API Changelog
Changes to the Align Public API v1. This log is updated with every change. Breaking changes are not introduced within v1 — they ship under /api/v2. All changes listed here are additive.
Convention for contributors: add a new ## YYYY-MM-DD section at the top of this file with a brief description of the change. Reference the internal task number in parentheses where applicable.
2026-06-04
Added — Entry deployment stage tracking (ALN-64)
- Entry response objects now include a
deploymentStagefield ("testing"|"staging"|"production"|null). The field is set automatically by the Railway deployment webhook or the GitHubdeployment_statuswebhook when a matching entry is deployed to a tracked environment. It is read-only via the API —deploymentStageis ignored inPOST /api/v1/projects/:id/entriesandPATCH /api/v1/entries/:idbodies.
Added — MCP server compliance (ALN-59, ALN-60, ALN-67)
GET /.well-known/oauth-protected-resource— returns RFC 9728 OAuth Protected Resource metadata. Used by MCP clients (Claude.ai, CODEX) to discover the token endpoint before connecting.GET /mcp/privacy— redirects to the Align privacy policy. Required for CODEX marketplace listing.- All 22 MCP tools now carry OpenAPI-compatible tool annotations (
title,readOnlyHint,openWorldHint,destructiveHint). Clients that support tool annotations can use these to surface safe-for-automation indicators in their UI. - MCP endpoints now enforce an origin allowlist and return
403 Forbiddenfor requests from unlisted origins.
2026-05-14
Added — Release Evidence signing key management
GET /api/settings/evidence-key— returns whether a signing key is configured and its key prefix (evk_<prefix>). Requires admin role.POST /api/settings/evidence-key— generate (or rotate) the organisation-level HMAC signing key for release evidence packages. Issuing a new key automatically revokes the previous one. The full key (evk_<64hex>) is returned once; store it in your secrets manager immediately.- Evidence responses now include
X-Align-Evidence-Signature: sha256=<hex>andX-Align-Evidence-Key-Prefix: evk_<prefix>headers when a signing key is configured.
Note: These endpoints are session-authenticated platform-settings routes (
/api/settings/) — they are not part of the public v1 API and do not appear in the OpenAPI spec. They are accessible to org admins via the Align web app only.
2026-05-10
Added — Snapshot (report) endpoints (Task #303)
GET /api/v1/projects/:id/snapshots— list report snapshots for a project, paginated. Each snapshot includesnarrativeSource('ai'or'template') and the generated summary text.
The narrativeSource field indicates whether the executive summary was produced by GPT-4.1 or fell back to the template generator (e.g. when the AI provider is unavailable or the prompt was redacted).
Note: Individual snapshot retrieval (
GET /api/v1/snapshots/:id) is not yet available in the public API. Use the project list endpoint and filter client-side byid.
2026-05-07
Added — Wiki page endpoints (Task #302)
GET /api/v1/projects/:id/wiki-pages— list wiki pages for a project, paginated.POST /api/v1/projects/:id/wiki-pages— create a wiki page. Required fields:title. Optional:content(Markdown).GET /api/v1/wiki-pages/:id— retrieve a single wiki page with full Markdown content.PATCH /api/v1/wiki-pages/:id— update title or content.DELETE /api/v1/wiki-pages/:id— delete a wiki page.
2026-05-03
Added — Agreement endpoints (Task #301)
GET /api/v1/projects/:id/agreements— list agreements for a project, paginated. Returnsid,title,status, andcreatedAt.GET /api/v1/agreements/:id— retrieve a single agreement's metadata (does not return the signed document binary).
Note: Agreement creation and sending require the Dropbox Sign integration to be configured. Creating agreements via the API is not yet supported in v1.
2026-04-28
Added — Audit event endpoints (Task #300)
GET /api/v1/audit-events— list audit events across the organisation, paginated. SupportsentityType,action, andactorIdquery filters.GET /api/v1/projects/:id/audit-events— list audit events scoped to a specific project.
Audit events include actorType: 'api_key' and apiKeyId in metadata when the action was performed via an API key.
2026-04-21
Added — User list endpoint (Task #299)
GET /api/v1/users— list users in the organisation, paginated. Returnsid,name,email,role,organizationId, andcreatedAt. Sensitive fields (password hash, MFA secrets) are excluded.GET /api/v1/users/:id— retrieve a single user.
Organisation-scoped keys see all users. Project-scoped keys see only members of their scoped project.
2026-04-15
Added — Global search endpoint
GET /api/v1/search?q=<query>— search across projects, entries, releases, and wiki pages. Returns up to 25 results withtype,id,title,projectId, andurlfields.
2026-04-10
Added — Outbound webhook subscriptions
GET /api/v1/webhooks— list webhook subscriptions.POST /api/v1/webhooks— create a subscription.hmacSecretis returned once on creation.PATCH /api/v1/webhooks/:id— updatedestinationUrl,eventNames,enabled, ordescription.DELETE /api/v1/webhooks/:id— delete a subscription.POST /api/v1/webhooks/:id/rotate-secret— rotate the HMAC secret; new secret returned once.
2026-04-01
Added — Release evidence endpoint
GET /api/v1/releases/:id/evidence— retrieve a structured evidence package for a release, including the approval chain, quality checklists, entry summary, and GitHub evidence (commits, PRs, CI results).
2026-03-20
Added — Core resource endpoints (initial v1 launch)
Initial set of endpoints released:
GET /api/v1/me— API key identityGET|POST /api/v1/projects— list and create projectsGET|PATCH|DELETE /api/v1/projects/:idGET|POST /api/v1/projects/:id/entries— list and create entriesGET|PATCH|DELETE /api/v1/entries/:idGET|POST /api/v1/entries/:id/commentsGET|DELETE /api/v1/comments/:idGET /api/v1/entries/:id/attachmentsGET|POST /api/v1/projects/:id/releasesGET|PATCH|DELETE /api/v1/releases/:id