
Changelog

Product updates and improvements

Feature, Improvement

Surface catch-up release — portals, SDKs, marketing

  • Developer portal: 4 new doc pages — User Invite (M2M flow), <UserButton />, Audit Events catalog, SDK Early Access (dev tag)
  • Developer portal: per-app /applications/[id]/api-keys + /applications/[id]/invites pages, both linked from the app card
  • User portal (account.zewstid.com): /api-keys to manage keys apps have issued for you, /invites informational page, "Manage API Keys" tile in Data & Privacy
  • New gateway endpoints: GET /users/me/api-keys + DELETE /users/me/api-keys/:keyId
  • @zewstid/id-node 0.4.0 — new ZewstIDInvites class (send, read, accept) wraps the M2M invite endpoints
  • SDK README parity for @zewstid/id-react and @zewstid/id-react-native — explicit table of nextjs-only features
  • Example app gets /api-keys-demo, /protected-demo (FGA-gated route pattern), /invite-demo
  • Marketing: homepage features include Embedded Sign-In, FGA, API Keys, M2M Invites, Self-Serve Orgs. New /orgs landing page.
Feature, Improvement

API keys + related — go-live

  • User-scoped API keys: third-party apps can now issue zw_live_ / zw_test_ keys to their end-users via M2M, instead of building their own key management
  • App-declared scopes + platform scope catalog — each app declares which scopes it issues
  • Service-account grants moved to FGA — instant revocation across all in-flight tokens
  • Embedded sign-in (<EmbeddedSignIn /> and <PopupSignIn /> in @zewstid/id-nextjs)
  • Drop-in <ApiKeysManager /> React component for self-serve key management in your own app
  • Structured audit log for key issue + revoke (90-day Redis retention, queryable by user/org/time)
  • New introspection endpoint at /api/v1/api-keys/introspect — validate keys + bump usage counters atomically
  • SDK publishing now branch-routed: develop → npm.zewst.in with `dev` dist-tag, main → npmjs.org with `latest`
Feature

Short-form domains: zw.st and zewst.id

  • New zw.st/m/{token} short URL for magic-link emails — SMS-friendly and easier to copy/paste
  • zewst.id mirrors account.zewstid.com at every path (zewst.id/profile, zewst.id/security, etc.)
  • api.zw.st is now a permanent alias for api.zewstid.com — both work for SDK and direct API calls
  • Existing URLs continue to work — no client changes required
Improvement

Brand-prefixed API keys (zw_live_*, zw_test_*)

  • Newly issued production keys use the zw_live_ prefix; sandbox keys use zw_test_
  • Existing sk_live_ / sk_sandbox_ keys remain valid indefinitely — no migration required
  • API reference, SDK examples, and the user-API-keys guide updated to show the new format
Feature

Self-serve service-account scope grants + FGA/RBAC authorization

  • Application owners can create service accounts and grant declared scopes from the developer portal — no support ticket required
  • Zanzibar-style fine-grained authorization (FGA) with per-app model editor and tuple explorer
  • RBAC role definitions sync to JWT resource_access claims via Keycloak
  • New SDK hooks: useAuthz() for runtime FGA checks, useRBAC() for JWT-based role checks
  • New /authz REST endpoints for check, list-objects, list-users, expand
Feature, Improvement

Pre-Launch Polish

  • Added system status page with real-time health monitoring
  • Added API reference documentation
  • Added developer audit logs with filtering and pagination
  • Added privacy policy, terms of service, security, and compliance pages
  • Improved pricing alignment across all pages
  • Removed unverified compliance claims from landing page
Feature, SDK v0.9.0

Popup & Embedded Sign-In (Phase 19)

  • Added popup-based sign-in for embedded authentication
  • New compact login theme optimized for popup windows (500×700)
  • SDK v0.9.0 with PopupSignIn component for Next.js
  • postMessage-based auth code relay for seamless integration
Feature, Improvement

Agent Hardening (Sprint 11)

  • Agent kill switch for instant revocation
  • Human-in-the-loop (HITL) approval flows
  • Just-in-time (JIT) credential provisioning
  • Rich Authorization Requests (RAR) support
  • Workload Identity Federation (WIF)
  • Intent metadata for agent actions
Feature, Breaking Change, SDK v0.8.0

Google Model Migration

  • All apps now redirect to auth.zewstid.com for authentication
  • Removed ROPC password grant (all auth via OAuth redirect)
  • SDK v0.8.0 with breaking changes (removed createZewstIDHandlers, embedded SignIn)
  • Cross-portal SSO via browser session cookies
  • Custom identity provider image with SPIs and themes baked in
Fix

Security Fixes

  • Fixed rate limiter counter bug in Redis pipeline parsing
  • Fixed password reset token race condition with atomic GETDEL
  • Fixed webhook SSRF vulnerability with URL validation
  • Added role-based access control to admin dashboard
  • Fixed MFA cookie bypass with HMAC-signed tokens
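The webhook SSRF fix listed above is the one entry here where a worked check is useful. The block below is an added illustration, not ZewstID's gateway code: it validates a customer-supplied webhook URL by restricting scheme and port, rejecting embedded credentials, and requiring that the literal address, or every address the hostname resolves to, is globally routable (so loopback, RFC 1918, link-local and the cloud metadata address 169.254.169.254 are refused, including when wrapped as an IPv4-mapped IPv6 literal). The allowed-port set, the hostnames and the offline DNS table are constructed for the example; `live_resolver` is what production would plug in.

```python
"""Webhook URL validation against SSRF (illustrative example, not ZewstID's code)."""
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Assumed policy for the example: TLS only, and only the ports a webhook
# receiver would plausibly listen on.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443, 8443}

# Constructed DNS table so the example runs offline. "hooks.example.com" maps to
# the documented example.com address; the others stand in for an internal host,
# a DNS-rebinding host (one public answer, one metadata-service answer) and localhost.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "169.254.169.254"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS; unknown names resolve to nothing."""
    return FAKE_DNS.get(host.lower(), [])


def live_resolver(host: str) -> List[str]:
    """Real resolver for production use: every A/AAAA answer gets checked."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_public_address(ip_str: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap ::ffff:a.b.c.d so the mapped IPv4 address is judged, not the wrapper.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for private, loopback, link-local, unspecified and
    # IANA special-purpose ranges; multicast is excluded explicitly.
    return ip.is_global and not ip.is_multicast


class WebhookUrlError(ValueError):
    pass


def webhook_url_problem(url: str,
                        resolve: Callable[[str], List[str]] = live_resolver) -> Optional[str]:
    """Return None if url is an acceptable webhook target, else the reason it is not."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        return f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    port = port or 443
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    # A literal address is checked as-is. Anything else (including oddities such
    # as a bare decimal "2130706433", which some resolvers turn into 127.0.0.1)
    # goes through the resolver, and every returned address must pass.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return f"host {host!r} does not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return f"host {host!r} resolves to non-public address {addr}"
    return None


def validate_webhook_url(url: str,
                         resolve: Callable[[str], List[str]] = live_resolver) -> str:
    """Raise WebhookUrlError for a bad target; return the URL unchanged otherwise."""
    problem = webhook_url_problem(url, resolve)
    if problem:
        raise WebhookUrlError(problem)
    return url


if __name__ == "__main__":
    for candidate in ["https://hooks.example.com/events",
                      "http://hooks.example.com/events",
                      "https://internal.example.com/events",
                      "https://rebind.example.com/events",
                      "https://[::ffff:10.0.0.1]/",
                      "https://user:pw@hooks.example.com/"]:
        print(candidate, "->", webhook_url_problem(candidate, fake_resolver) or "allowed")
```

Two caveats a validator like this cannot cover on its own: the resolution at registration time is not the resolution at delivery time (DNS rebinding), so the delivery path should re-resolve and connect only to an address that passes the same check, or pin the validated address; and the HTTP client that delivers the webhook must not follow redirects, since a 302 from a public host to an internal address is the same vulnerability by another route.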