Skip to main content

Changelog

For detailed release history, see the 1clawAI GitHub repositories.

API stability

The /v1 API is stable. Breaking changes would be accompanied by a new version prefix or clear deprecation notices. New optional fields or endpoints are added in a backward-compatible way.

2026-04 (latest)

  • Updated: POST /v1/agents/enrollhuman_email is optional. With email, a pending enrollment is created and Allow/Deny links are sent; the JSON response may include approval_url as a fallback if email is delayed. Name only creates a link-only pending enrollment; the response includes approval_url for the human to open while signed in to approve into their org.
  • Updated: Database migration allows nullable org/user/email on pending_agent_enrollments for link-only rows; global cap on link-only pendings via ONECLAW_MAX_LINK_ONLY_PENDING_ENROLLMENTS (default 100).
  • Updated: CLI agent enroll--email is optional; prints approval_url when returned.
  • Docs: Quickstart for agents, Agent self-onboarding, Give an agent access, OpenClaw.

MPC Secret Storage

  • New: Multi-Party Computation (MPC) secret storage — split secret DEKs across multiple HSM providers so no single provider holds the complete key. Three custody modes: 2of2_client_custody (XOR split, client holds one share), 2of3_multi_hsm (Shamir 2-of-3 across GCP KMS + AWS KMS + Azure Key Vault, fully server-side), 2of3_client_custody (Shamir 2-of-3 with client share).
  • New: POST /v1/vaults/{id}/mpc — enable MPC on a vault (user-only, Business/Enterprise tiers).
  • New: client_share returned in SecretCreatedResponse for client custody modes. Must be stored securely — only returned once. Required via X-Client-Share header on read.
  • New: Crypto modules — mpc_provider.rs (orchestrates split/reconstruct), shamir.rs (Shamir secret sharing over GF(256)), xor_split.rs (XOR 2-of-2), hsm_aws.rs (AWS KMS CryptoProvider), hsm_azure.rs (Azure Key Vault CryptoProvider).
  • New: Database tables vault_mpc_keks and secret_dek_shares (migration 063).
  • New: MPC guide in documentation.

GDPR Data Export

  • New: POST /v1/auth/export-data — authenticated endpoint that returns a JSON archive of the calling user's personal data (profile, org membership, vaults, agents, policies, audit events, shares, billing). For GDPR data portability compliance.
  • Updated: DELETE /v1/auth/me already handles account deletion with cascade cleanup (right-to-erasure).
  • Updated: Compliance documentation now covers GDPR support.

Security hardening (2026-04-15)

  • New: Agent token auto-revocation on policy changes — when an access policy targeting an agent is created, updated, or deleted, all of that agent's active JWTs are automatically revoked via the agent_active_tokens table (migration 066). The agent must re-exchange credentials to get a fresh token with updated scopes. Eliminates stale-scope window.
  • New: KMS key rotation — GCP KMS vault KEKs are now created with a 90-day automatic rotation schedule and next_rotation_time. Existing ciphertext remains decryptable (KMS retains all versions).
  • New: KMS CRC32C verification — all wrap_dek, unwrap_dek, and sign KMS operations now send CRC32C of input data and verify response CRC32C. Detects in-transit corruption or tampering. Added crc32c and prost-types crates.
  • New: Audit insert hardening — migration 067 creates a restricted vault_app database role (no BYPASSRLS) and a SECURITY DEFINER function insert_audit_event. Direct INSERT on audit_events is revoked from vault_app, preventing log fabrication from compromised connections.
  • Fixed: Shroud user-supplied blocked_patterns compiled via RegexBuilder with 256KiB size limit (ReDoS protection).
  • Fixed: x402 facilitator verify now passes actual atomic USDC amounts. Settlement moved before broadcast in submit_transaction.

2026-03

Live demo

  • New: Interactive demo page at 1claw.xyz/demo — three panels (Vault secret retrieval, Shroud prompt injection + secret redaction, Intents TEE transaction signing) with preset buttons, no signup required.

