API Changelog

History of changes to the FluffyStack API. New releases at the top.

Versioning policy

  • All current endpoints live under /v1/.
  • Backwards-compatible changes (new endpoints, new optional response fields) bump the minor version (1.x) and do NOT break existing consumers.
  • Breaking changes would ship under a new /v2/ prefix. The old /v1/ stays live indefinitely.
  • Bookmark this page to stay up to date with API changes.

v1.2.0

Frontend export gating — all exports now require sign-in (free account). Browsing, searching, comparing, and building service lists remain free.

Changed

All export actions on the website now require authentication. This mirrors the API gating: read-only catalogue access is open, but generating downloadable artefacts (SCP, Azure Policy, GCP Org Policy, Terraform, JSON, Markdown, migration target lists) requires a free account. The Service Builder shows a 'Sign in to export' prompt; the Migration Assistant shows a 'Sign in to export' button.

Changed

Account page 'What can you do with an API key?' section rewritten to 'What does signing in unlock?' — now accurately reflects both website and API gating.

v1.1.0

OAuth authentication, API key management, rate limiting, and account management.

Added

GitHub and Google OAuth sign-in. Users authenticate via OAuth and receive a persistent API key (flsk_* format) for all gated endpoints.

GET /v1/auth/login/github
GET /v1/auth/login/google
GET /v1/auth/callback/github
GET /v1/auth/callback/google

Added

Account management endpoints: view profile, reveal API key, rotate key.

GET /v1/auth/me
POST /v1/auth/rotate

Added

KV-based rate limiting. Anonymous: 30 req/min by IP. Authenticated: 120 req/min by API key. X-RateLimit-* response headers on every request.

Changed

POST endpoints (policies, export, lists) now require an API key via the X-API-Key header. GET endpoints remain open.

POST /v1/policies/aws-scp
POST /v1/policies/azure-policy
POST /v1/policies/gcp-org-policy
POST /v1/export/markdown
POST /v1/lists

Changed

CORS policy updated: authenticated requests (with API key) are allowed from any origin. Unauthenticated requests still restricted to fluffystack.dev and *.pages.dev.
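
An added example, not FluffyStack's own code, of the origin decision this CORS rule implies, using exact-host and dot-anchored suffix matching so lookalike hostnames are refused. The function names, the https-only rule for anonymous requests and the key-shape regex (standing in for a real key lookup) are assumptions.

```javascript
// Added example (not FluffyStack code): CORS origin decision for the v1.1.0 rule.
const ALLOWED_HOST = "fluffystack.dev";
const ALLOWED_SUFFIX = ".pages.dev"; // leading dot anchors the *.pages.dev match
// Assumption: stands in for a real key lookup; only the flsk_ prefix is from the page.
const KEY_SHAPE = /^flsk_[A-Za-z0-9_-]+$/;

// Returns the origin to echo in Access-Control-Allow-Origin, or null to send none.
function allowedOrigin(origin, apiKey) {
  if (typeof origin !== "string") return null;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // missing header, the literal "null" origin, or garbage
  }
  // A browser Origin is scheme://host[:port] in canonical form, nothing more.
  if (url.origin !== origin) return null;
  // Authenticated requests: any origin is allowed.
  if (typeof apiKey === "string" && KEY_SHAPE.test(apiKey)) return origin;
  // Anonymous requests: https only (assumption), exact host or dot-anchored suffix.
  if (url.protocol !== "https:") return null;
  const host = url.hostname;
  if (host === ALLOWED_HOST || host.endsWith(ALLOWED_SUFFIX)) return origin;
  return null;
}

// Builds the response headers; Vary: Origin keeps caches from reusing one
// origin's answer for another.
function corsHeaders(origin, apiKey) {
  const headers = { Vary: "Origin" };
  const allowed = allowedOrigin(origin, apiKey);
  if (allowed !== null) headers["Access-Control-Allow-Origin"] = allowed;
  return headers;
}

// Constructed sample origins, not taken from the page.
const samples = [
  "https://fluffystack.dev",
  "https://preview-1.pages.dev",
  "https://notpages.dev",
  "https://fluffystack.dev.lookalike.example",
];
for (const o of samples) console.log(o, "->", allowedOrigin(o, undefined));
```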

Security

API keys are generated using nanoid (cryptographically random, 32 chars). JWT session tokens use HMAC-SHA256 with a 64-byte secret and 7-day expiry.

v1.0.0

Initial public API release. Read-only catalogue, policy generation, service list export, and shareable approved lists.

Added

Read-only catalogue endpoints for providers, categories, and services with pagination, search, and filtering.

GET /v1/providers
GET /v1/categories
GET /v1/services
GET /v1/services/:slug

Added

Side-by-side comparison endpoint for up to 10 services.

GET /v1/compare?ids=a,b,c

Added

Policy generation: AWS SCP, Azure Policy, GCP Org Policy from an approved service list.

POST /v1/policies/aws-scp
POST /v1/policies/azure-policy
POST /v1/policies/gcp-org-policy

Added

Markdown export of approved service lists.

POST /v1/export/markdown

Added

Shareable approved service lists with 90-day auto-expiry.

POST /v1/lists
GET /v1/lists/:id

Added

Health check and status endpoints with history tracking.

GET /v1/health
GET /v1/status
GET /v1/status/history

Fixed

AWS SCP: removed invalid _comment top-level key that caused AWS Organizations to reject the policy. Provenance is now carried in the grammar-valid Id field.

Fixed

Azure Policy: removed policyType (can't be set), changed mode from "Indexed" to "all" (covers all resource types), removed empty parameters object.

Fixed

GCP Org Policy: removed invalid _comment top-level key that caused the Resource Manager API to reject the policy.
