Changelog

Public API changes, new features, and notable fixes. We follow semantic versioning — breaking changes only ship with a major version bump.
v1.0.0 2026-04-20 Launch

First public release. TrustFlow is live at api.trust-flow.dev.

  • Core endpointPOST /v1/evaluate with 7 risk factors, SCA logic, and per-tenant rules.
  • Multi-tenancy — Isolated state, rate limits, and rules per API key.
  • Agent identity — Ed25519, HMAC, and JWS verification with trusted issuer registry (POST /v1/identity/*).
  • Webhooks — HMAC-SHA256 signed delivery with exponential backoff retry.
  • Dashboard — Live metrics, transaction explorer, and rule editor at /dashboard.
  • SDKs — Python and Node.js with automatic retries and typed responses.
  • Compliance — PSD2/SCA thresholds, full audit trail via trace_id, GDPR data export endpoints.
v0.9.0 2026-04-15 Beta

Closed beta with design partners.

  • Added — Stripe billing integration for usage-based metering.
  • Added — GraphQL endpoint at /v1/graphql for complex querying of transactions and usage.
  • Added — Sandbox keys (tf_test_*) with deterministic responses for CI pipelines.
  • Improved — Evaluate p50 latency reduced from 38ms to 22ms.
v0.8.0 2026-04-08 Improved Security
  • Security — Per-tenant trusted issuer registry (previously global). Cross-tenant issuer collisions are now impossible by construction.
  • Improved — Signup is rate-limited per IP (5/hour, 10/day) to prevent enumeration attacks.
  • Added — API key rotation at POST /v1/auth/rotate with 5-minute grace period for old key.
  • Added — HSTS, CSP, and strict CORS in all responses.
v0.7.0 2026-04-01 Added
  • Added — Batch evaluate at POST /v1/evaluate/batch (up to 100 transactions per call).
  • Added — Rules engine with custom conditions: amount ranges, category allowlists, time-of-day, velocity buckets.
  • Added — SSO via SAML/OIDC for the dashboard (enterprise plan).
  • Improved — Audit log retention extended to 90 days on the Pro plan.
v0.6.0 2026-03-22 Added
  • Added — Webhook delivery engine with HMAC-SHA256 signing and 5-retry exponential backoff.
  • Added — Events: transaction.evaluated, transaction.declined, sca.required, rule.triggered.
  • Added — Circuit breaker per webhook — auto-disables after 5 consecutive failures.
v0.5.0 2026-03-10 Added
  • Added — Agent identity verification: Ed25519 signing, JWS (RS256/ES256/EdDSA), HMAC-SHA256.
  • Added — Risk bonus for verified agents (score reduction scaled by issuer trust).
  • Added — Built-in SDK helpers for signing canonical payloads (sdk/trustflow/agent_identity.py).

Older versions (v0.1–v0.4) predate the public repo. See the GitHub release history for details once open-sourced.

Subscribe to changes

We publish release notes here and via email to all tenants. For machine-readable updates, poll GET /health — the version field reflects the deployed API version.