Onboarding wizard improvements

  • Updated: Agent wizard is now 4 steps: register → save credentials → grant vault access (creates read policy) → connection snippets. Ensures agents don't start with zero access.
  • Updated: Vault wizard is now 4 steps: create vault → store secret → grant agent access (creates read policy) → next steps.
  • New: .env import on vault detail page — paste a .env file to bulk-create secrets with configurable path prefix.

Google OAuth JWKS

  • Updated: POST /v1/auth/google now verifies the Google ID token locally via Google's JWKS (RS256 signature, audience, issuer, expiry). Replaces the previous tokeninfo endpoint call. More reliable (no URL length limits).

SSO (WorkOS)

  • New: WorkOS SAML/OIDC SSO — GET /v1/auth/sso/authorize, callback handler, "Sign in with SSO" button on login page.

Security fixes (2026-03-16 audit)

  • Fixed (C-3): Dashboard auth bypass — PUBLIC_PAGES prefix match for "/" matched all paths. Now uses exact match.
  • Fixed (C-4): MFA token replay — MFA challenge tokens are now single-use (jti revoked after verification).
  • Fixed (C-5): Cross-vault IDOR — agent JWTs with empty vault_ids no longer grant unrestricted access; vault IDs are derived from access policies.
  • Fixed (H-19): Ed25519 SPKI DER parsing uses proper ASN.1 validation instead of a heuristic.
  • New: signing_key_path validation restricts Intents API key paths to keys/*, wallets/*, or agents/{id}/keys/*.
  • New: Shroud strips sensitive headers (authorization, cookies, IP headers) before forwarding to upstream LLM providers.

x402 marketplace compatibility

  • Updated: 402 Payment Required response body now aligns with docs.g402.ai and x402scan: x402Version, accepts[] with maxAmountRequired (atomic units), resource (full URL), payTo, maxTimeoutSeconds, asset, description, mimeType. Enables registration on x402 marketplaces.
  • Updated: On paid routes, x402 middleware runs before auth so unauthenticated requests receive 402 (with payment details) instead of 401. Scanners and buyers can discover and pay without a token.
  • New: Optional x402.asset (DB/API) and X402_ASSET env — default is Base USDC. Used in 402 accepts[].asset.
  • Updated: SDK PaymentAccept and auto-pay logic support the new 402 shape; maxAmountRequired (atomic) with fallback to legacy price (USD). Custom X402Signer implementations should use maxAmountRequired and asset.
  • Updated: Dashboard proxy passes discovery paths (/openapi.json, /.well-known/x402) through without /v1 prefix so vault discovery routes are reachable at api.1claw.xyz.

2026-02

Tenderly Transaction Simulation

  • New: POST /v1/agents/:agent_id/transactions/simulate — pre-flight simulation of EVM transactions via Tenderly. Returns balance changes, gas estimates, decoded errors, and a Tenderly dashboard deep-link. No signing or broadcasting occurs.
  • New: POST /v1/agents/:agent_id/transactions/simulate-bundle — simulate multiple sequential transactions (e.g. approve + swap).
  • New: simulate_first flag on POST /v1/agents/:agent_id/transactions — runs a Tenderly simulation before signing. If the simulation reverts, returns HTTP 422 and does not sign. Org admins can enforce this as mandatory via the intents_api.require_simulation setting.
  • New: EIP-1559 (Type 2) transaction signing — set max_fee_per_gas and max_priority_fee_per_gas instead of legacy gas_price.
  • New: Automatic nonce resolution via eth_getTransactionCount RPC when nonce is omitted.
  • New: Address derivation from private key (secp256k1) — the simulation endpoint resolves the from address without exposing the key.
  • New: simulate_transaction MCP tool and simulate_first argument on the submit_transaction MCP tool (defaults to true).
  • New: simulateTransaction() and simulateBundle() methods in the TypeScript SDK.
  • New: Dashboard Transaction Builder on the agent detail page — simulate, review balance changes, then confirm and send.
  • New: Transaction history table on the agent detail page with simulation status badges and tx hash copy.

