📘 Public beta · Endpoints are stable; OpenAPI specs and SDKs ship monthly. See changelog →
Changelog

Changelog

All notable changes to the public REST API + webhook contracts. We follow semver at the spec level — minor releases are backwards-compatible additions, major releases (rare) are breaking.

Subscribe via RSS: /changelog.rss

2026-05 — Identity face-match BYO references

Identity Platform

  • Added POST /api/identity/face/match now accepts referenceImage (base64) or referenceEmbedding (float[512]) for client-supplied references. Useful for banks migrating from legacy biometric vendors who want to keep reference photos under their own control.
  • Added referenceSource field on match response (enrollment | pool | image | embedding).
  • Changed Match endpoint now returns perReference[] array showing similarity against each candidate ref, not just the best.

AML

  • Added POST /api/transactions/evaluate now supports persist: false for dry-run scoring without alert creation.

Anti-Fraud

  • Added POST /api/test-evaluate for deterministic scenario-injected testing without persisting alerts.

Bank Statement

  • Added Native parser for OCBC ONE Mobile statements (8th native bank).
  • Improved Bank detection confidence now uses font-metric fingerprinting in addition to header recognition.

Orchestration

  • Added subflow node type — inline-execute another workflow as a child step.

AI Automation

  • Added silenceWindowSec + dedupKey on webhook subscriptions for high-volume event suppression.

2026-04 — Webhook prefix migration starts

Cross-product

  • Deprecated Product-prefixed signature headers (X-Identity-Signature, X-QEDI-Signature, X-BankStatement-Signature, etc.). Migrate to unified X-Quantum-Signature. Both keep working for 12 months. Doc'd at Webhooks.
  • Added X-Quantum-Trace-Id header propagation through Orchestration and AI Automation service_call steps. Lets you correlate cross-service audit logs.

Identity Platform

  • Added POST /api/identity/auth/step-up — canonical atomic liveness + match endpoint. Supersedes the two-call pattern.

AML

  • Changed Decision policy now exposes txReviewScore, txEscalateScore, txSarScore explicitly. The cashThresholdIdr is now a string (bigint) for orgs with very large thresholds.
  • Added POST /api/sar-filings/{id}/acknowledge for recording PPATK ack receipts.

Anti-Fraud

  • Added POST /api/sdk-config returns remote SDK config (certificate pins, probe toggles) for the device SDKs.
  • Added Attestation verdict (pass | fail) on device sessions when AppAttest or Play Integrity token was provided.

2026-03 — Bank Statement consolidations

Bank Statement

  • Added Consolidation groups: POST /api/consolidations, GET /api/consolidations/{id}/consolidated — merge multi-month statements into a single ledger view with monthly buckets and category breakdown. Designed for loan underwriting integrations.
  • Added auto_create_group=true form field on upload — auto-creates a consolidation group when uploading multiple files at once.
  • Added consolidation.completed webhook event.

Document Intelligence

  • Added Template system: POST /api/templates lets orgs define custom document schemas with field-level confidence thresholds.

AI Automation

  • Added Cron triggers: 5-field cron expressions with per-org timezone. GET /api/cron-preview for expression validation.

2026-02 — Webhook idempotency

Cross-product

  • Added Every webhook event carries an idempotent id field that's stable across retries. Use it as your event-dedupe key.
  • Changed Webhook retry policy unified: 5 attempts with exponential backoff (10s · 30s · 2m · 10m · 1h). Doc'd at Webhooks.

Anti-Fraud

  • Added Device SDK: @quantum-elixir/device-sdk-rn for React Native, native iOS + Android SDKs. Two-command RN install.

Bank Statement

  • Added Native parsers for BTN (8th native bank slot, later promoted).

2026-01 — Initial public release

First public, customer-integrable release of the seven-product Quantum Elixir suite.

Identity — KTP capture, face liveness, face match, KYC tiers, webhooks. AML — Screening, transaction evaluate, alerts, cases, SAR filing (goAML XML), watchlists. Anti-Fraud — Risk evaluate, device SDK (RN + native), rules, alerts, cases, allow/block lists. Document Intelligence — Upload, extraction, templates, 18 built-in Indonesian document types. Bank Statement — 7 native parsers (BCA · Mandiri · BRI · BNI · Permata · Danamon · BTN), AI fallback. Orchestration — Workflows, executions, human approvals, service connections. AI Automation — Flows, runs, agents, conversations, cron + webhook + API triggers.

Deprecation policy

Anything in the public API that's marked Deprecated stays working for at least 12 months from the deprecation announcement. We notify via this changelog, the dashboard's deprecation banner, and direct email to the org admin.

Earlier (private beta)

Pre-2026-01 history is private beta and not documented here. Customers on private-beta SDKs were upgraded to the 2026-01 GA contract via a migration window — contact us if you need archived spec versions for audit.

Production checklistStatus