen

<Tabs>
  <Tab title="React">
    ```
    I need to add step-up authentication to my Dynamic SDK headless
    React integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where sensitive actions occur — wallet export, wallet sign,
       credential linking and unlinking
    2. Before each sensitive action, add a check using `isStepUpRequired`
       from `useStepUpAuthentication` in `@dynamic-labs/sdk-react-core`
    3. If required, call `promptStepUpAuth` with the appropriate `TokenScope`
       from `@dynamic-labs/sdk-api-core`:
       - Wallet export: `TokenScope.Walletexport`
       - Wallet sign: `TokenScope.Walletsign`
       - Credential link: `TokenScope.Credentiallink`
       - Credential unlink: `TokenScope.Credentialunlink`
    4. The SDK stores and attaches the token automatically — no manual
       token handling needed
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="JavaScript">
    ```
    I need to add step-up authentication to my Dynamic SDK headless
    JavaScript integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where sensitive actions occur — wallet export, wallet sign,
       credential linking and unlinking
    2. Before each sensitive action, add a check using `checkStepUpAuth`
       from `@dynamic-labs-sdk/client` with the appropriate scope:
       - Wallet export: `TokenScope.Walletexport`
       - Wallet sign: `TokenScope.Walletsign`
       - Credential link: `TokenScope.Credentiallink`
       - Credential unlink: `TokenScope.Credentialunlink`
    3. If required, call the appropriate verification method:
       - TOTP: `authenticateTotpMfaDevice` with `requestedScopes`
       - Passkey: `authenticatePasskeyMFA` with `requestedScopes`
    4. The SDK stores and attaches the token automatically — no manual
       token handling needed
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="React Native">
    ```
    I need to add step-up authentication to my Dynamic SDK headless
    React Native integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where sensitive actions occur — wallet export, wallet sign,
       credential linking and unlinking
    2. Before each sensitive action, add a check using:
       `client.stepUpAuth.isStepUpRequired` with the appropriate scope:
       - Wallet export: `TokenScope.Walletexport`
       - Wallet sign: `TokenScope.Walletsign`
       - Credential link: `TokenScope.Credentiallink`
       - Credential unlink: `TokenScope.Credentialunlink`
    3. If required, call the appropriate method:
       - `client.stepUpAuth.promptStepUpAuth` — let SDK pick the method
       - `client.stepUpAuth.verifyTotpMfa` — TOTP verification
       - `client.stepUpAuth.verifyPasskeyMfa` — Passkey verification
    4. The SDK stores and attaches the token automatically — no manual
       token handling needed
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="Flutter">
    ```
    I need to add step-up authentication to my Dynamic SDK headless
    Flutter integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where sensitive actions occur — wallet export, wallet sign,
       credential linking and unlinking
    2. Before each sensitive action, add a check using:
       DynamicSDK.instance.stepUpAuth.isStepUpRequired(scope)
       with the appropriate scope string:
       'wallet:export', 'wallet:sign', 'credential:link', 'credential:unlink'
    3. If required, call the appropriate method:
       - DynamicSDK.instance.stepUpAuth.promptStepUpAuth(requestedScopes)
       - DynamicSDK.instance.stepUpAuth.verifyTotpMfa
       - DynamicSDK.instance.stepUpAuth.verifyPasskeyMfa
    4. The SDK stores and attaches the token automatically — no manual
       token handling needed
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="Kotlin">
    ```
    I need to add step-up authentication to my Dynamic SDK headless Kotlin integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where sensitive actions occur — wallet export, wallet sign,
       credential linking and unlinking
    2. Before each sensitive action, add a check using:
       sdk.stepUpAuth.isStepUpRequired(scope)
       with the appropriate scope string:
       'wallet:export', 'wallet:sign', 'credential:link', 'credential:unlink'
    3. If required, call the appropriate method:
       - sdk.stepUpAuth.promptStepUpAuth(requestedScopes) — let SDK decide
       - sdk.stepUpAuth.verifyTotpMfa(code, deviceId, requestedScopes)
       - sdk.stepUpAuth.verifyPasskeyMfa(requestedScopes)
       - sdk.stepUpAuth.verifyOtp(verificationToken, requestedScopes)
    4. The SDK stores and attaches the token automatically — no manual
       token handling needed
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="Swift">
    ```
    I need to add step-up authentication to my Dynamic SDK headless
    Swift integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where sensitive actions occur — wallet export, wallet sign,
       credential linking and unlinking
    2. Before each sensitive action, add a check using:
       sdk.stepUpAuth.isStepUpRequired(scope:)
       with the appropriate scope string:
       'wallet:export', 'wallet:sign', 'credential:link', 'credential:unlink'
    3. If required, call the appropriate method:
       - sdk.stepUpAuth.promptStepUpAuth(requestedScopes:) — let SDK decide
       - sdk.stepUpAuth.verifyTotpMfa(code:deviceId:requestedScopes:)
       - sdk.stepUpAuth.verifyPasskeyMfa(requestedScopes:)
       - sdk.stepUpAuth.verifyOtp(verificationToken:requestedScopes:)
    4. The SDK stores and attaches the token automatically — no manual
       token handling needed
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>
</Tabs>

