1House Global API Documentation

Changelog

Latest platform updates and API changes

February 2026 - Live Streams & Auth API Updates

Documentation: Platform Types (SKU reference)

  • Current SKUs per platform: Platform Types now includes a dedicated section, "Current SKUs each platform looks like", with the SKU list per platform and the access window per SKU. Any one listed SKU that is active within its access window grants access.

Platforms and SKUs:

| Platform | Value | SKUs (any one grants access) |
|---|---|---|
| Livestream | livestream | DSAS408, 1HM102, FREEACCESS, 1HSET101, 1HSET202, 1HSET303 |
| Mobile App | app | 1HSET101, 1HM102, 1HSET202, 1HSET303, FREEACCESS, DSAS408 |
| Scanners | scanners | (none configured yet) |
| Web | web | No SKU validation |
| Back Office | backoffice | No SKU validation |

Access window per SKU (days from last_purchased_date):

| SKU | Access window |
|---|---|
| 1HSET303, 1HDEP303 | 365 days (annual) |
| 1HSET202, 1HDEP202 | 90 days (quarterly) |
| DSAS408, FREEACCESS | 7 days |
| 1HSET101, 1HM102, others | 30 days (default) |
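
The access rule from the two tables above, as an added example (not 1House Global code). The purchase record shape `{ sku, last_purchased_date }`, the inclusive window boundary, and denying access for future-dated purchases, for unknown platforms and for the not-yet-configured scanners platform are assumptions.

```javascript
// Added example. SKU lists and windows are copied from the tables above.
const PLATFORM_SKUS = {
  livestream: ['DSAS408', '1HM102', 'FREEACCESS', '1HSET101', '1HSET202', '1HSET303'],
  app: ['1HSET101', '1HM102', '1HSET202', '1HSET303', 'FREEACCESS', 'DSAS408'],
  scanners: [],      // none configured yet: nothing can grant access (assumption)
  web: null,         // null = no SKU validation
  backoffice: null,  // null = no SKU validation
};
const WINDOW_DAYS = {
  '1HSET303': 365, '1HDEP303': 365, // annual
  '1HSET202': 90, '1HDEP202': 90,   // quarterly
  DSAS408: 7, FREEACCESS: 7,
};
const DEFAULT_WINDOW_DAYS = 30;     // 1HSET101, 1HM102, others
const DAY_MS = 24 * 60 * 60 * 1000;

// True when the purchase is still inside its SKU's access window.
function skuIsActive(purchase, now) {
  const bought = Date.parse(purchase.last_purchased_date);
  // Fail closed on unparseable or future-dated purchase dates (assumption).
  if (Number.isNaN(bought) || bought > now.getTime()) return false;
  const days = WINDOW_DAYS[purchase.sku] ?? DEFAULT_WINDOW_DAYS;
  return now.getTime() - bought <= days * DAY_MS;
}

// Any one listed SKU active within its window grants access.
function hasPlatformAccess(platform, purchases, now = new Date()) {
  if (!Object.hasOwn(PLATFORM_SKUS, platform)) return false; // unknown platform
  const allowed = PLATFORM_SKUS[platform];
  if (allowed === null) return true;
  return purchases.some((p) => allowed.includes(p.sku) && skuIsActive(p, now));
}
```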

Live Streams

  • Live endpoints split: “Currently live” is now available in two ways:
    • By status: GET /v1/livestreams/public/live returns streams whose status field is live (explicitly marked live).
    • By schedule: GET /v1/livestreams/public/live/scheduled returns streams that are in their scheduled window (current time between start and end; for recurring, within the correct occurrence). Supports optional query param timezone (IANA, e.g. America/New_York) to evaluate in that timezone. Cancelled streams are never returned.
  • Host / hostId: Query parameters host and hostId are both supported for filtering by educator (host) ID. In responses, hostId is the educator user ObjectId; host is populated by the API (object or legacy string). When creating or updating livestreams, only hostId is accepted; do not send educator name in host.
  • Documentation: Live Streams Guide — query params and response callout updated; live-by-status and live-by-schedule endpoints documented.

Authentication & User Management

  • Single sign-on (SSO): Endpoints POST /v1/auth/signin-sso and GET /v1/auth/signin-sso sign a user in by customer ID or user ID (no password). See Authentication – Sign In (Single Sign-On).
    • Required tokens: The request must include the backoffice accessToken and refreshToken.
    • Single URL: GET accepts the same params as a query string.
    • Livestream redirect: When platform=livestream, the backend builds the redirect URL with a JWT containing all SSO data (user, tokens, userId, sessionId) and redirects to {LIVESTREAM_SSO_REDIRECT_URL}/sso?token={jwt}. The livestream app verifies the JWT with the same JWT secret and reads the payload. The JWT is short-lived (5 min).
  • 4xx forwarding: The API gateway now forwards 4xx status codes and error messages from the auth service. Validation and auth errors (e.g. duplicate email, invalid credentials) return the correct status (400, 401, 403, 404) instead of 500.
  • Admin user management: Create and update user endpoints support:
    • Create User: Optional username (auto-generated from email if omitted), customerId, permissions, role (user, educator, admin).
    • Update User: customerId and optional email for mapping users to the backoffice; educator fields (educator_title, educator_bio, skills, etc.).
  • Admin base path: User management is under /v1/admin/auth/users (replacing deprecated /v1/admin/users).
  • Documentation: Authentication — Admin User Management section and 4xx callout; User Profile — admin endpoints updated to /v1/admin/auth/users and mapping note.
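
The livestream-side check described in the SSO entry above, as an added example (not 1House Global code). The changelog names only a shared JWT secret and a 5-minute lifetime; HS256, the `exp`/`iat` claim names and both function names are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, input) =>
  nodeCrypto.createHmac('sha256', secret).update(input).digest();
const parsePart = (part) => {
  try { return JSON.parse(Buffer.from(part, 'base64url').toString('utf8')); }
  catch { return null; }
};

// Backend stand-in: sign the SSO payload with the 5-minute lifetime.
function signSsoToken(payload, secret, nowSec) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...payload, iat: nowSec, exp: nowSec + 300 }));
  const signingInput = `${header}.${body}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

// Livestream app: trust nothing in the payload until the signature checks out.
function verifySsoToken(token, secret, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, body, sig] = parts;
  const hdr = parsePart(header);
  // Pin the algorithm: never let the token's own header choose it.
  if (!hdr || hdr.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  const expected = hmac(secret, `${header}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = parsePart(body);
  if (!claims || typeof claims.exp !== 'number' || nowSec >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims };
}
```

Because the token travels in the redirect URL's query string, it can end up in access logs and browser history; the 5-minute expiry bounds how long such a copy stays usable.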

January 2026 - Inner Circle (Educators) API

New Features

Educators API (Inner Circle)

  • New /v1/educators endpoints for educator management
  • Educator profile fields: educator_title, educator_bio, banner_image, specialty, skills, socials
  • Follow/unfollow educators with automatic notification subscriptions
  • Educator-specific announcements and stories
  • Dedicated educator chatrooms
  • Tips/donations to educators (integrated with wallet service)

New Endpoints:

| Endpoint | Description |
|---|---|
| GET /v1/educators | List all educators |
| GET /v1/educators/:id | Get educator details |
| PATCH /v1/educators/:id/profile | Update educator profile (new fields) |
| GET /v1/educators/featured | Get featured educators |
| POST /v1/educators/:id/follow | Follow educator |
| DELETE /v1/educators/:id/follow | Unfollow educator |
| GET /v1/educators/following | List educators you follow |
| GET /v1/educators/:id/announcements | Get educator announcements |
| GET /v1/educators/announcements/feed | Get announcements from followed educators |
| POST /v1/educators/:id/announcements | Create announcement (educator only) |
| GET /v1/educators/:id/stories | Get educator stories |
| GET /v1/educators/stories/feed | Get stories from followed educators |
| GET /v1/educators/:id/chatroom | Get educator chatroom |
| POST /v1/educators/:id/chatroom/join | Join chatroom |
| POST /v1/educators/:id/tip | Send tip to educator |
| POST /v1/educators/:id/notifications/subscribe | Subscribe to educator notifications |
| POST /v1/educators/notifications/subscribe-all | Subscribe to all educator notifications |

New Educator Profile Fields:

| Field | Type | Description |
|---|---|---|
| educator_title | string | Educator type (e.g., "Day Trading Specialist") |
| educator_bio | string | Extended bio (max 2000 chars) |
| banner_image | string | Header/banner image URL |
| specialty | string | Primary area of expertise |
| skills | string[] | Array of skills |
| socials | object | Social media links (twitter, youtube, etc.) |

Documentation: Educators (Inner Circle) Guide


December 2025 - API Updates

API Changes

Live Streams API Updates

  • Category field is now a plain text input (not a dropdown)
  • Added event_id field for external event integration (e.g., Vimeo)
  • Added startTime field in datetime-local format
  • Added endDate and duration fields for better time management
  • Enhanced recurring stream support with recurrencePattern and recurrenceEnd
  • Livestream objects support optional thumbnail and banner_image (image URLs) for create/update and in responses

Updated Endpoints:

  • POST /v1/livestreams - Create livestream (updated request body)
  • PUT /v1/livestreams/:livestreamId - Update livestream (updated request body)

Documentation: Live Streams Guide


User Roles & Permissions API

  • New permission-based access control system
  • Permission distribution endpoint for analytics
  • User count by permission endpoint
  • Filter users by permissions

New Endpoints:

  • GET /v1/user/:userId/permissions - Get user permissions
  • POST /v1/user/:userId/permissions/assign - Assign permissions
  • POST /v1/user/:userId/permissions/unassign - Unassign permissions
  • PUT /v1/user/:userId/permissions - Set all permissions (replace)
  • GET /v1/user/permissions/distribution - Get permission distribution
  • GET /v1/user/permissions/:permission/count - Get user count by permission
  • GET /v1/admin/auth/users/permissions/distribution - Admin endpoint for permission distribution

Query Parameters:

  • GET /v1/user?permissions=educator - Filter users by permissions

Documentation: Permissions Guide


Wallet Funding Security

  • Password validation for wallet funding operations
  • Funding keys stored in MongoDB funding_keys collection
  • One-time use funding keys with expiration support

Updated Endpoints:

  • POST /v1/user/validate-password - Validate funding key (checks funding_keys collection)

Security:

  • Funding keys are validated against the funding_keys collection
  • Keys are marked as used after validation
  • Expired keys are automatically rejected

Bug Fixes

  • Fixed 404 error on /v1/admin/auth/users/permissions/distribution endpoint
  • Fixed 500 error on /v1/admin/permissions endpoint with improved error handling and fallback

October 2025 - Major Platform Updates

New Features

Password Reset System

  • Email-based password reset with 6-digit verification codes
  • Secure SHA-256 code hashing
  • Rate limiting (2 minutes between requests, max 5/day)
  • 1-hour code expiration
  • API key authentication for public endpoints
  • Session invalidation on password reset
  • Beautiful HTML email templates

New Endpoints:

  • POST /auth/forgot-password - Request reset code
  • POST /auth/validate-reset-code - Validate code
  • POST /auth/reset-password - Reset password
  • POST /auth/change-password - Change password (authenticated)

Documentation: Password Reset Guide
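
The reset-code controls listed above (6-digit code, SHA-256 hash at rest, 2 minutes between requests, max 5/day, 1-hour expiry), as an added example that is not the auth service's own code. The in-memory Map, the function names, the rolling 24-hour reading of "max 5/day" and consuming the code only at the final reset step are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

const CODE_TTL_MS = 60 * 60 * 1000; // 1-hour code expiration
const MIN_GAP_MS = 2 * 60 * 1000;   // 2 minutes between requests
const MAX_PER_DAY = 5;              // max 5/day (rolling 24 h, assumption)
const DAY_MS = 24 * 60 * 60 * 1000;

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// store: Map<email, { requests: number[], codeHash: Buffer|null, expiresAt: number }>
function requestResetCode(store, email, nowMs) {
  const rec = store.get(email) ?? { requests: [], codeHash: null, expiresAt: 0 };
  rec.requests = rec.requests.filter((t) => nowMs - t < DAY_MS);
  const last = rec.requests[rec.requests.length - 1];
  if (last !== undefined && nowMs - last < MIN_GAP_MS) {
    return { ok: false, reason: 'too-soon' };
  }
  if (rec.requests.length >= MAX_PER_DAY) {
    return { ok: false, reason: 'daily-limit' };
  }
  // CSPRNG, zero-padded so every code is exactly 6 digits.
  const code = String(nodeCrypto.randomInt(0, 1000000)).padStart(6, '0');
  rec.requests.push(nowMs);
  rec.codeHash = sha256(code); // only the hash is stored
  rec.expiresAt = nowMs + CODE_TTL_MS;
  store.set(email, rec);
  return { ok: true, code };   // hand to the email service, not the API response
}

// consume=false for the validate step, consume=true for the final reset step.
function checkResetCode(store, email, code, nowMs, consume = false) {
  const rec = store.get(email);
  if (!rec || !rec.codeHash) return false;
  if (nowMs >= rec.expiresAt) { rec.codeHash = null; return false; }
  const match = nodeCrypto.timingSafeEqual(sha256(String(code)), rec.codeHash);
  if (match && consume) rec.codeHash = null; // a code resets one password only
  return match;
}
```

A 6-digit code has only 1,000,000 possible values, so its SHA-256 hash can be reversed by enumeration if the store leaks; the 1-hour expiry is what bounds the value of a leaked hash.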


Email Service Microservice

  • Dedicated email service separated from auth-service
  • Multi-provider support (Mailjet and SendGrid)
  • Transactional template support
  • Event-driven architecture
  • Automatic retry on failure
  • Centralized email management

Features:

  • Switch providers via feature flag
  • Use custom HTML or transactional templates
  • Event-based email triggering
  • Professional email designs
  • Delivery monitoring

Documentation: Email Service Guide


Push Notification Service

  • Firebase Cloud Messaging integration
  • Device token management
  • Topic-based subscriptions
  • User preference controls
  • Multi-platform support (iOS, Android, Web)
  • Event-driven notifications

New Endpoints:

  • POST /push-notifications/register - Register device
  • DELETE /push-notifications/unregister - Unregister device
  • PUT /push-notifications/preferences - Update preferences
  • POST /push-notifications/subscribe - Subscribe to topic
  • POST /push-notifications/unsubscribe - Unsubscribe from topic
  • GET /push-notifications/devices - Get user devices
  • POST /push-notifications/test - Test notification

Documentation: Notifications Guide


Platform Types & Service Access

  • Multi-platform authentication
  • Service-specific access control
  • Platform-based session management
  • Service expiration handling

Platforms:

  • Mobile App (Service IDs: 34 AND 35)
  • Live Platform (Service ID: 35)
  • Back Office (Service ID: 34)

Documentation: Platform Types


Security Enhancements

Data Security

  • Secure database queries
  • Cache key management
  • S3 object organization
  • Events include proper context
  • Complete audit trail

API Key Authentication

  • Public endpoints now require x-api-key header
  • Prevents unauthorized access to sensitive operations
  • Per-client rate limiting capability
  • Support for multiple API keys

Affected Endpoints:

  • /auth/forgot-password
  • /auth/validate-reset-code
  • /auth/reset-password

Documentation: API Key Setup


Session Management Improvements

  • Platform-specific sessions
  • Device tracking
  • Multi-device support
  • Selective sign-out (by platform or device)

Architecture Changes

Microservices Added

  1. Email Service (Port 3011)

    • Event-driven email delivery
    • Multi-provider support
    • Transactional templates
    • Comprehensive logging
  2. Notification Service (Port 3005)

    • Push notifications
    • In-app notifications
    • Notification preferences
    • User-scoped data

Service Updates

  • All microservices now support independent deployment
  • Shared directory copied to each service for independent deployment
  • Environment-aware database connections
  • Redis caching

Event-Driven Communication

  • RabbitMQ event bus
  • Asynchronous processing
  • Automatic retry logic
  • Event schemas for all actions
  • Proper context in all events

Email System

Email Events

  • email.password-reset - Password reset emails
  • email.password-changed - Password change confirmations
  • email.welcome - Welcome new users
  • email.notification - Generic notifications

Email Providers

  • Mailjet - Default, EU-based, GDPR compliant
  • SendGrid - Alternative, high volume support
  • Feature Flag - Easy provider switching

Email Templates

  • Professional HTML designs
  • Mobile-responsive layouts
  • Plain text fallbacks
  • Brand consistency

Notification System

Notification Topics

  • GENERAL - Platform announcements
  • TRADE_IDEAS - Trading signals
  • EDUCATION - Courses and lessons
  • COMMUNITIES - Community posts
  • SESSIONS - Live sessions
  • CHATROOM - Chat messages

Event-Driven Notifications

Automatic notifications for:

  • New user registration
  • New trade ideas
  • Trade closures
  • Course creation
  • Lesson completion
  • Community posts
  • Post reactions
  • Live sessions
  • Chat messages

Breaking Changes

Authentication Headers

Changed: All API requests require API key and JWT token

Required Headers:

curl https://api-gateway.prod.1houseglobalservices.com/v1/user/profile \
  -H "X-API-Key: your-api-key" \
  -H "Authorization: Bearer your-token"

Migration: Ensure all API requests include X-API-Key header. Contact administrator for your API key.


Authentication Endpoints

Changed: Sign-in now requires platform parameter

Before:

{
  "email": "user@example.com",
  "password": "password"
}

After:

{
  "email": "user@example.com",
  "password": "password",
  "platform": "app"  // Required
}

Migration: Update all sign-in calls to include platform parameter.


Password Reset Endpoints

Changed: Password reset endpoints now require x-api-key header

Before:

POST /auth/forgot-password
Content-Type: application/json

After:

POST /auth/forgot-password
Content-Type: application/json
x-api-key: your-api-key  # Required

Migration: Add x-api-key header to all password reset requests. Contact administrator for API key.


Performance Improvements

  • Event-driven processing reduces response times
  • Async email sending doesn't block API responses
  • Push notifications delivered in real-time
  • Better scalability with dedicated services

Bug Fixes

  • Fixed session management for multi-device scenarios
  • Improved error handling in authentication flow
  • Better validation for password reset codes
  • Enhanced security for public endpoints

Migration Guide

All clients should ensure proper authentication:

  1. Add API Key Header - Include X-API-Key in all requests
  2. Get API Key - Contact administrator to obtain your API key
  3. Update all API calls - Add API key header to every request
  4. Test thoroughly - Verify all endpoints work with API key

Example Update:

fetch('/v1/user/profile', {
  headers: {
    'X-API-Key': 'your-api-key',
    'Authorization': 'Bearer your-token'
  }
});

For Mobile Apps

  1. Add API key - Include X-API-Key header in all requests
  2. Update sign-in calls - Add platform: "app"
  3. Add API key - Include x-api-key for password reset
  4. Register for push - Implement device registration
  5. Handle deep links - Navigate based on notification type

For Web Apps

  1. Add API key - Include X-API-Key header in all requests
  2. Update sign-in - Add platform parameter
  3. Store API key - Add to environment variables
  4. Update password reset - Use new 3-step flow
  5. Test thoroughly - Verify all auth flows work

For Backend Services

  1. Add API Key - Include X-API-Key in all service-to-service calls
  2. Use events - Publish email events instead of direct calls
  3. Update dependencies - No changes needed
  4. Monitor logs - Watch for event processing
  5. Test email delivery - Verify emails are sent

Deprecation Notice

Deprecated Endpoints (To be removed in future versions)

None currently. All new features are additive.


Upcoming Features

Q4 2025

  • Two-factor authentication (2FA)
  • Social authentication (Google, Apple)
  • Email preference center
  • Advanced notification scheduling
  • SMS notifications
  • Webhook support

Q1 2026

  • API rate limiting dashboard
  • Advanced analytics
  • Custom email templates per brand
  • Multi-language support
  • Notification templates
  • A/B testing for emails

Version History

v1.2.0 (November 2025)

  • Single-tenant architecture - Simplified architecture
  • Environment-aware configuration - Automatic dev/staging/prod routing
  • API key authentication - All requests require X-API-Key
  • Database configuration - Environment-specific databases
  • All services updated - 17 microservices fully operational

v1.1.0 (October 2025)

  • Added password reset system
  • Added email service microservice
  • Added push notification service
  • Added platform-based authentication
  • Added API key authentication
  • Enhanced security features

v1.0.0 (Previous)

  • Initial platform launch
  • Basic authentication
  • User management
  • Trading features
  • Education system
  • Community features

Support

For questions about changes:

  1. Review updated documentation
  2. Check migration guide above
  3. Test in staging environment
  4. Contact platform support

Stay Updated

  • Check this changelog regularly
  • Monitor service status
  • Review documentation updates
  • Subscribe to platform announcements

Last Updated: November 2025