Skip to main content

Changelog

Product updates and improvements

Feature

Short-form domains: zw.st and zewst.id

  • New zw.st/m/{token} short URL for magic-link emails — SMS-friendly and easier to copy/paste
  • zewst.id mirrors account.zewstid.com at every path (zewst.id/profile, zewst.id/security, etc.)
  • api.zw.st is now a permanent alias for api.zewstid.com — both work for SDK and direct API calls
  • Existing URLs continue to work — no client changes required
Improvement

Brand-prefixed API keys (zw_live_*, zw_test_*)

  • Newly issued production keys use the zw_live_ prefix; sandbox keys use zw_test_
  • Existing sk_live_ / sk_sandbox_ keys remain valid indefinitely — no migration required
  • API reference, SDK examples, and the user-API-keys guide updated to show the new format
Feature

Self-serve service-account scope grants + FGA/RBAC authorization

  • Application owners can create service accounts and grant declared scopes from the developer portal — no support ticket required
  • Zanzibar-style fine-grained authorization (FGA) with per-app model editor and tuple explorer
  • RBAC role definitions sync to JWT resource_access claims via Keycloak
  • New SDK hooks: useAuthz() for runtime FGA checks, useRBAC() for JWT-based role checks
  • New /authz REST endpoints for check, list-objects, list-users, expand
FeatureImprovement

Pre-Launch Polish

  • Added system status page with real-time health monitoring
  • Added API reference documentation
  • Added developer audit logs with filtering and pagination
  • Added privacy policy, terms of service, security, and compliance pages
  • Improved pricing alignment across all pages
  • Removed unverified compliance claims from landing page
FeatureSDK v0.9.0

Popup & Embedded Sign-In (Phase 19)

  • Added popup-based sign-in for embedded authentication
  • New compact login theme optimized for popup windows (500x700)
  • SDK v0.9.0 with PopupSignIn component for Next.js
  • postMessage-based auth code relay for seamless integration
FeatureImprovement

Agent Hardening (Sprint 11)

  • Agent kill switch for instant revocation
  • Human-in-the-loop (HITL) approval flows
  • Just-in-time (JIT) credential provisioning
  • Rich Authorization Requests (RAR) support
  • Workload Identity Federation (WIF)
  • Intent metadata for agent actions
FeatureBreaking ChangeSDK v0.8.0

Google Model Migration

  • All apps now redirect to auth.zewstid.com for authentication
  • Removed ROPC password grant (all auth via OAuth redirect)
  • SDK v0.8.0 with breaking changes (removed createZewstIDHandlers, embedded SignIn)
  • Cross-portal SSO via browser session cookies
  • Custom identity provider image with SPIs and themes baked in
Fix

Security Fixes

  • Fixed rate limiter counter bug in Redis pipeline parsing
  • Fixed password reset token race condition with atomic GETDEL
  • Fixed webhook SSRF vulnerability with URL validation
  • Added role-based access control to admin dashboard
  • Fixed MFA cookie bypass with HMAC-signed tokens