Changelog

This page lists every meaningful change to the Public API surface. Additive changes (new fields, new endpoints, new optional parameters) ship without a version bump; breaking changes ship as a new major version (/v2/) and are announced here well in advance.

Each entry tags whether it is:

• Added — new endpoint, field, scope, or event
• Changed — behaviour modified in a backwards-compatible way
• Deprecated — still works, but slated for removal in a future major
• Removed — endpoint or field gone (only in a major bump)
• Fixed — bug fix that changes observable behaviour
• Security — hardening worth flagging to integrators

2026-06-01

Security — openapi.json, /docs (Swagger UI), and /redoc are now disabled in production. The Lynkist backend hosts internal, dashboard and Public API routers in a single FastAPI process, so a public OpenAPI document would enumerate every internal route, request schema, and field name. A filtered, public-API-only OpenAPI explorer is on the roadmap. In dev/staging the explorers continue to work.

Added — First comprehensive Developer Hub release, covering the existing API surface:

• Per-resource API reference pages: Contacts, Templates, Messages, Media, Campaigns, Webhook management.
• Rate Limits page documenting per-plan quotas and the five X-RateLimit-* headers emitted on every response.
• Authentication rewritten with the real key format (lk_sk_{env}_{40-hex}), the 12-scope catalogue, the 4 preset bundles, and IP-allowlist behaviour.
• Webhooks rewritten with the real 22-event catalog (contacts, follow-ups, messages, campaigns, lifecycle), the actual signature recipe (sha256(secret, "{ts}.{body}") → sha256=<hex>), the five X-Lynkist-* headers, and the real retry curve (1m / 5m / 30m / 2h / 6h, then abandon).
• Errors rewritten to document the real {"detail": …} response envelope (string in most cases, object form on scope denial).

Earlier

Prior to this release, the Public API surface evolved in lockstep with the dashboard and was documented only in code. The endpoint catalogue documented today reflects the deployed surface as of 2026-06-01.

Anything older than the dates above is not separately enumerated — open a GitHub issue if you need a specific historical confirmation.

Roadmap (not yet shipped)

These are tracked elsewhere; this list is included to set expectations and reduce duplicate support questions. Dates are not committed — they shift.

• Template approval webhooks (template.approved, template.rejected, template.disabled). The events exist in the catalogue plan but the domain code does not emit them yet.
• Per-resource OpenAPI explorer. A FastAPI sub-app containing only public_api_router, mounted at a public URL with Swagger UI.
• Live plan-tier resolution. Today every tenant gets the default (60/min, 1000/day) budget; the wiring from billing to get_rate_limits_for_tenant is queued.
• Cursor-based pagination for list endpoints. Offset pagination works fine at current scales but will start to bite once tenants cross seven-figure object counts.
• OAuth-style delegated access for third-party integrations operating across multiple tenants.
• Conversations API — read inbound messages and reply within the 24-hour session window from the API.

If something here is blocking your integration, mention it in a support ticket — concrete demand moves dates.