Changelog

All changes to /api/public/v1 are recorded here in reverse chronological order. Entries on the OpenAPI document track the same changes.

v1.1 — current

  • Initial publication of this documentation site for partners.
  • HMAC request signing is now required for every authenticated call. Unsigned requests return HTTP 403 Missing request signature. The PUBLIC_API_REQUIRE_HMAC env var exists only for local dev and defaults to true.
  • Result-token TTL raised from 300 s to 900 s (single-use semantics unchanged).
  • Policy catalog response tightened to exactly five stable fields (code, title, category, severity, compliance_frameworks).
  • GET /scenarios/{id}/results now returns evaluation_status: "evaluated" | "not_evaluated".
  • Webhook registration endpoints added under /webhooks with evaluation.complete as the first partner event.
  • Error envelope unified to { ok: false, error, detail } across all public API responses.
  • Evaluate batch size capped at 10 scenarios per call (was 100 internally).
  • Anomaly detection wired into PublicApiAuthMiddleware. Internal observability only.
  • Confirmed production host: api.flowbeacon.ai.

What "current" means

This site reflects the latest v1 surface. Additive changes (new optional fields, new endpoints, new optional headers) ship in place. Breaking changes will require a new /v2 prefix and a minimum 180-day overlap. See Versioning and stability.