# Tenzir Platform v1.15.0

This release adds support for reading externally-supplied JWT tokens from a header, instead of manually clicking on the *Log In* button.

## 🚀 Features

### Persistent widget time range

Dec 17, 2025 · [@gitryder](https://github.com/gitryder), [@avaq](https://github.com/avaq)

The selected time range for the widgets now persists across page reloads and navigation, so you don’t have to reselect it each time.

### Add support for passing multiple issuer URLs

Dec 17, 2025 · [@lava](https://github.com/lava)

The Tenzir Platform can now accept JWTs from multiple independent issuers. This is useful in situations where the CLI and UI users are served by two different OIDC providers.

To configure multiple OIDC providers, set the `TENZIR_PLATFORM_OIDC_TRUSTED_AUDIENCES` environment variable in your `.env` file to a list of issuer configurations:

```dotenv
TENZIR_PLATFORM_OIDC_TRUSTED_AUDIENCES='[{"issuer": "https://accounts.google.com", "audiences": ["audience1"]}, {"issuer": "https://cloud.google.com/iap", "audiences": ["audience2", "audience3"]}]'
```

Note that the previous way of setting a single JSON object with `issuer` and `audiences` keys for this variable is still supported, so no change is required if you only want to use a single issuer.

### Add support for login via externally-supplied JWTs

Dec 17, 2025 · [@lava](https://github.com/lava)

You can now configure the Tenzir Platform to accept externally-supplied JWTs, instead of presenting a *Login* button and performing the OIDC flow itself. This is done by setting the `PRIVATE_JWT_FROM_HEADER` environment variable of the Tenzir UI service to the name of a header containing the external JWT.

This is useful for situations where access to the Tenzir Platform is already protected by an external authentication proxy that provides identity information to the application. In this case, the provided information can now be used directly instead of going through a second round of logins.

For example, to use this feature in combination with Google Cloud IAP, you would set `PRIVATE_JWT_FROM_HEADER=X-Goog-IAP-JWT-Assertion` and set the trusted issuer in the platform to `{"issuer":"https://cloud.google.com/iap","audiences":["<your_iap_audience>"]}`, where the audience string depends on your IAP configuration but would typically look like `"/projects/<project_number>/global/backendServices/<oauth_client_id>"`.

## 🔧 Changes

### Dashboard error handling improvements

Dec 17, 2025 · [@avaq](https://github.com/avaq)

Improve error handling related to loading dashboard data, adding cells to the dashboard, and saving/deleting dashboards.

## 🐞 Bug Fixes

### Fix nodes not changing/disappearing after editing/deleting them

Dec 17, 2025 · [@avaq](https://github.com/avaq)

Fix an issue where the node wouldn’t disappear from the list of nodes after the node was deleted, or would update itself after being renamed, from the dropdown menu (while the side bar was collapsed).

[ Download on GitHub ](https://github.com/tenzir/platform/releases/tag/v1.15.0)

[Get the release artifacts and source code.](https://github.com/tenzir/platform/releases/tag/v1.15.0)