Changelog
Copy page
Dated changes to the EntryBit API — new endpoints, scopes, and behavior. Newest first.
Updated
Notable changes to the EntryBit API, newest first. Breaking changes are called out explicitly; additive changes (new endpoints, new optional fields, new scopes) are not breaking. Machine-readable history lives in the OpenAPI spec.
2026-07 — Initial public release
The first public release of the EntryBit developer platform. Shipped:
- OAuth 2.0 / OpenID Connect provider. A full authorization server with the authorization-code flow and PKCE (S256) required for every client. Endpoints:
/api/oauth/authorize,/api/oauth/token,/api/oauth/userinfo,/api/oauth/introspect,/api/oauth/revoke, and RP-initiated/api/oauth/logout. RS256 signing, rotating refresh tokens with reuse detection, andiss(RFC 9207) on all authorization responses. - Discovery & JWKS.
/.well-known/openid-configuration(and the RFC 8414 alias) plus/.well-known/jwks.jsonfor offline token verification. - The
/api/v1resource API. User-delegated passes (list,create,get,revoke) and invitations, Bearer-authenticated withpasses:*andinvites:readscopes. - Organization API keys. Server-to-server
/api/v1/org/*endpoints (org-wide passes + facilities) authenticated witheb_sk_…keys carrying least-privilegeorg:*scopes, with optional expiry and source-IP allowlists. - Self-service client registration. Org admins register their own OAuth apps in Settings → Team → OAuth apps (Register an app) — public or confidential, tenant-scoped, up to 50 per org.
- OpenID Connect identity.
id_tokenwithamr(how the user authenticated) andauth_time, scope-gated identity claims, and the UserInfo endpoint. - Published OpenAPI 3.1 specification and LLM-friendly
llms.txtresources.