# Developer Changelog
RSS Feed, Atom Feed, JSON Feed
- Directory API
DEPRECATED: /blacklisted_access_tokens
Action required UpdateThe API endpoints
GET/POST /blacklisted_access_tokensis deprecated and got renamed toGET/POST /revoked_access_tokens. The attribute also got renamed torevoked_token_ids. The old API endpoints get deleted on the 1st of August.
Further Reading: Directory API Reference Revoked Access Tokens - Directory API
DEPRECATED: site_id in machines
Action required UpdateThe site is now part of machine ownership and should therefore be set together via
machines/{machine_id}/ownership. That is why we now also offer a PATCHmachines/{machine_id}/ownershipso that the site ID can be changed.
We will allow the site to be set in the machine until April 6, 2020. After that, setting the site will only be possible in the ownership.
Further Reading: Directory API ReferencePOST /machines/{machine_id}/ownership - Directory API
OAuth Credentials: Name and description
New UpdateFrom now on, a non-public description can be added when creating or modifying OAuth credentials.
In addition, a name with a maximum of 4 characters can optionally be added. This extends the audience (aud) of the JSON Web token. If the audience wasmy_appit can now also bemy_app/{credentials_name}if a name is given. The name must be unique within your app. However, other apps may have the same name, so you need to check the app name as well.
If you want to test your JWT, try our interactive JWT Verifier. - Directory API
In Redirect Flow and Device Flow an organization can be pre-selected
New UpdateIt is now allowed to pass an Organization ID in Redirect Flow and Device Flow, so the user does not have to select the organization in Zaikio.
The organizational ID is then passed as a scope as in Client Credentials Flow. For example:Org/5345a2a-8786-5b46-a1e2-516658fde390.directory.organization.r
It is only possible to set organizations where the current user is also the admin. - Directory API
API returns if email of person was confirmed
New UpdateWe already return the email in our API. In addition, there is a new attribute
email_confirmed, which indicates whether the user has confirmed the given email. No emails should be sent or the identity should be confirmed based on an email as long as this email has not also been confirmed. - Directory API
Person Bearer: Restrictions on sites and machines
Action required UpdateIf you use an Access Token with Person Bearer, it is no longer possible to perform every action for security reasons. If the bearer is a normal member of an organization (not an admin) then it is no longer possible:
-POST /machines​/{machine_id}​/machine_ownership
-POST /sites
-PATCH /sites/{site_id}
If these requests now fail a 403 Forbidden is returned. Every other endpoint works as before. If an admin is the bearer, there is no change. - Directory API
First name can be null
Action required UpdateSince many countries do not have first names, we are now making this field optional for all members. This means in the API response the
first_namecan benull. We recommend to always use thefull_nameto display a name. - Directory API
New: Create Organizations
NewIt is now possible to create new organizations with a Person Access Token. For this purpose the new scope
directory.organizations.wis required. The current user will then automatically become the owner of the organization.
In addition, the app that issued the token will connect directly with desired OAuth Scopes and Event Subscriptions from the directory. This means that after creation you can directly request an Organization Access Token via the Client Credentials Flow.
Further Reading: Directory API ReferencePOST /person/organizations - Directory API
New: Revoke OAuth Access Tokens
NewYou can now use our new security feature to revoke OAuth Access Tokens. If an access token is accidentally leaked, you should revoke it immediately.
Further Reading: Directory API ReferencePOST /blacklisted_access_tokens - Directory Events
New: Loom events for member lifecycle events
NewWe now offer 3 new Loom events. Furthermore it is now possible to access a single membership via the API using the UUID.:
directory.member_joined
directory.member_roles_updated
directory.member_left
Further Reading: Receiving Events with Loom, Reference of Directory Events - Directory API
New: sites write OAuth Scope and endpoint
New UpdateYou can now also create and update sites using the directory API. To do this, you need one of the new OAuth scopes such as
directory.sites.wordirectory.sites.rw.
Further Reading: Directory API Reference - Directory API
New: sites read OAuth Scope
New UpdateThe directory now offers a new OAuth Scope called
directory.sites.rwhich can only read information from the sites.
A new endpoint has also been added to return information of a single page (/api/v1/sites/{site_id}).
Also, addresses can now be retrieved for each site if they have been added.
Furthermore, thesite_idis now also returned for the machines, if a site has been assigned to the machine.
Further Reading: Directory API Reference - Directory API
Users can not connect to foreign and unreviewed Apps in production
Action required UpdateIt is no longer allowed for users to connect to any App in production environment. As the zaikio platform we have to make sure that all apps comply with our security standards and that malicious apps do not connect.
However, organizations and members can connect to self-created apps at any time (i.e. the vendor is the own organization). In addition, all apps can connect in the sandbox environment, since no sensitive data is stored there.
