
API changelog

Breaking changes, new endpoints, and deprecations for the Niyra public API.

Most-recent changes first. Breaking changes are flagged BREAKING.

2026-06-11

Added

  • Personal Access Tokens (PATs). Long-lived pat_… bearer tokens minted from Settings → API. Same downstream surface as OAuth — works on every /v1/public/* endpoint. See PAT setup for the auth pattern.
  • integration_source column on usage logs. Every API-attributed usage row now carries the originating OAuth client name or pat:<name> so users can see "what called me" in the activity dashboard.
  • Admin security events feed — for internal ops use. Not in the public API surface.

Changed

  • /v1/public/* routes now accept both Bearer pat_… and Bearer <jwt> tokens. Token shape is detected by prefix — no API change for existing OAuth callers.
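A sketch of the prefix-based routing described above, added here as an illustration and not taken from Niyra's code. The PAT body alphabet and minimum length, and the names classify_bearer and AuthError, are assumptions; the page specifies only the pat_ prefix and the Bearer scheme.

```python
import re

# Assumption: the page gives only the "pat_" prefix; the body alphabet and
# minimum length below are placeholders, not Niyra's real token format.
PAT_RE = re.compile(r"pat_[A-Za-z0-9_-]{16,}")
# Compact JWS: three non-empty base64url segments separated by dots.
JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


class AuthError(Exception):
    """Raised when the Authorization header cannot be routed to a verifier."""


def classify_bearer(header):
    """Return ("pat", token) or ("jwt", token); raise AuthError otherwise.

    The result only selects which verifier runs next. It is not an
    authentication decision: a PAT still needs a store lookup and a JWT
    still needs signature, expiry and audience checks.
    """
    if not header:
        raise AuthError("missing Authorization header")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer":  # HTTP auth schemes are case-insensitive
        raise AuthError("unsupported auth scheme")
    if not token or token != token.strip() or " " in token:
        raise AuthError("malformed bearer credential")
    # Check the PAT prefix first and never fall through: anything that
    # starts with "pat_" is handled as a PAT or rejected, so a malformed
    # PAT is never handed to the JWT verifier.
    if token.startswith("pat_"):
        if not PAT_RE.fullmatch(token):
            raise AuthError("malformed PAT")
        return "pat", token
    if JWT_RE.fullmatch(token):
        return "jwt", token
    raise AuthError("unrecognised token shape")
```

Failing closed on every unrecognised shape keeps the two verifiers disjoint, so a credential can never be validated by the wrong path.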

2026-06-09

Added

  • OpenAPI 3.1 spec at /v1/public/openapi.json. Generated from the same code that serves the endpoints, so it's always in sync. Import into Postman / Insomnia / Swagger UI.
  • Activity dashboard at Settings → API → Activity. Per-client + per-tool breakdown over a 7/30/90-day window, plus a 20-row recent-events timeline.

Fixed

  • Auth-code replay cascade revocation now correctly invalidates the entire token chain (OAuth 2.1 §6.1).
  • Spawn-on-timeout path no longer leaves drain goroutines pinned when the inline path exits early.

2026-06-04

Added

  • MCP server at /mcp. JSON-RPC 2.0 over Streamable HTTP per the MCP 2025-06-18 spec. Tools: niyra_ask, niyra_execute, niyra_followup, niyra_memories, niyra_remember, niyra_get_task.
  • OAuth 2.1 authorization server at /oauth/authorize + /oauth/token. PKCE S256 required for public clients. RFC 8707 audience binding (resource parameter).
  • Dynamic Client Registration (RFC 7591) at /oauth/register. Self-service — no manual review.
  • Discovery endpoints: /.well-known/oauth-authorization-server (RFC 8414), /.well-known/jwks.json.
  • Revocation endpoint at /oauth/revoke (RFC 7009).
  • Introspection endpoint at /oauth/introspect (RFC 7662).

Initial scope catalog

  • niyra:ask
  • niyra:execute
  • niyra:followup
  • niyra:memories:read
  • niyra:memories:write
  • niyra:tasks:read

Versioning

The public API is under the /v1/public/* path. Breaking changes will land under /v2/public/*, with /v1/public/* continuing to work for at least 12 months after /v2/public/* reaches general availability.

Non-breaking changes (new optional fields, new endpoints, looser validation) can land in /v1/public/* at any time.

Subscribe

Watch this page for updates. A formal subscription mechanism (email + RSS) lands in a future release.

FAQ

What's Niyra's deprecation policy?
90 days minimum from public deprecation notice to removal. Breaking changes ship behind a new major version path, never silently.