Changelog
All notable changes to the Qpher platform are documented here. This changelog follows the Keep a Changelog format.
2026-04-20 — Multi-factor authentication and step-up re-verification
Added
- Multi-factor authentication (MFA) — TOTP (RFC 6238) with any authenticator app, 10 single-use recovery codes, and email OTP as a last-resort fallback after two failed primary attempts. Available on both the SaaS Portal and the Vault iOS app. See Security → Multi-Factor Authentication.
- Step-up re-verification for sensitive actions — subscription checkout / cancel, API key rotation, team-member removal, password change, and PQC key rotation each require a second proof of presence before they take effect. A step-up token lasts 5 minutes, is single-use, and is carried via the X-Step-Up-Token header. See API Reference → Authentication.
- New endpoint POST /api/v1/auth/step-up — exchange a TOTP code (or password, if MFA is not enabled) for a step-up token.
- New endpoint POST /api/v1/auth/change-password — change the account password while signed in, with a step-up check before the write and automatic revocation of all existing sessions after the change.
- Enterprise org policy — require_mfa on the tenant policy rejects logins from members who have not enrolled, with a 7-day grace period for existing members and no grace period for new invites. Enterprise and Enterprise+ plans only.
Changed
- ERR_MFA_011 is now reserved for the Enterprise+ plan gate on require_mfa. Earlier versions overloaded this code.
Deprecated
- ERR_MFA_002 and ERR_MFA_006 are merged into ERR_MFA_001 ("Invalid code") to prevent factor-type enumeration from error messages. The legacy codes remain in the catalogue for a six-month deprecation window — treat any of them as equivalent to ERR_MFA_001.
Notes
- API-key integrations (SDKs and the qpher CLI) are not affected by step-up. The X-Step-Up-Token requirement and ERR_MFA_013 response apply only to Portal JWT sessions. API keys remain the highest-trust credential and bypass step-up by design.
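The step-up token semantics described in this release (5-minute lifetime, single use, carried in X-Step-Up-Token), modelled as an added example; this is not Qpher's implementation. The names StepUpTokenStore and step_up_ok, the binding of a token to a session ID, the hashed in-memory store, and burning a token on any failed presentation are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

STEP_UP_TTL_SECONDS = 5 * 60  # changelog: a step-up token lasts 5 minutes


class StepUpTokenStore:
    """Hypothetical in-memory store; a real service needs a shared store with atomic delete."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._tokens = {}     # sha256(token) -> (session_id, expires_at)

    @staticmethod
    def _digest(token):
        # Keep only a hash at rest so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, session_id):
        """Call only after the TOTP code (or password) has been verified."""
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + STEP_UP_TTL_SECONDS
        self._tokens[self._digest(token)] = (session_id, expires_at)
        return token

    def consume(self, session_id, token):
        """Return True at most once per token; every failure returns the same False."""
        # pop() deletes the entry before any check, so a replay, an expired
        # token and a wrong-session presentation all leave nothing to reuse.
        entry = self._tokens.pop(self._digest(token or ""), None)
        if entry is None:
            return False
        bound_session, expires_at = entry
        if bound_session != session_id:
            return False
        return self._clock() < expires_at


def step_up_ok(store, session_id, headers):
    """Gate for a sensitive action; HTTP header names are case-insensitive."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return store.consume(session_id, lowered.get("x-step-up-token"))
```

Returning one undifferentiated failure for missing, expired, replayed and wrong-session tokens follows the same reasoning as the merge of the legacy MFA error codes into ERR_MFA_001.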
[1.0.0] -- 2026-02-15
Added
- Kyber768 KEM encryption and decryption -- Quantum-resistant key encapsulation using NIST FIPS 203 (ML-KEM-768). Supports standard and deterministic modes.
- Dilithium3 digital signatures -- Quantum-resistant signing and verification using NIST FIPS 204 (ML-DSA-65).
- Key management -- Full PQC key lifecycle: generate, rotate, retire, and archive. Explicit key versioning required on all operations.
- Non-exportable private keys -- Private keys encrypted at rest with AES-256-GCM and stored exclusively inside the KMS-Orchestrator. No export API.
- Tenant API -- Multi-tenant Organization management with API key creation and rotation.
- API Gateway -- 7-stage authentication and authorization pipeline with per-tenant rate limiting.
- Zero Trust Policy Engine -- Per-request authorization with fail-closed design. Plan-based access control and quota enforcement.
- Billing integration -- Stripe-powered billing with five plans: Free, Starter ($99/mo), Growth ($179/mo), Pro ($299/mo), and Enterprise (from $999/mo). Annual billing with 20% discount.
- User Portal -- Web dashboard at portal.qpher.ai for managing keys, viewing usage, and configuring billing.
- Python SDK -- Official Python client library for Qpher APIs.
- Node.js SDK -- Official Node.js client library for Qpher APIs.
- Go SDK -- Official Go client library for Qpher APIs.
- Audit logging -- Structured audit logs with 180-day retention for all cryptographic operations and administrative actions.
- Documentation site -- Developer documentation at docs.qpher.ai with API reference, guides, and SDK documentation.
This changelog is updated with each release. For questions about specific changes, contact support@qpher.ai.