New Features

• Per-endpoint Markdown documentation, designed for use with AI assistants. Each endpoint can now be exported as a clean Markdown snippet containing the cURL and Controller request examples, parameter list, response shape, and object reference.
• "Copy for LLM" and "View as Markdown" buttons added to every endpoint — copy the endpoint's full Markdown to your clipboard, or open the raw Markdown in a new tab to share or paste into your AI tool of choice.
• Resource pages now have a sticky table of contents listing all endpoints, so you can jump between endpoints without scrolling back to the top. Responsive layout on narrower screens.
• Redesigned API documentation layout. Endpoint details on the left, live example request and response on the right — easier to scan, easier to compare an endpoint's parameters against its example output.
• Per-endpoint Markdown now includes the Controller (Liquid) example alongside the cURL example, matching what the HTML docs show.
• Search behaviour for list endpoints is now documented on the API Overview page — which fields are searchable, how search_by / keyword / exact interact, and how search combines with pagination and sort.

Improvements

• Endpoint parameters are now split into clearly-labelled Path Parameters, Body Fields, and Query Parameters sections — no more confusion about which values go in the URL versus the JSON body.
• Every endpoint now has a single canonical URL — /admin/api/<module>/<resource>#<endpoint>. Older URLs redirect there automatically so existing bookmarks and shared links keep working.
• Markdown export's Object section now matches the HTML resource reference — nested fields show with dot notation, object-type parents are typed correctly, and list-only query parameters no longer leak into the response shape.
• Sidebar navigation and dark mode now hold up cleanly across every module.
• Parent-resource path parameters (e.g. event_uuid on event sponsors, cart_uuid on cart items) now show a description instead of rendering blank.
• Body Fields in the Markdown export are cleaner on POST and PATCH endpoints — fixed duplicate rows and broken dot-notation paths on resources with object references.
• Body Fields no longer lists response-only file metadata (.file_name, .extension, .url) under upload fields. The information is still available in the resource's response Object reference where it belongs.
• Test Request panel cleaned up — the API URL preview now uses the same code-block styling as the Example Request, and the payload editor stays in sync with the URL preview.
• Overview and Module Versions pages now share consistent page spacing with the rest of the docs.
• Dark mode polish across the sticky example panel and sidebar.

Security

• Upgraded the axios HTTP client from 0.27.x (end-of-life) to 1.16.0, picking up two years of security patches and bug fixes.
• Removed the bundled jQuery 1.12.4 dependency (end-of-life since 2016, multiple unpatched vulnerabilities).

Bug Fixes

• Controller examples are now valid Liquid out of the box — placeholder values are properly quoted so copy-pasting the example works without manual edits.
• DELETE endpoint cURL examples no longer include an empty request body flag.
• Locale data cached in the browser is no longer wiped when a localisation request fails — previous translations stay loaded until a successful refresh.

New feature

• Event Stream now records every create / update / delete made through the v2 API, matching the coverage already in place for admin-UI actions.
• Add POST /crm/api/v2/custom-fields/contacts endpoint.
• Add POST /crm/api/v2/custom-fields/companies endpoint.
• v2 Activity responses now expose created_by (set once at creation, immutable on edit) alongside last_updated_by, so the original creator stays visible after the activity has been edited.

Security

• Upgrade axios to ^1.16.0 to pick up upstream security patches; admin UI now handles 401 responses cleanly without throwing.
• Admin sessions opened via 2FA or SSO now respect the configured platform session timeout.
• Breaking — v2 API authentication failures now return an inline 401 JSON response ({"error":"unauthorized"}) on the original URL across all HTTP methods. Previously the response was a 302 redirect to the login page; clients that followed the redirect must update to handle the 401 directly.

Breaking changes

• v2 action endpoints (archive / restore / complete / open on contacts, companies, tasks) switched from PATCH to POST. PATCH on these URLs now returns 405. API clients must update to POST.
• v2 DELETE endpoints now return 204 No Content (was 200 with body). DELETE against a missing resource returns 404 with a documented JSON body, and against a structurally invalid uuid returns 400 with a clean JSON body.
• Custom-fields create error response key changed from errors (array) to singular error (string). Clients that parse the errors array on this endpoint must switch to error.

Improvements

• CRM address autocomplete migrated to the new Google Places API (PlaceAutocompleteElement), keeping the feature working as Google retires the legacy widget.
• Settings → Instance Configuration: the page no longer flashes a "Failed to fetch Instance Configuration Details" error during the backend's reconnect heartbeat, and now connects through the production WebSocket endpoint.
• v2 API documentation refreshed across the board to match the v5.14.1 contract — HTTP methods, URL bases, request/response examples, body-field tables, and field-mapping notes have all been corrected and aligned with what the API actually returns.

Bug fixes

• Fix broken redirects when the configured old_url contained a leading slash (was producing double-slash URLs).
• Fix table pagination crash on CRM Tasks, CRM Activities, Tasks List, and Dashboard when loading a page.
• Task detail panel and edit drawer now reflect changes immediately after saving an edit, without needing a page reload.
• Partial PATCH on /v2/contacts/{uuid} now preserves every untouched property — previously, sending only the field you wanted to change could either return a 400 error or null out the rest of the contact.
• Fix task edit drawer showing the wrong due date for tasks that already had one stored.
• Partial PATCH on /v2/tasks/{uuid} and /v2/tasks/comments/{uuid} no longer returns 400 when the request body omits a field; untouched properties are preserved, matching the contacts behaviour.

