Release history for the cStar REST API and webhook system.

Versioning

The API uses date-based versioning via the CStar-Version header. The current version is 2026-03-01. When the header is omitted, you get the latest version.

URL paths use /api/v1/. Breaking changes would result in /api/v2/, but we aim to keep v1 stable through additive, non-breaking changes.

May 2026

2026-05-04: OpenAPI Completeness Sprint

The biggest API documentation pass since launch. 40+ previously undocumented endpoints now have full OpenAPI definitions, plus a CI drift detector that prevents future docs/code mismatches.

What's now documented (selection):

  • Members and invites: /teams/{teamId}/members, /teams/{teamId}/invites
  • Settings: ticket statuses, quick replies, business hours, widget config, feature flags, tags, custom fields
  • Email and domain settings: /teams/{teamId}/email-settings, /teams/{teamId}/domains
  • SLA: /teams/{teamId}/sla/rules, /teams/{teamId}/sla/metrics
  • CSAT: /teams/{teamId}/csat/settings, /teams/{teamId}/csat/stats, /teams/{teamId}/csat/surveys
  • Bulk operations: /teams/{teamId}/bulk/...
  • Import/export: /teams/{teamId}/import, /teams/{teamId}/export
  • Audit: /teams/{teamId}/audit-log
  • Search: /teams/{teamId}/search
  • Activity: /teams/{teamId}/activity
  • Customer groups: /teams/{teamId}/customer-groups
  • Game endpoints: /teams/{teamId}/game/* (player stats, quests, achievements, bosses)
  • AI: /teams/{teamId}/ai-keys, /teams/{teamId}/agent/chat
  • Views: /teams/{teamId}/views
  • Billing: /teams/{teamId}/billing/...
  • Categories: /teams/{teamId}/categories
  • Community: /teams/{teamId}/community/*
  • Webhooks: /teams/{teamId}/webhooks/listen, /teams/{teamId}/webhooks/trigger-test
  • Public library extras: POST /library/{teamSlug}/articles/{slug}/view, POST /library/{teamSlug}/articles/{slug}/feedback

The complete machine-readable spec lives at static/openapi.yaml. Around 150 paths total.

2026-05-03: Domain Command Handlers (Webhook Footgun Closed)

Internal refactor with one externally visible effect: a handful of write paths that previously skipped webhook emission now emit consistently. If you've subscribed to ticket.deleted, ticket.assigned, customer.deleted, customer_group.*, article.deleted, or community_post.* events, expect them to fire reliably across every code path now (dashboard, API, bulk operations).

A regression guard runs in CI to keep the emit paths consistent going forward. No payload shapes changed.

March 2026

2026-03-01: API Versioning and Structured Errors

What changed:

  • Date-based API versioning via CStar-Version header
  • Stripe-style error responses with type, code, param, doc_url, and request_id
  • Prefixed IDs across all resources (tkt_, cus_, art_, msg_, whk_)
  • Single-resource endpoints accept both prefixed IDs and UUIDs
  • Idempotency keys via Idempotency-Key header (24-hour dedup window)
  • Metadata support on tickets, customers, and articles (Stripe-style: max 50 keys, string values, merge on PATCH)
  • expand query parameter for controlling related data inclusion
  • Test mode data isolation (test keys see only test data)

December 2025

2025-12-14: Webhooks System

New features:

  • Webhook system, originally 14 event types (now 35 across 7 categories, see Webhook Events)
  • HMAC-SHA256 signature verification on every delivery
  • Automatic retries: 6 attempts with exponential backoff (30s, 2m, 10m, 1h, 6h, 24h)
  • REST Hooks protocol for Zapier integration
  • Flat payload option for visual automation builders
  • Webhook delivery logs with request/response details
  • SSRF protection on webhook URLs (blocks private IPs, localhost, and *.local/*.internal)

New endpoints:

  • GET/POST /teams/{teamId}/webhooks: list and create webhooks
  • GET/PATCH/DELETE /teams/{teamId}/webhooks/{webhookId}: manage a webhook
  • POST /teams/{teamId}/webhooks/{webhookId}/test: test delivery
  • POST /teams/{teamId}/webhooks/subscribe: REST Hooks subscribe
  • DELETE /teams/{teamId}/webhooks/subscribe/{id}: REST Hooks unsubscribe
  • GET /teams/{teamId}/webhooks/sample/{event}: sample payloads for Zapier

2025-12-10: REST API Launch

The big one. Full REST API for tickets, customers, and articles.

Core endpoints:

  • GET/POST /teams/{teamId}/tickets: list and create tickets
  • GET/PATCH/DELETE /teams/{teamId}/tickets/{ticketId}: single ticket
  • GET/POST /teams/{teamId}/tickets/{ticketId}/messages: ticket messages
  • GET/POST /teams/{teamId}/customers: list and create customers
  • GET/PATCH/DELETE /teams/{teamId}/customers/{customerId}: single customer
  • GET/POST /teams/{teamId}/articles: list and create articles
  • GET/PATCH/DELETE /teams/{teamId}/articles/{articleId}: single article

Infrastructure:

  • API key authentication (secret and publishable keys)
  • Rate limiting: 1,000/hr for secret keys, 100/hr for publishable keys
  • Pagination with page/pageSize parameters
  • Consistent JSON envelope (success, data, meta)

Stability Commitments

Stable

  • All documented REST endpoints and their response shapes
  • Authentication method (Bearer token)
  • Rate limit headers (X-RateLimit-*)
  • Error response structure

May Evolve

  • New fields may be added to response objects (additive, non-breaking)
  • New webhook event types may be introduced
  • New query parameters may be added to list endpoints

Deprecation Policy

If we ever need to deprecate an endpoint:

  1. 90-day advance notice.
  2. Deprecation header added to affected responses.
  3. Migration guide published.
  4. Old version supported for at least 6 months.

Stay Updated

  • Watch this changelog
  • Check the CStar-Version header in responses for the current version
  • Monitor for Deprecation headers in your error handling

Related