Transaction replay protection & response hardening

  • New: Idempotency-Key header on POST /v1/agents/:agent_id/transactions — duplicate requests with the same key within 24 hours return the cached response (200) instead of signing and broadcasting again. In-progress duplicates return 409 Conflict.
  • New: Server-side nonce serialization — when nonce is omitted, the server atomically reserves the next nonce per agent+chain+address via SELECT FOR UPDATE locking, preventing nonce collisions between concurrent requests.
  • New: signed_tx redacted by default — GET transaction endpoints omit the raw signed transaction hex. Pass ?include_signed_tx=true to include it. The initial POST submission always returns it.
  • New: transaction_idempotency and nonce_tracker database tables (migrations 034, 035).
  • New: Nightly cleanup of expired idempotency keys (>48h) in the existing credit expiry background job.
  • Updated: SDK submitTransaction() auto-generates an Idempotency-Key header (UUID). Callers can override via options.idempotencyKey.
  • Updated: MCP submit_transaction tool auto-generates an Idempotency-Key header.
  • Updated: OpenAPI spec documents Idempotency-Key header and include_signed_tx query parameter.

Admin user management

  • New: DELETE /v1/admin/users/:user_id — platform admins can delete users. Cascades: delete share links created by the user, clear agents.created_by, then delete the user (device_auth_codes and user_api_keys CASCADE in DB). Cannot delete self or the last owner of the platform org.
  • New: scripts/cleanup-test-users.sh — removes test users by display name. Auth via ONECLAW_TOKEN or ADMIN_EMAIL + ADMIN_PASSWORD. Use --dry-run to list only.

Security audit hardening

  • New: Per-agent transaction guardrails — tx_allowed_chains, tx_to_allowlist, tx_max_value_eth, tx_daily_limit_eth enforced before signing.
  • New: Audit hash chain — each event stores prev_event_id and SHA-256 integrity_hash for tamper detection.
  • New: x402 payment replay protection — payment proofs deduplicated via SHA-256 before facilitator verification.
  • New: Authorization enforcement on delete_secret, list_secrets, and list_versions (policy check, not just org membership).
  • Improved: CORS defaults to https://1claw.xyz in production (no more permissive Any fallback).
  • Improved: CSP removes unsafe-inline and unsafe-eval from script-src.
  • Improved: Global rate limiting middleware applied to all API routes.
  • Improved: Dependency overrides for minimatch, ajv, hono to address known CVEs.

Dashboard UX — CopyableId

  • New: One-click copy for every UUID, path, and identifier across the dashboard. Vault IDs, agent IDs, principal IDs, audit actor/resource IDs, API key prefixes, secret paths, and user/org IDs in the sidebar — all clickable with tooltip confirmation.

Quota exemption for platform admin orgs

  • New: CallerIdentity.quota_exempt flag resolved at authentication time. Platform admin org (and its agents) bypasses all billing checks. Cleaner than per-route overrides — single source of truth in auth middleware.

Policy UI improvements

  • New: Vault selector dropdown on Create Access Policy page — pick any vault, not just the one in the URL.
  • New: Agent principal picker — select from existing agents or type a custom agent ID.
  • New: Edit policy dialog — update permissions, conditions (JSON), and expiry on existing policies.
  • New: Delete policy from the policies list page.

Agent integration guide

  • New: Agent detail page in the dashboard now includes a tabbed integration guide with copy-paste code snippets for TypeScript SDK, Python, curl, and MCP configuration.

PolyForm Noncommercial License

Organization migration

  • All repositories moved to the 1clawAI GitHub organization.

Email notifications

  • New: Transactional emails via Resend for account and security events.
  • Welcome email on signup (email/password and Google OAuth).
  • Share invite email when a secret is shared by email.
  • Share access notification to the creator when a shared secret is accessed.
  • Password change confirmation email.
  • API key creation notification email.
  • Emails are fire-and-forget (non-blocking) and silently skipped when no RESEND_API_KEY is configured.