Breaking Changes

• Renamed external API v2 routes from /all_assets/api/v2/... to /asset/api/v2/... for a cleaner public API surface. External integrators must update their base path.

New Features

• Added GET /asset/api/v2/credentials so external API consumers can retrieve the S3 presigned-POST credentials required by the Add Asset flow. Listed in the API documentation under a new "Assets Credentials" section.

New Features

• Move Import Tickets from All Events page to Tickets page.
• Add additional fields to Advanced Filter for Tickets.
• Add link to CRM records on Ticket Details drawer.
• Add Event Name to Tickets export and fix import header mismatch.
• Render Events list date columns in device-local time.
• Show selected timezone on date field labels; update API doc descriptions.
• Sort display field options alphabetically by default.

Improvements

• Update v2 API update endpoints from PUT to PATCH.
• Remove event_uuid from Add Event Tickets example payload; move to controller_payload.
• Regenerate ticket PDF on contact assignment; add loading toast on View PDF.
• Update Sponsors list card layout to group company and sponsorship details.
• Load venue contacts from live venue record when editing event.
• Style circular avatar image on Sponsors and Speakers info cards; add initials fallback.
• Refine sponsor link layout, hit area, and ellipsis truncation.
• Update sponsor card company name and top-alignment styles.
• Update sponsor card link, separator, computation wrapper, and button alignment styles.
• Apply sponsor card styling to Speaker list cards.
• Centre-align Speakers card content and set inner gap.
• Venue contact card: hover/remove action, compact treatment, and button alignment.
• Fix venue contacts card on Event Venue tab.
• Fix duplicate contact re-selection in Assign Contact drawer.
• Enforce required fields on Events, Speakers, and Sponsors PATCH mutations.
• Enforce required fields on Tickets PATCH.
• Enforce question and answer as required on FAQs PATCH.
• Update delete confirmation modal content for tickets.
• Rename area card buttons; update delete confirmation modal for venues.
• Update delete confirmation modal content for system fields.
• Simplify delete pricing tier confirmation dialog text.
• Update division and pricing tier card action button labels.

Bug Fixes

• Fix sponsor link click opening edit drawer.
• Fix group ticket PDF empty content when created via API.
• Fix custom field time/datetime inputs to follow localization time format.
• Fix expense API docs showing incorrect required state for fields.
• Revert System Fields update endpoints from PATCH to PUT.
• Fix filter chips showing UUIDs for Purchased By Contact and Company fields.
• Fix failed to fetch data when filtering by Purchased By Contact/Company.
• Fix Category advanced filter showing invalid text conditions.
• Roll back Tax fields to conditional required and fix Tax* (%) label.
• Fix advanced filter chips not displaying dates using localization settings.
• Fix drawer delete not working on add event ticket list.
• Fix group ticket capacity error handling and drawer delete.
• Fix image upload failing on mobile.
• Fix date format in ticket PDF templates using day instead of month.
• Fix Company label in ticket contact details info table.
• Fix CRM Contact not prefilled when editing a speaker.
• Fix gross/net/tax calculation for expense and revenue fields in Events table.
• Fix page heading gross/net/tax totals and tax column display.
• Fix delete confirmation modals and wrong item deletion bugs.
• Fix ticket delete/PDF bulk action modal titles and button labels.
• Fix event date input/display timezone interpretation.

Improvement

• Faster related_records: Reduced object allocations in related_records, improving performance up to 4x.

• Asset cache invalidation now per-instance: Changed the internal implementation of cache invalidation for assets. The updated=... query parameter appended by the asset_url (and asset_path) filter is now derived from a per-instance assets_updated_at timestamp that is bumped whenever assets change, instead of being derived per asset. This means all asset URLs are invalidated together when any asset is updated, ensuring CDN caches stay consistent.

• Batched page loading on deploy: Pages are now loaded in batches during deploy, providing better support for very large deploys - particularly those containing pages generated by Static Site Generators (SSG).

• Faster Instance Clone asset dump: The asset manifest step of pos-cli clone is significantly faster, reducing the time spent in the export phase of cloning instances with large numbers of assets.

• InstanceClone clone-record status on export failure: Previously, InstanceClone could leave the target instance's clone record in pending indefinitely when export failed (for example due to an oversized file). Failures are now surfaced cleanly as a terminal failed status with a sanitized error message, so pos-cli polling resolves instead of hanging.

New Feature

• cache_control argument for admin_assets_create and admin_asset_update mutations: When provided, the value (for example max-age=31536000, public) is stored in the asset's metadata and applied as the Cache-Control header on the underlying object in the file storage provider (S3, R2, etc.), allowing CDNs and browsers to cache assets according to your policy.

• authorization_policies argument for admin_page_create and admin_page_update mutations: Authorization policies can now be associated with a page by name (the same identifier used in Liquid frontmatter, e.g. page_policy or modules/my_module/page_policy), in addition to the existing authorization_policy_ids. Names and ids can be combined; all provided names must resolve to existing AuthorizationPolicy records.

Deprecation

• Deprecated url argument in admin_assets_create: Asset URLs are now derived from the asset name and the per-instance CDN, so the argument is ignored. Upload bytes via admin_assets_presign_urls first, then call admin_assets_create without the url argument. The argument will be removed in a future release.