API Changelog

All notable changes to the Qarion REST API are documented here. Each entry is tagged with one of:

Tag	Meaning
🔴 breaking	Backwards-incompatible change — update your integration
🟢 added	New endpoint or field
🟡 changed	Non-breaking behaviour change
⚪ deprecated	Scheduled for removal in a future release
🔵 fixed	Bug fix in an existing endpoint

2026-02-17

🟢 added — Rate Limiting

Global rate limiting is now enforced on all API endpoints.

Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers.
Requests exceeding the limit receive a 429 Too Many Requests response with a Retry-After header.
API keys support configurable rate limit tiers (standard, premium, internal).
See the Rate Limiting Guide for details.

🟢 added — API Key Rate Limit Tier

POST /api-keys/me/api-keys now accepts an optional rate_limit_tier field.
PATCH /api-keys/me/api-keys/{key_id} allows updating the tier.
GET /api-keys/me/api-keys response now includes rate_limit_tier.

2026-02-16

🟢 added — SSO & Identity Provider Integration

GET /sso/providers — list configured SSO providers.
POST /sso/providers — register a new SAML/OIDC provider.
GET /sso/callback — SSO authentication callback.
SCIM 2.0 provisioning endpoints under /scim/v2/.

🟢 added — Source System Deletion

DELETE /spaces/{slug}/source-systems/{id} — delete a source system with cascade unlinking of connectors.

🟡 changed — Connector Creation Response

The post-creation banner for quality connectors now correctly prompts users to set up data quality checks instead of suggesting a sync run.

🔵 fixed — JWT Token Refresh

POST /auth/refresh — new endpoint for silent JWT token refresh.
The frontend API client now automatically retries requests on 401 after refreshing the token.

🔵 fixed — Timezone Handling

expire_product_access now uses timezone-naive datetimes when interacting with TIMESTAMP WITHOUT TIME ZONE columns, fixing intermittent DataError exceptions.

🔵 fixed — SLA Freshness Check

check_sla_freshness task now gracefully handles contracts with NULL sla_minutes values instead of raising a TypeError.

2026-02-15

🟢 added — Onboarding Checklist & Guided Tours

Floating onboarding checklist widget with progress tracking.
Contextual tooltips anchored to UI elements on hover.
Admin guided tour (sequential multi-step tooltips).
Dismissible inline hint banners integrated with onboarding context.

🟢 added — Impersonation

POST /admin/impersonate/{user_id} — impersonate a user (superadmin only).
Impersonation tokens are blocked from sensitive routes (API key management, credential changes, token refresh).

🟢 added — Permission Export & Import

GET /admin/permissions/export — export permission rules as JSON.
POST /admin/permissions/import — import permission rules from JSON.

🟢 added — Cross-Instance SSO

Users can authenticate once and access multiple instances without re-login.

Staying Up to Date

Subscribe to the Qarion status page for real-time notifications about API changes and incidents.

2026-02-17​

🟢 added — Rate Limiting​

🟢 added — API Key Rate Limit Tier​

2026-02-16​

🟢 added — SSO & Identity Provider Integration​

🟢 added — Source System Deletion​

🟡 changed — Connector Creation Response​

🔵 fixed — JWT Token Refresh​

🔵 fixed — Timezone Handling​

🔵 fixed — SLA Freshness Check​

2026-02-15​

🟢 added — Onboarding Checklist & Guided Tours​

🟢 added — Impersonation​

🟢 added — Permission Export & Import​

🟢 added — Cross-Instance SSO​