Changelog
User-visible changes to ScaiVault, newest first. Versioning is API-path based — breaking changes ship under a new path version (v2) and don't disturb v1 callers.
SDK releases — 2026-06-01#
Three rounds of SDK work landed this release. See the per-language CHANGELOGs in each SDK package for the full detail.
API-key authentication. All three SDKs now accept ScaiVault key_… API keys in addition to ScaiKey JWTs. The SDK auto-detects the key_ prefix on token and routes to X-API-Key; you can also pass the credential as the explicit api_key / apiKey / ApiKey argument. Before this release, passing an API key as the bearer token would 401 (the server tried to JWT-parse it).
Response-shape audit. Every SDK response type was re-validated against the API's Pydantic response models. 73 missing-field gaps were closed across the three SDKs (notably on Certificate, IssuedCertificate, Subscription, FederationBackend, DynamicEngine/Role, Lease, ACMEAccount/Order, AuditSummary, GeneratedSecret). The SDK no longer silently drops fields on deserialize.
Feature parity. The JavaScript and .NET SDKs are now at full parity with the Python SDK — all 127 endpoints covered. New operation clients: acme, federation, identity, subscriptions, webhooks, batch, plus dynamic.testEngine, pki.renewCertificate, and pki.deleteCA. JS/.NET PKI CSR endpoints moved from the deprecated /pki/csr/... alias to the canonical /pki/csrs/....
Server fix. SecretResponse (returned by PUT/GET /secrets/{path}) now includes id, matching the list-endpoint shape. The asymmetry had caused the SDK's typed Secret model to crash on deserialize when used via client.secrets.write() / .read().
Package downloads — scailabs.ai/downloads:
| SDK | Version |
|---|---|
Python (scaivault-sdk) |
1.6.1 |
JavaScript / TypeScript (@scaivault/sdk) |
1.8.0 |
.NET (ScaiVault.Sdk) |
1.8.0 |
1.0.0 — 2026-05-17#
Public launch.
Available API surfaces. Secrets (CRUD, versioning, expiration, soft-delete with recovery, batch read), Policies (path-pattern rules with IP/MFA/time-window conditions), Rotation (auto and event-driven, with grace periods and warn-before notifications), PKI (internal CA hierarchy + ACME via Let's Encrypt/ZeroSSL/BuyPass/Google + CSR workflow + trust anchors + CRL/OCSP), Dynamic Secrets (Postgres/MySQL/MongoDB/Redis/AWS/Azure/GCP/SSH), Federation (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager — proxy or sync mode), Webhooks and Subscriptions, Audit log with export to S3/GCS/Azure.
Clients shipped. Python, JavaScript/TypeScript, .NET. Python and .NET fully cover the API; JavaScript covers everything except a handful of admin-only operations. CLI (scaivault) and MCP server (67 tools) for shell and agent integration.
Identity. Authentication delegated to ScaiKey. Three-level tenancy (partner / tenant / identity). Identity cache synced from ScaiKey, kept fresh by webhooks plus a 15-minute background reconciliation.
Crypto. Envelope encryption with per-row data keys wrapped by a KMS-held root. AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault Transit, and PKCS#11 HSMs (including TPM 2.0) supported.
Limits. Default rate limits per identity per endpoint category — see Rate Limiting. Quotas per tenant — see Multi-tenancy.
Public docs. This site.
What's next#
We track upcoming work in our public roadmap. The shape and content of the API is stable; ongoing work is operational (more DNS providers, more dynamic engines, more federation backends).