Sharing & invite-by-email

  • New: external_email share type — share secrets with users who don't have accounts yet.
  • New: Claim-on-login — pending email shares are automatically claimed when the recipient signs up or logs in.
  • New: Share access notifications — creators are emailed each time a shared secret is accessed.
  • New: POST /v1/auth/signup — self-service account registration via email/password.

SDK rewrite (@1claw/sdk v0.2.0)

  • New: Full API parity — typed methods for all 42+ REST API endpoints.
  • Resource modules: vault, secrets, access, agents, sharing, auth, apiKeys, billing, audit, org.
  • createClient() factory with auto-authentication (API key or agent credentials).
  • { data, error, meta } response envelope on every method.
  • Typed error hierarchy: AuthError, PaymentRequiredError, NotFoundError, RateLimitError, etc.
  • x402 auto-payment support with configurable maxAutoPayUsd.
  • MCP tool layer: McpHandler and getMcpToolDefinitions() for AI agent frameworks.
  • auth.signup() for programmatic account creation.
  • sharing.create() with email support for invite-by-email.

Examples repository

  • New: examples/basic/ — TypeScript scripts for vault CRUD, secrets, billing, signup, and email sharing.
  • New: examples/nextjs-agent-secret/ — Next.js 14 app with Claude AI agent accessing vault secrets.

MCP server (@1claw/mcp)

  • New: MCP server for AI agent access to secrets via the Model Context Protocol.
  • 7 tools: list_secrets, get_secret, put_secret, delete_secret, describe_secret, rotate_and_store, get_env_bundle.
  • Browsable vault://secrets resource.
  • Dual transport: Local stdio mode (Claude Desktop, Cursor) and hosted HTTP streaming mode (mcp.1claw.xyz).
  • Per-session authentication in hosted mode — each connection gets its own vault client.
  • Auto-deploy to Cloud Run via GitHub Actions.

Billing & usage tracking

  • New: Usage tracking middleware records every authenticated API request.
  • New: Free tier — 1,000 requests/month per organization.
  • New: x402 Payment Required responses when free tier is exhausted, with on-chain payment on Base (EIP-155:8453).
  • New: Billing API — GET /v1/billing/usage (summary) and GET /v1/billing/history (event log).
  • Unified billing across dashboard, SDK, and MCP — all count against the same quota.

Vault API

  • Added POST /v1/agents/:agent_id/rotate-key endpoint for agent key rotation.
  • Added GET /v1/billing/usage and GET /v1/billing/history endpoints.
  • Usage middleware tracks method, endpoint, principal, status code, and price per request.
  • x402 middleware enforces free tier limits and returns payment-required responses.

Infrastructure

  • Cloud Run deployment for MCP server (oneclaw-mcp).
  • Terraform resources for MCP service and domain mapping.
  • GitHub Actions workflow for MCP auto-deploy.
  • CI pipeline expanded: MCP type check, build, Docker image build and Trivy scan.

Documentation

  • New: Full MCP documentation section (overview, setup, tool reference, security, deployment).
  • New: Billing & usage guide.
  • New: Deploying updates guide.
  • Updated intro, MCP integration guide, and changelog.
  • Updated llms.txt and llms-full.txt with MCP and billing content.

Initial release (2026-02 early)

  • Vault API: vaults, secrets (CRUD + versioning), policies, agents, sharing, audit log, org management.
  • Human auth: email/password, Google OAuth, personal API keys (1ck_).
  • Agent auth: agent API keys (ocv_) exchanged for short-lived JWTs.
  • Envelope encryption with Cloud KMS (or SoftHSM for local dev).
  • Dashboard: Next.js with full secret management UI.
  • TypeScript SDK (@1claw/sdk).
  • Docusaurus docs site.
  • Terraform infrastructure (Supabase, GCP, Vercel).