In order for your app to be available in production, you have to bring your app into the review process (this can be done on the detail page of your app). In order for us to activate the app, however, it should be usable (i.e. you provide a redirect flow and/or an API with appropriate documentation). For this purpose we will contact you. - Directory API
Person: new attribute unit_system and locale en-US
New UpdateThe person endpoint now returns a new attribute named
unit_system. This can be eithermetricorimperial. Each person can manage this setting themselves.
There is also a new locale that the user can select:en-US. This new locale can be used to display different date formats, for example.
Further Reading: Directory API Reference - Directory API
Country code and currency for all organization and person responses
NewFrom now on, all responses from organisations and persons will contain a
country_codeand acurrencyattribute, the currency attribute being derived from the country code. The attributes can benullif the country was not provided by the organisation or person.
Further Reading: Directory API Reference - Directory Events
New Connection Lifecycle Loom Events
NewWith our new Loom Events it is now possible to be notified when a connection has been established or revoked. In addition, we now send a new event when an access token is revoked. It is recommended to use this event for security reasons.
Further Reading: Receiving Events with Loom, Reference of Directory Events - Loom API
Loom API migrated to loom.zaikio.com
Action required UpdateThe Loom event changed its domain to
loom.zaikio.com(respectivelyloom.sandbox.zaikio.comfor the sandbox environment). - Directory API
JWT Issuer (iss) changes from CP to ZAI
Action required UpdateJSON web tokens created by the directory are now issued by
ZAI, before it wasCP. Since you most likely do not work with this attribute, nothing needs to be done. - Directory API
New connections endpoint and connected attribute
NewIt is now possible to retrieve all connections for an app. To do this, a GET request must be made to
/api/v1/connectionsor/api/v1/connections/Person-abc-def-ghi. This request must be authenticated by Basic Auth (the Client Id must be the username and the Client Secret the password, this is only possible if the credentials are confidential).
Additionally, there is theconnectedattribute in all API replies sent. So it is for example possible to see via a GET/api/v1/personrequest which organizations of the person are already connected to the app that requested the access token. Please check the Directory API Reference for more details. - Directory API
Event Webhook URL is now managed in the App configuration
Action required UpdateIn the past each Event Subscription had to define its own Webhook URL. Now each App needs to define only one Webhook URL in its configuration and this Webhook URL will be used to deliver all Events.
Note: At the moment this Webhook URL is only required when you want to add an Event Subscription to your App. In the future there will be events types that sent to all Apps and Apps will not need to explicitly subscribe to these event types. Therefore we will need to require all Apps having a Webhook URL soon. - Directory API
Client Credentials Flow: The bearer must first grant access to the app
Action required UpdateRequested scopes by the Client Credentials Flow must be granted beforehand, otherwise the scope error
ungranted_scope(see scope errors) will be returned.
This means that the person or organization must have successfully accepted the scopes in advance through a Redirect Flow (or through the Device Flow) for this app.
This authorization can also be done later directly through the Directory App (via Connections), if the App has been approved by the Zaikio Team. If you want to participate, please contact us directly. - Directory API
OAuth Scopes in directory are limited to certain bearer types
Action required UpdateAs documented in the Directory API Reference these directory some scopes will only be available for certain Bearer types (otherwise an
unavailable_scope_for_bearer_typeerror will be returned):
directory.person.r=> only forPerson
directory.organization.r,directory.organization_members.r=> only forOrganization
This does not change the functionality, as these scopes will not work with another Bearer type. - Directory API
Accept only desired scopes
Action required UpdateRequested scopes must be created as
Desired Scopesin the directory app, otherwise a new scope errorscope_is_not_included_in_desired_scopes(see scope errors) is returned. - Directory API
Delegations only usable for confidential clients
Action required UpdateThe Delegation access flow only accepts access tokens to delegate that were created with OAuth confidential credentials. If you try to access this endpoint without an access token that was created with OAuth confidential credentials, it will return from now on a 403 (Forbidden).
- Loom API
Events require valid subject
Action required UpdateFrom now on it is required that the JSON body includes a valid
subjectwhen posting events to the Loom API. The `subject identifies the Person or Organization in which context the event was triggered. The event will only be delivered to Apps that are connected to the subject and that have granted access to the specific event type. Read more - Directory API
On behalf of Person for Client Credentials Flow released
NewThe Client Credentials Flow provides now the option of issuing a token for an organisation, which also references a person and specifies their roles in the context of this organisation in the JWT. Read more
- Directory API
Private apps take effect
Action required UpdateFrom now
Privateapps can only be accessed by the organisation that created the app, or any of it's members. If you want everybody to be able to access your app please switch toExternalin the app's details pane. - Directory API
Scope Restriction
Action required UpdateScopes for all Directory API endpoints will now take effect. If you don't send the right scopes yet, please check the Directory API Reference. You find a list of scopes and bearers that are required for each endpoint.
- Directory API
Roles endpoint
NewYou can now access the public endpoint
GET /rolesto view all roles. Please check the Directory API Reference for more details. - Directory API
Organization endpoint
NewYou can now access
GET /organizationto view an organization's name and other meta data. Please check the Directory API Reference for more details.