# Changelog

## 2.2.0

- Allow refresh tokens to be sent on a separate cookie
- Automatic token refresh if the access token is expired and the cookie header contains a valid refresh token

## 2.1.0

- Allow access to Gateway functions like authenticate, get_cookie_auth, get_header_auth, redirect, deny
- Allow Gateway to deny a request in case no redirect url is specified

## 2.0.0

Complete redesign

## 1.1.0

add user_id to res.connection, so request handlers can access the current user

## 1.0.0

initial release