API changelog API changelog Most-recent changes first. Breaking changes are flagged BREAKING. 2026-06-11 Added - Personal Access Tokens (PATs). Long-lived pat… bearer tokens minted from Settings → API. Same downstream surface as OAuth — works on every /v1/public/ endpoint. See PAT setup for the auth pattern. - integrationsource column on usage logs. Every API-attributed usage row now carries the originating OAuth client name or pat: so users can see "what called me" in the activity dashboard. - Admin security events feed — for internal ops use. Not in the public API surface. Changed - /v1/public/ routes now accept both Bearer pat… and Bearer tokens. Token shape is detected by prefix — no API change for existing OAuth callers. 2026-06-09 Added - OpenAPI 3.1 spec at /v1/public/openapi.json. Generated from the same code that serves the endpoints, so it's always in sync. Import into Postman / Insomnia / Swagger UI. - Activity dashboard at Settings → API → Activity. Per-client + per-tool breakdown over a 7/30/90-day window, plus a 20-row recent-events timeline. Fixed - Auth-code replay cascade revocation now correctly invalidates the entire token chain (OAuth 2.1 §6.1). - Spawn-on-timeout path no longer leaves drain goroutines pinned when the inline path exits early. 2026-06-04 Added - MCP server at /mcp. JSON-RPC 2.0 over Streamable HTTP per the MCP 2025-06-18 spec. Tools: niyraask, niyraexecute, niyrafollowup, niyramemories, niyraremember, niyragettask. - OAuth 2.1 authorization server at /oauth/authorize + /oauth/token. PKCE S256 required for public clients. RFC 8707 audience binding (resource parameter). - Dynamic Client Registration (RFC 7591) at /oauth/register. Self-service — no manual review. - Discovery endpoints: /.well-known/oauth-authorization-server (RFC 8414), /.well-known/jwks.json. - Revocation endpoint at /oauth/revoke (RFC 7009). - Introspection endpoint at /oauth/introspect (RFC 7662). Initial scope catalog - niyra:ask - niyra:execute - niyra:followup - niyra:memories:read - niyra:memories:write - niyra:tasks:read Versioning The public API is under the /v1/public/ path. Breaking changes will land under /v2/public/, with /v1/public/ continuing to work for at least 12 months after /v2/public/ reaches general availability. Non-breaking changes (new optional fields, new endpoints, looser validation) can land in /v1/public/* at any time. Subscribe Watch this page for updates. A formal subscription mechanism (email + RSS) lands in a future release.