API Changelog

All notable changes to the Qarion REST API are documented here. Each entry is tagged with one of:

Tag	Meaning
🔴 breaking	Backwards-incompatible change — update your integration
🟢 added	New endpoint or field
🟡 changed	Non-breaking behaviour change
⚪ deprecated	Scheduled for removal in a future release
🔵 fixed	Bug fix in an existing endpoint

2026-03-02

🔴 breaking — API Versioning

All API endpoints are now served under the /api/v1.0/ prefix. Legacy unversioned paths remain functional via automatic deprecation redirects (308 Permanent Redirect) but will be removed in a future release.

All endpoints are now available at /api/v1.0/{path}.
Legacy paths (e.g., /auth/login) redirect to /api/v1.0/auth/login.
SDK and frontend clients have been updated to use versioned URLs.

🟢 added — AI Feedback Endpoints

New endpoints for collecting and analyzing user feedback on AI-generated suggestions.

POST /ai-feedback — submit feedback (any authenticated user).
GET /ai-feedback/stats — aggregated acceptance rates by feature (superadmin).
GET /ai-feedback/export — export all feedback as CSV or JSON (superadmin).
GET /ai-feedback — paginated feedback list (superadmin).
See the AI Feedback API Reference for details.

🟢 added — Anomaly Explanation

POST /alerts/{id}/explain — generate an AI-powered root-cause hypothesis for anomaly/trend alerts.
Gathers context signals from sync events, upstream anomalies, quality failures, and schema drift.
Results are cached in alert metadata.

🟢 added — AI Literacy Tracking Fields

User model now includes ai_literacy_status, ai_literacy_program, ai_literacy_completion_date, and ai_literacy_next_renewal fields.
PATCH /users/{id} and GET /users/{id} include the new fields.
Inbound webhook endpoint updates literacy status automatically from LMS completions.

🟢 added — Operations Logging Governance

Product model now includes logging_event_types, logging_last_reviewed, and logging_notes fields for AI system products.
Logging governance data is linked as evidence in conformity assessments (Article 12).

🟢 added — Pivot Table Queries

Visual Pivot Table Builder in the Query Editor generates pivot SQL with rows, columns, values, and filters.
POST /query/execute now accepts pivot configurations in the visual query config.

2026-02-17

🟢 added — Rate Limiting

Global rate limiting is now enforced on all API endpoints.

Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers.
Requests exceeding the limit receive a 429 Too Many Requests response with a Retry-After header.
API keys support configurable rate limit tiers (standard, premium, internal).
See the Rate Limiting Guide for details.

🟢 added — API Key Rate Limit Tier

POST /api-keys/me/api-keys now accepts an optional rate_limit_tier field.
PATCH /api-keys/me/api-keys/{key_id} allows updating the tier.
GET /api-keys/me/api-keys response now includes rate_limit_tier.

2026-02-16

🟢 added — SSO & Identity Provider Integration

GET /sso/providers — list configured SSO providers.
POST /sso/providers — register a new SAML/OIDC provider.
GET /sso/callback — SSO authentication callback.
SCIM 2.0 provisioning endpoints under /scim/v2/.

🟢 added — Source System Deletion

DELETE /spaces/{slug}/source-systems/{id} — delete a source system with cascade unlinking of connectors.

🟡 changed — Connector Creation Response

The post-creation banner for quality connectors now correctly prompts users to set up data quality checks instead of suggesting a sync run.

🔵 fixed — JWT Token Refresh

POST /auth/refresh — new endpoint for silent JWT token refresh.
The frontend API client now automatically retries requests on 401 after refreshing the token.

🔵 fixed — Timezone Handling

expire_product_access now uses timezone-naive datetimes when interacting with TIMESTAMP WITHOUT TIME ZONE columns, fixing intermittent DataError exceptions.

🔵 fixed — SLA Freshness Check

check_sla_freshness task now gracefully handles contracts with NULL sla_minutes values instead of raising a TypeError.

2026-02-15

🟢 added — Onboarding Checklist & Guided Tours

Floating onboarding checklist widget with progress tracking.
Contextual tooltips anchored to UI elements on hover.
Admin guided tour (sequential multi-step tooltips).
Dismissible inline hint banners integrated with onboarding context.

🟢 added — Impersonation

POST /admin/impersonate/{user_id} — impersonate a user (superadmin only).
Impersonation tokens are blocked from sensitive routes (API key management, credential changes, token refresh).

🟢 added — Permission Export & Import

GET /admin/permissions/export — export permission rules as JSON.
POST /admin/permissions/import — import permission rules from JSON.

🟢 added — Cross-Instance SSO

Users can authenticate once and access multiple instances without re-login.

Staying Up to Date

Subscribe to the Qarion status page for real-time notifications about API changes and incidents.

2026-03-02​

🔴 breaking — API Versioning​

🟢 added — AI Feedback Endpoints​

🟢 added — Anomaly Explanation​

🟢 added — AI Literacy Tracking Fields​

🟢 added — Operations Logging Governance​

🟢 added — Pivot Table Queries​

2026-02-17​

🟢 added — Rate Limiting​

🟢 added — API Key Rate Limit Tier​

2026-02-16​

🟢 added — SSO & Identity Provider Integration​

🟢 added — Source System Deletion​

🟡 changed — Connector Creation Response​

🔵 fixed — JWT Token Refresh​

🔵 fixed — Timezone Handling​

🔵 fixed — SLA Freshness Check​

2026-02-15​

🟢 added — Onboarding Checklist & Guided Tours​

🟢 added — Impersonation​

🟢 added — Permission Export & Import​

🟢 added — Cross-Instance SSO​