--- title: API changelog description: Breaking changes, new endpoints, and deprecations for the Niyra public API. url: /docs/api-changelog lastUpdated: 2026-06-11 --- # API changelog # API changelog Most-recent changes first. Breaking changes are flagged **BREAKING**. ## 2026-06-11 ### Added - **Personal Access Tokens (PATs)**. Long-lived `pat_…` bearer tokens minted from Settings → API. Same downstream surface as OAuth — works on every `/v1/public/*` endpoint. See [PAT setup](/docs/api-tool-niyra-ask) for the auth pattern. - **`integration_source` column on usage logs**. Every API-attributed usage row now carries the originating OAuth client name or `pat:` so users can see "what called me" in the activity dashboard. - **Admin security events feed** — for internal ops use. Not in the public API surface. ### Changed - `/v1/public/*` routes now accept both `Bearer pat_…` and `Bearer ` tokens. Token shape is detected by prefix — no API change for existing OAuth callers. ## 2026-06-09 ### Added - **OpenAPI 3.1 spec** at `/v1/public/openapi.json`. Generated from the same code that serves the endpoints, so it's always in sync. Import into Postman / Insomnia / Swagger UI. - **Activity dashboard** at Settings → API → Activity. Per-client + per-tool breakdown over a 7/30/90-day window, plus a 20-row recent-events timeline. ### Fixed - Auth-code replay cascade revocation now correctly invalidates the entire token chain (OAuth 2.1 §6.1). - Spawn-on-timeout path no longer leaves drain goroutines pinned when the inline path exits early. ## 2026-06-04 ### Added - **MCP server at `/mcp`**. JSON-RPC 2.0 over Streamable HTTP per the MCP 2025-06-18 spec. Tools: `niyra_ask`, `niyra_execute`, `niyra_followup`, `niyra_memories`, `niyra_remember`, `niyra_get_task`. - **OAuth 2.1 authorization server** at `/oauth/authorize` + `/oauth/token`. PKCE S256 required for public clients. RFC 8707 audience binding (`resource` parameter). - **Dynamic Client Registration** (RFC 7591) at `/oauth/register`. Self-service — no manual review. - **Discovery endpoints**: `/.well-known/oauth-authorization-server` (RFC 8414), `/.well-known/jwks.json`. - **Revocation endpoint** at `/oauth/revoke` (RFC 7009). - **Introspection endpoint** at `/oauth/introspect` (RFC 7662). ### Initial scope catalog - `niyra:ask` - `niyra:execute` - `niyra:followup` - `niyra:memories:read` - `niyra:memories:write` - `niyra:tasks:read` ## Versioning The public API is under the `/v1/public/*` path. Breaking changes will land under `/v2/public/*`, with `/v1/public/*` continuing to work for at least 12 months after `/v2/public/*` reaches general availability. Non-breaking changes (new optional fields, new endpoints, looser validation) can land in `/v1/public/*` at any time. ## Subscribe Watch this page for updates. A formal subscription mechanism (email + RSS) lands in a future release.