---
title: Changelog
path: changelog
status: published
---

# Changelog

User-visible changes to ScaiVault, newest first. Versioning is API-path based — breaking changes ship under a new path version (`v2`) and don't disturb `v1` callers.

## SDK releases — 2026-06-01

Three rounds of SDK work landed this release. See the per-language CHANGELOGs in each SDK package for the full detail.

**API-key authentication.** All three SDKs now accept ScaiVault `key_…` API keys in addition to ScaiKey JWTs. The SDK auto-detects the `key_` prefix on `token` and routes to `X-API-Key`; you can also pass the credential as the explicit `api_key` / `apiKey` / `ApiKey` argument. Before this release, passing an API key as the bearer token would 401 (the server tried to JWT-parse it).

**Response-shape audit.** Every SDK response type was re-validated against the API's Pydantic response models. 73 missing-field gaps were closed across the three SDKs (notably on `Certificate`, `IssuedCertificate`, `Subscription`, `FederationBackend`, `DynamicEngine`/`Role`, `Lease`, `ACMEAccount`/`Order`, `AuditSummary`, `GeneratedSecret`). The SDK no longer silently drops fields on deserialize.

**Feature parity.** The JavaScript and .NET SDKs are now at full parity with the Python SDK — **all 127 endpoints** covered. New operation clients: `acme`, `federation`, `identity`, `subscriptions`, `webhooks`, `batch`, plus `dynamic.testEngine`, `pki.renewCertificate`, and `pki.deleteCA`. JS/.NET PKI CSR endpoints moved from the deprecated `/pki/csr/...` alias to the canonical `/pki/csrs/...`.

**Server fix.** `SecretResponse` (returned by `PUT/GET /secrets/{path}`) now includes `id`, matching the list-endpoint shape. The asymmetry had caused the SDK's typed `Secret` model to crash on deserialize when used via `client.secrets.write()` / `.read()`.

Package downloads — [scailabs.ai/downloads](https://www.scailabs.ai/downloads):

| SDK | Version |
|---|---|
| Python (`scaivault-sdk`) | 1.6.1 |
| JavaScript / TypeScript (`@scaivault/sdk`) | 1.8.0 |
| .NET (`ScaiVault.Sdk`) | 1.8.0 |

## 1.0.0 — 2026-05-17

Public launch.

**Available API surfaces.** Secrets (CRUD, versioning, expiration, soft-delete with recovery, batch read), Policies (path-pattern rules with IP/MFA/time-window conditions), Rotation (auto and event-driven, with grace periods and warn-before notifications), PKI (internal CA hierarchy + ACME via Let's Encrypt/ZeroSSL/BuyPass/Google + CSR workflow + trust anchors + CRL/OCSP), Dynamic Secrets (Postgres/MySQL/MongoDB/Redis/AWS/Azure/GCP/SSH), Federation (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager — proxy or sync mode), Webhooks and Subscriptions, Audit log with export to S3/GCS/Azure.

**Clients shipped.** Python, JavaScript/TypeScript, .NET. Python and .NET fully cover the API; JavaScript covers everything except a handful of admin-only operations. CLI (`scaivault`) and MCP server (67 tools) for shell and agent integration.

**Identity.** Authentication delegated to [ScaiKey](https://scaikey.scailabs.ai). Three-level tenancy (partner / tenant / identity). Identity cache synced from ScaiKey, kept fresh by webhooks plus a 15-minute background reconciliation.

**Crypto.** Envelope encryption with per-row data keys wrapped by a KMS-held root. AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault Transit, and PKCS#11 HSMs (including TPM 2.0) supported.

**Limits.** Default rate limits per identity per endpoint category — see [Rate Limiting](./advanced/rate-limiting). Quotas per tenant — see [Multi-tenancy](./core-concepts/multi-tenancy).

**Public docs.** This site.

## What's next

We track upcoming work in our public roadmap. The shape and content of the API is stable; ongoing work is operational (more DNS providers, more dynamic engines, more federation backends).
