Release Notes

Full changelog for all Raidiam Connect versions.

Upcoming Breaking Changes

Future changes that may require action on your end. Review and plan ahead.

Organisation and software statement certificate endpoints replaced by key-material

v2.5.0, Q3 2026

Certificate creation endpoints for both organisations and software statements have been replaced by a new key-material API. Consumers must migrate to the new endpoints before upgrading.

Removed:

  • POST /organisations/{OrganisationId}/softwarestatements/{SoftwareStatementId}/certificates/{SoftwareStatementCertificateOrKeyType}
  • GET /organisations/{OrganisationId}/certificates
  • POST /organisations/{OrganisationId}/certificates/{OrganisationCertificateType}

Replaced by:

  • GET /organisations/{OrganisationId}/key-material — list key material for an organisation
  • POST /organisations/{OrganisationId}/key-material — create new key material
  • GET /organisations/{OrganisationId}/key-material/{KeyMaterialID} — retrieve a specific key material item
  • PUT /organisations/{OrganisationId}/key-material/{KeyMaterialID} — update a key material item
  • GET /organisations/{OrganisationId}/key-material/{KeyMaterialID}/attachments — list attachments
  • POST /organisations/{OrganisationId}/key-material/{KeyMaterialID}/attachments — add an attachment
  • GET /organisations/{OrganisationId}/key-material/{KeyMaterialID}/attachments/{KeyMaterialAttachmentID} — retrieve an attachment
  • PUT /organisations/{OrganisationId}/key-material/{KeyMaterialID}/attachments/{KeyMaterialAttachmentID} — update an attachment

Note: Existing keystore endpoints will be preserved during this transition to ensure backwards compatibility.
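
To find integrations that still call the removed endpoints before upgrading, the following added example (not part of the Raidiam release notes or tooling) matches request-log lines against the "Removed" list, taking the HTTP method into account. The log line format, client names, IDs and the `type-x` value are constructed assumptions.

```python
import re

# Endpoints listed under "Removed" above, as (method, path template).
REMOVED = [
    ("POST", "/organisations/{OrganisationId}/softwarestatements/{SoftwareStatementId}"
             "/certificates/{SoftwareStatementCertificateOrKeyType}"),
    ("GET", "/organisations/{OrganisationId}/certificates"),
    ("POST", "/organisations/{OrganisationId}/certificates/{OrganisationCertificateType}"),
]

def template_to_regex(template):
    """Compile a {Placeholder} template; each placeholder matches one path segment."""
    literals = re.split(r"\{[^}]+\}", template)
    body = "[^/?#]+".join(re.escape(part) for part in literals)
    # Tolerate a trailing slash and a query string, nothing else.
    return re.compile("^" + body + r"/?(?:\?.*)?$")

RULES = [(method, tpl, template_to_regex(tpl)) for method, tpl in REMOVED]

def removed_endpoint(method, path):
    """Return the removed template a call matches, or None if it is unaffected."""
    for rule_method, tpl, regex in RULES:
        if method.upper() == rule_method and regex.match(path):
            return tpl
    return None

def scan(lines):
    """Assumed line format: '<timestamp> <client> <METHOD> <path> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4:
            tpl = removed_endpoint(fields[2], fields[3])
            if tpl:
                hits.append((fields[1], fields[2], tpl))
    return hits

# Constructed sample log; client names, IDs and "type-x" are placeholders.
SAMPLE = [
    "2026-01-10T09:00:01Z client-a GET /organisations/org-1/certificates?page=2 200",
    "2026-01-10T09:00:02Z client-b POST /organisations/org-1/certificates/type-x 201",
    "2026-01-10T09:00:03Z client-b POST /organisations/org-1/softwarestatements/ss-1/certificates/type-x 201",
    "2026-01-10T09:00:04Z client-c GET /organisations/org-1/key-material 200",
    "2026-01-10T09:00:05Z client-c POST /organisations/org-1/certificates 405",
]

if __name__ == "__main__":
    for client, method, tpl in scan(SAMPLE):
        print(f"{client}: {method} {tpl} is removed in v2.5.0; migrate to key-material")
```

Only method and path combinations that appear in the "Removed" list are flagged, so calls to the new key-material endpoints pass through untouched.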
2.4.0

Latest

This release introduces expanded audit capabilities, new certificate authority lifecycle management, and richer grant and token handling. It also delivers responsive interface improvements and clearer administrative workflows, alongside fixes addressing error handling, form validation, and data consistency.

New features

Date-based sorting for audit log endpoint

New Feature

The audit log endpoint now fully implements the sort parameter:

  • Enables consumers to retrieve audit records sorted by date
  • API clients can now rely on deterministic ordering when querying audit history

External document links and regulatory document types supported for organisations

New Feature

Organisations can now register and manage links to external documents:

  • New Regulatory Documents tab in the UI with dedicated API endpoints
  • Each document captures: document type, a validated HTTPS URI, and an optional description
  • New Regulatory Document Types tab in Reference Data for administrators
  • Read-only users see the list without edit controls
  • Disabled by default — can be enabled per request

Certificate Authorities management in Reference Data

New Feature

A new Certificate Authorities section is available in Reference Data with full lifecycle management:

  • Create, view, update, enable and disable root CAs including PEM upload or paste
  • Unified wizard that auto-detects certificate type (root only, root with intermediate, or intermediate referencing an existing root)
  • Interactive node graph visualising the trust chain hierarchy
  • Edit the Name of a Root CA or the Chain Name of an Intermediate CA directly
  • The Intermediates tab supports View, Enable, and Disable actions with confirmation dialogs
  • Wizard correctly resumes from the intermediates step on retry without re-creating the root CA
  • Hierarchical mTLS trust constraints enforced
  • Validation covers duplicate detection, invalid file formats, and required contact fields

Audit log visibility for organisations

New Feature

Organisation records now expose an audit trail:

  • Consistent with existing audit functionality available for applications
  • Users with appropriate permissions can review a chronological history of changes made to an organisation

Organisation name added to /clients endpoint response

New Feature

The /clients endpoint response now includes an organisation_name field:

  • Populated from the organisation record
  • Allows identity providers to display the organisation name associated with a client
  • Supports distributor and representative model use cases

Audit history for application certificates, organisation roles, and organisation domains

New Feature

Audit history is now available for:

  • Application certificates — navigate between applications using a primary switcher and between certificates (identified by key type and KID) using a secondary switcher
  • Organisation roles — switcher allows navigation by role name to review historical changes
  • Organisation domains — switcher allows navigation by domain name

Token endpoint now returns grant_id value

New Feature

The /token endpoint response now includes a grant_id field:

  • Available for code exchange and refresh token flows
  • Allows TPPs to retrieve user consents even after tokens are revoked
  • Included by default — can be disabled per environment via grant_id_in_token_response=false
  • Existing token response structures and flows are unaffected

Generic grant revocation endpoint with soft-delete

New Feature

A new generic endpoint for grant revocation is now available:

  • Operates independently of specific consent flows
  • Grants are soft-deleted on revocation, preserving history and reason (e.g. TPP-initiated, refresh token reuse, session end)
  • Configurable TTL-based expiry
  • Access tokens: 1-hour lifetime; refresh tokens and grants: 100-year lifetime

Note: A migration is required to create or drop TTL indexes depending on the soft deletion configuration.

Audit endpoint supports server certification and server roles resource types

New Feature

The audit API now supports additional resource types:

  • authorisationServerCertification resource type
  • Server roles and API resources audit tracking
  • Query using standard parameters: actionType, organisationId, resourceId, performedBy, and date range filters

Previously, requests using the server certification resource type returned a 'resource type not implemented' error.

Enhancements

DELETE replaces PUT for removing server resources

Enhancement

The Directory UI now uses HTTP DELETE when removing authorisation servers, API resources, and server certifications, replacing the previous behaviour of calling PUT with a status of Inactive.

  • This change is internal to the UI
  • No action required from API consumers or integrators

Responsive wizard layout across device sizes

Enhancement

Multi-step wizards now adapt their layout to the user's screen size:

  • Mobile: step numbers only
  • Small laptops: step numbers with hover tooltips for step names
  • Larger screens: full step labels displayed

Authority deactivation error includes bound domain IDs

Enhancement

When attempting to deactivate an Authority still bound to active authorisation domain mappings, the API error response now includes the IDs of all bound domains.

  • Allows administrators to identify and remove the relevant mappings before retrying

API auto-fill now uses endpoint regex format

Enhancement

The API auto-fill behaviour has been updated to fetch the registered endpoint regex format for the relevant API family, rather than the API family version.

  • Ensures auto-populated values more accurately reflect the expected endpoint structure

Bug fixes

Invalid UUID path segments return 400 not 500

Bug Fix

Path segments expected to be UUIDs now return a clean 400 Bad Request instead of an unhandled 500 Internal Server Error.

Affected endpoints:

  • Authorisation server ID
  • Software statement ID
  • Domain user ID

Reactivation email no longer sent for already-active users

Bug Fix

Previously, sending a PUT request to set an organisation administrator's status to Active would trigger a reactivation email even if the user was already active.

  • The API now checks the user's current status and suppresses the email when no state change has occurred

Optional fields no longer submitted as empty strings

Bug Fix

When creating an authorisation server, optional fields that were edited and then cleared would be submitted as empty strings, causing an API error.

  • These fields are now correctly omitted from the request payload when left blank

Duplicate user creation under concurrent requests handled correctly

Bug Fix

A race condition could cause duplicate key violations when multiple requests attempted to initialise the same user simultaneously.

  • The platform now correctly handles this scenario and returns a 400 Bad Request response instead of an unhandled server error

Audit entries now generated for updated API resources

Bug Fix

Audit records were not being created when API Resources were updated, causing the audit endpoint to return empty results.

  • All update operations on API Resources now consistently produce audit entries retrievable via the audit API

Flags now included in replicated directory snapshots

Bug Fix

Flag values were missing from directory snapshot data replicated to Open Finance consumers.

  • Flags are now correctly returned for organisations, authorisation servers, and software statements in line with the published API specification

IDP configuration UI shows accurate API error messages

Bug Fix

When creating a new IDP configuration fails, the UI previously displayed a generic error rather than the meaningful error returned by the API.

  • The error message displayed now reflects the actual API response, giving administrators clear guidance on what needs to be corrected

2.3.0

2.2.0

2.1.0

2.0.0