***

### Step 2: Scaffold device registration screen

<Tabs>
  <Tab title="React">
    ```
    I need to add a device registration screen to my Dynamic SDK headless
    React integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where I handle the authentication flow and user state
    2. Add a check for device registration using `isDeviceRegistrationRequired`
       from `@dynamic-labs-sdk/client` alongside `useDynamicClient`
    3. If registration is required, render a "Check your email" screen —
       the SDK sends the verification link automatically, no additional API call needed
    4. Wire up the following events using `useDynamicEvents`:
       - `deviceRegistrationCompleted` — user verified in this tab, proceed to app
       - `deviceRegistrationCompletedInAnotherTab` — user clicked link in another tab, update UI
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="JavaScript">
    ```
    I need to add a device registration flow to my Dynamic SDK headless
    JavaScript integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. On app load, add a redirect check using `detectDeviceRegistrationRedirect`
       from `@dynamic-labs-sdk/client`
    2. If the redirect is detected, call `getDeviceRegistrationTokenFromUrl`
       to extract the token and pass it to `completeDeviceRegistration`
    3. Before sensitive auth flows, check `isDeviceRegistrationRequired` —
       if true, render a "Check your email" screen
       The SDK sends the verification link automatically, no additional API call needed
    4. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="React Native">
    ```
    I need to add a device registration screen to my Dynamic SDK headless
    React Native integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where I handle the authentication flow and user state
    2. Add a check using `client.deviceRegistration.isRequired()`
    3. If required, call `client.deviceRegistration.handle()` and render
       a "Check your email" screen — the SDK sends the verification link automatically
    4. Handle the completion event to navigate the user forward once verified
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="Flutter">
    ```
    I need to add a device registration screen to my Dynamic SDK headless
    Flutter integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where I handle the authentication flow and user state
    2. Add a check using `DynamicSDK.instance.deviceRegistration.isRequired()`
    3. If required, call `DynamicSDK.instance.deviceRegistration.handle()`
       and render a "Check your email" screen —
       the SDK sends the verification link automatically
    4. Handle the completion callback to navigate the user forward once verified
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="Kotlin">
    ```
    I need to add a device registration screen to my Dynamic SDK headless
    Kotlin integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where I handle the authentication flow and user state
    2. Add a one-time check using `sdk.deviceRegistration.isDeviceRegistrationRequired`
    3. For reactive UI, observe the flow:
       `sdk.deviceRegistration.isDeviceRegistrationRequiredChanges`
    4. If registration is required, render a DeviceRegistrationBanner or
       TrustedDevicesScreen composable —
       the SDK sends the verification email automatically
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>

  <Tab title="Swift">
    ```
    I need to add a device registration screen to my Dynamic SDK headless
    Swift integration as part of the 2026_04_01 API upgrade.

    If you have the Dynamic MCP installed, use it to reference the latest API.
    Otherwise reference: https://www.dynamic.xyz/docs/llms.txt

    In my codebase:
    1. Find where I handle the authentication flow and user state
    2. Add a one-time check using `sdk.deviceRegistration.isDeviceRegistrationRequired`
    3. For reactive UI, observe as an async stream:
       `sdk.deviceRegistration.isDeviceRegistrationRequiredChanges`
    4. If registration is required, render a DeviceRegistrationBanner or
       TrustedDevicesView —
       the SDK sends the verification email automatically
    5. Do not modify any files outside of the auth flow

    After making changes, summarize what was added and flag anything that
    needs manual review.
    ```
  </Tab>
</Tabs>

***

### Headless integrations

If you have an existing headless integration, you only need to implement two new screens introduced in `2026_04_01`. See the [implementation guides](#implementation-guides) above for your SDK's step-up authentication and device registration guides.

***

## Migrating from action-based MFA to step-up authentication

<Info>
  This section is only relevant if you previously used **action-based MFA** to protect sensitive wallet operations. If you didn't, you can skip this.
</Info>

See the full [MFA migration guide](/overview/migrations/api/2026_04_01-mfa-migration).
