Skip to content

Changelog

העתקת עמוד

Dated changes to the EntryBit API — new endpoints, scopes, and behavior. Newest first.

עודכן

Notable changes to the EntryBit API, newest first. Breaking changes are called out explicitly; additive changes (new endpoints, new optional fields, new scopes) are not breaking. Machine-readable history lives in the OpenAPI spec.

2026-07 — Initial public release

The first public release of the EntryBit developer platform. Shipped:

  • OAuth 2.0 / OpenID Connect provider. A full authorization server with the authorization-code flow and PKCE (S256) required for every client. Endpoints: /api/oauth/authorize, /api/oauth/token, /api/oauth/userinfo, /api/oauth/introspect, /api/oauth/revoke, and RP-initiated /api/oauth/logout. RS256 signing, rotating refresh tokens with reuse detection, and iss (RFC 9207) on all authorization responses.
  • Discovery & JWKS. /.well-known/openid-configuration (and the RFC 8414 alias) plus /.well-known/jwks.json for offline token verification.
  • The /api/v1 resource API. User-delegated passes (list, create, get, revoke) and invitations, Bearer-authenticated with passes:* and invites:read scopes.
  • Organization API keys. Server-to-server /api/v1/org/* endpoints (org-wide passes + facilities) authenticated with eb_sk_… keys carrying least-privilege org:* scopes, with optional expiry and source-IP allowlists.
  • Self-service client registration. Org admins register their own OAuth apps in Settings → Team → OAuth apps (Register an app) — public or confidential, tenant-scoped, up to 50 per org.
  • OpenID Connect identity. id_token with amr (how the user authenticated) and auth_time, scope-gated identity claims, and the UserInfo endpoint.
  • Published OpenAPI 3.1 specification and LLM-friendly llms.txt resources.