Version 2026.04.0
This is a major release that includes the migration of all platform components to Java 25, comprehensive security hardening, and numerous new features.
REMOVED FEATURES
- Automatic deletion of audit logs and ACL audit logs via Purge Jobs has been removed. These logs are critical for compliance and should not be automatically deleted. Manual cleanup scripts are available in the database growth management documentation.
- The option to disable database writing for audit and login logs in General Settings has been removed. These logs are now always persisted to the database.
FEATURED NEW FEATURES
- Java 25 Migration (APNZ-5897)
All components of the Apinizer platform (API Manager, Gateway Worker, Cache Server, Integration, API Portal) have been upgraded to Java 25. Virtual thread support, modern JDK features, and performance improvements have been delivered.
Script Policy — javax → jakarta Auto-Migration: Starting with this version, Jakarta EE namespaces used in Groovy script policies (e.g. javax.servlet.*, javax.persistence.*, javax.xml.bind.*, javax.mail.*, etc.) are automatically converted to their jakarta.* equivalents before compilation. Existing scripts will be automatically migrated during the upgrade to this version. JDK standard library packages (javax.crypto.*, javax.net.ssl.*, javax.xml.parsers.*, javax.xml.transform.*, javax.script.*) are not affected by this conversion and will continue to work as-is.
- Security Hardening (APNZ-5736, APNZ-5737, APNZ-5738)
Dependencies with known vulnerabilities identified during security scanning have been upgraded to their latest versions. Cross-Site Scripting (XSS), Insecure Direct Object References (IDOR), and Stack Trace Leak vulnerabilities have been resolved. innerHTML sanitization, endpoint-based project authorization checks, and prevention of technical detail leakage from error messages have been implemented.
- Full Elasticsearch 7, 8, and 9 Support (APNZ-5642, APNZ-5728, APNZ-5898)
The Elasticsearch client infrastructure has been restructured to fully support ES 7.x, 8.x, and 9.x versions. ILM, index templates, failover, and all analytics screens have been tested across all three versions.
- Message Builder Policy (APNZ-5783)
A new policy has been added that enables dynamic construction of request and response messages. Flexible message templates can be created with JEXL expression support, JSONPath, context variables, and conditional logic.
- Error Message Customization (APNZ-5798, APNZ-5940, APNZ-5888)
Return formats (JSON/XML) for error messages in policies can now be customized. Information about why each error type may occur has been added. Format selection is also available for undefined or unexpected errors. Repetitive and semantically similar error messages have been consolidated and simplified.
The API Promotion module has been added, enabling the transfer and management of API definitions across different environments.
- Advanced Logging Features (APNZ-5942, APNZ-6033, APNZ-6020)
An API Proxy-based log settings tab has been added. A log policy has been created. Metadata fields in log settings have been redesigned and descriptive warning messages have been added.
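A pre-upgrade check for the javax → jakarta auto-migration described under Java 25 Migration above, as an added example that is not Apinizer code: it scans a Groovy script for javax.* references and sorts them using only the package prefixes the note names. The sample script and the "unlisted" bucket (for packages hidden behind the note's "etc.") are assumptions of this example.

```python
import re

# Prefixes the release note names as converted to jakarta.* (its list ends in "etc.").
MIGRATED = ("javax.servlet", "javax.persistence", "javax.xml.bind", "javax.mail")
# JDK standard-library prefixes the release note says are left as-is.
JDK_KEPT = ("javax.crypto", "javax.net.ssl", "javax.xml.parsers",
            "javax.xml.transform", "javax.script")

# A dotted javax name, optionally ending in ".*" (wildcard import).
JAVAX_REF = re.compile(r"\bjavax(?:\.[A-Za-z_]\w*)+(?:\.\*)?")


def _has_prefix(name, prefix):
    # Compare whole package segments so javax.mail does not match javax.mailbox,
    # and javax.xml.bind is told apart from javax.xml.parsers.
    return name == prefix or name.startswith(prefix + ".")


def classify(name):
    """Return 'migrated', 'kept' or 'unlisted' for one javax.* reference."""
    if any(_has_prefix(name, p) for p in MIGRATED):
        return "migrated"
    if any(_has_prefix(name, p) for p in JDK_KEPT):
        return "kept"
    # Not named in the release note: review by hand before upgrading.
    return "unlisted"


def audit(script):
    """List (line number, reference, status, name after migration) tuples.

    This is a textual scan, so references inside comments or string
    literals are reported too.
    """
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for match in JAVAX_REF.finditer(line):
            name = match.group(0)
            status = classify(name)
            after = "jakarta" + name[len("javax"):] if status == "migrated" else name
            findings.append((lineno, name, status, after))
    return findings


# Constructed sample script policy (not taken from any real deployment).
SAMPLE = '''\
import javax.servlet.http.HttpServletRequest
import javax.xml.bind.JAXBContext
import javax.xml.parsers.DocumentBuilderFactory
import javax.crypto.Cipher
import javax.annotation.PostConstruct
def mac = javax.crypto.Mac.getInstance("HmacSHA256")
'''

if __name__ == "__main__":
    for lineno, name, status, after in audit(SAMPLE):
        print(f"line {lineno}: {name} -> {status} ({after})")
```

Run it over exported script policies before the upgrade; every "unlisted" hit is a reference whose handling the release note does not state.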
NEW FEATURES
- Default values for API Gateway routing, connection pool, retry, circuit breaker, health check, sticky session, gRPC, and WebSocket behaviors can now be centrally configured under System Settings.
- TCP Connectivity Test History records can now be automatically cleaned via Purge Jobs. Configure retention period in Application Log Cleanup Tasks settings.
- Scheduled report sending has been added to Report Generator. Existing reports can now be selected and sent to connectors on a scheduled basis. (APNZ-5914)
- JSON Schema Validation policy now supports automatic retrieval of schema information from the API’s OpenAPI definition file. (APNZ-5913)
- Querying API Proxy information via APIOps Management API is now supported. (APNZ-5819)
- Environment Variable APIOps service has been added. Environment Variables can now be managed via APIOps. (APNZ-5828)
- The ability to add cacert certificates to the API Manager JVM has been introduced. Certificates trusted by the API Manager can now be added from the management screen. (APNZ-5831)
- The ability to upload keystores to API Manager has been added to the Keystore screen. (APNZ-5909)
- SQL text search has been added to the DB2API screen. It is now possible to search which API a SQL query is used in. (APNZ-4168)
- “Proxy Name” criteria has been added to the API Traffic Advanced Filter. Filtering by API Proxy name is now available on the general traffic screen. (APNZ-4957)
- Dynamic TTL calculation from response has been added to the REST API Cache policy. (APNZ-6005)
- Log policy has been added. (APNZ-6033)
- An option to return undefined or unexpected errors in JSON or XML format has been added. (APNZ-5940)
- TCP Connectivity Test screen has been added. TCP and TLS connection tests can now be performed from Gateway pods to target servers. (APNZ-5960)
- Login audit records can now be sent to external systems via connectors. (APNZ-4054)
- API Definition File Access Control has been added. Access to definition files such as WSDL and OpenAPI per API Proxy can now be restricted at three levels: open to everyone, authentication required, or completely hidden. (APNZ-5944)
CHANGES AND IMPROVEMENTS
- Audit logs and login logs are now always saved to the database. The option to disable database writing for audit logs (audit_event), ACL audit logs (history_acl), and login logs in General Settings has been removed. Connector routing for these log types remains available as an optional feature.
- Trace Screen Redesign: The API tracing (trace) screen has been redesigned. Policy durations, API Call details, and skip states can now be monitored visually. (APNZ-3565)
- Library Updates: Spring Boot 3.5.x, Angular 19, PrimeNG 19, and numerous third-party dependencies have been updated.
- Context and Global Environment Variable Expansions: The use of environment variables and context variables with $ has been expanded across API Call, Test Console, policies, and all configuration screens. (APNZ-5776, APNZ-5788)
- mTLS Support in Test Console and API Call: SSL/TLS settings are now presented through a unified component across all screens. (APNZ-5778)
- Environment Variable Support for Credentials: Environment-specific values can now be used in credential definitions. (APNZ-5806)
- Show first error / show all errors option added to XML Schema Validation. (APNZ-5887)
- Import Process Improvement: The “overwrite existing” option only takes the differences; a clean import adds the API Proxy as a new one. (APNZ-5954)
- API Proxy Creation Routing UX Improvement: Routing addresses are displayed in table format and can be edited inline. (APNZ-5955)
- Diff View in Deployment History: Differences from the previous version can now be visually compared. (APNZ-5982)
- Time Management for JOSE Policies: Time management parameters have been added to JOSE Implementation and Validation policies. (APNZ-5793)
- Request/Response Body Read Behavior: Performance improvements were made to the read behavior of incoming request and outgoing response bodies. (APNZ-5935)
- System Properties Table: System properties can now be managed in a central table and default values can be retrieved from this table. (APNZ-5919)
- Management API Improvements: APIOps endpoints have been expanded and improved. (APNZ-5937)
- Various improvements have been made to the DB2API Creator screen. (APNZ-3525)
- New search filters have been added to the API Proxy screen. (APNZ-5422)
- API Proxy Group list can now be exported. (APNZ-4493)
- A search field has been added to the Uptime Monitor list. (APNZ-5197)
- Status code 200 is now selected by default in Uptime Monitor assertions. (APNZ-4659)
- A policy delete option has been added to the Policy Actions menu. (APNZ-4798)
- The “API Traffic By Interval” page can now also be viewed from within a project. (APNZ-4986)
- Visual improvements have been made to the Clients with No Requests page. (APNZ-4570)
- The API Manager environment has been added to the SSL environment selection. (APNZ-5751)
- Automatic restart of pods when SSL is enabled in Remote Gateway environments has been prevented; a manual restart warning is now shown instead. (APNZ-5853)
- Read timeout error message fix: Correct error classification instead of SSL Expired. (APNZ-5957)
- Certificate sending support has been added to Test Console. (APNZ-6019)
- PoolingHttpClientConnectionManager connection validation improvement has been made. (APNZ-5835)
- Automatic propagation of Gateway access URL changes to the worker is now supported. (APNZ-5838)
- API Portal LB Cache fix: Cache-Control and Last-Modified headers have been corrected. (APNZ-5569)
- Validation UX improvement when adding multiple endpoints in no-spec APIs. (APNZ-5702)
- “Showing X - Y of Z items” display in paginator has been corrected. (APNZ-5927)
- SQL query formatting issue in the DB2API screen has been resolved. (APNZ-5577)
- Image upload support has been added to API Portal. (APNZ-5604)
- Error messages shown when a database connection is disabled have been improved. (APNZ-5771)
- The design of metadata fields in log settings has been reviewed and warning messages have been added. (APNZ-6020)
BUG FIXES
Comprehensive stability, performance and usability improvements have been made across the platform. Fixes have been applied in many areas including policy management, API Portal, test console, routing, project management, audit logs, report screens and connection management.
APNZ-5787 : Fixed XML Schema Validation race condition issue.
APNZ-5868 : Fixed SSE streaming connections being unexpectedly terminated and hop-by-hop HTTP headers not being filtered.
APNZ-5928 : Fixed template message corruption after REST-to-SOAP reparse.
APNZ-5686 : Fixed Manager UI freezing when attempting to add multiple proxies.
APNZ-5749, APNZ-5629 : Fixed issues with assigning the same relative path to multiple projects and relative path conflict handling.
APNZ-5646 : Elasticsearch deprecation warning logs have been resolved.
APNZ-5811 : Fixed TLS connection error in mail sending.
APNZ-5830 : Fixed the issue where principal information was not displayed in Audit Records after project deletion.
APNZ-5900 : Fixed analytics permission issue in the System Admin role.
APNZ-5863 : Fixed the issue where endpoint categories in API Proxies were not reflected in API Portal.
APNZ-5917 : Fixed issues with API Proxy duplication.
APNZ-5924 : Fixed null value returned when retrieving a private key using the Environment Private Key Map variable in scripts.
APNZ-5750 : Fixed the Enable Redirect feature working inversely in API Proxy connection settings.
APNZ-5791 : Fixed NTLM authentication not working in certain cases in routing.
APNZ-5959 : Fixed the issue where rollback to a previous deployment was not working.
APNZ-5951 : Fixed log search not working in certain cases in regions 1 and 2.
APNZ-5877 : Fixed Client-Ban feature not working.
APNZ-4076 : Fixed Report Generator not working in certain cases.
APNZ-4700 : Fixed the issue where login audit logs were not being recorded in certain cases.
Version 2026.01.01
Release Date: January 22, 2026
Kubernetes environment types will be automatically assigned in this release: environments managed through Apinizer will be set as “Managed”, others as “Remote”.
FEATURED NEW FEATURES
- API Manager Application Authorization System
The authorization system in the Apinizer API Manager application has been renewed. Authorization now works based on the asset category + action model. Components with similar functions have been grouped under asset categories (API Management, Connections, Identity and Access Control, etc.) and specific actions (View, Manage, Deploy/Undeploy, Execute, Export/Import) have been defined for each category. This provides more flexible, detailed, and secure authorization management.
- Cache Server Definition in Namespace Independent from Gateway
The requirement that the worker pods serving as the gateway in the Apinizer application infrastructure and the Hazelcast pods used for cache operations be in the same namespace has been removed. Worker pods and cache pods can now be managed in separate namespaces. This provides a more flexible infrastructure configuration.
Support for managing multiple independent API Portals from a single Apinizer installation has been added. This enables offering customized portal experiences for different business units or customer groups.
- Advanced Routing Features
API Gateway routing capabilities have been enriched with Sticky Session (Session Affinity), Exponential Retry Delay, and Active Health Check mechanisms. This makes traffic management more flexible, resilient, and intelligent.
- APIOps Management API Improvements
In line with the vision that all administrative functions of Apinizer can be performed through APIOps Management APIs, full API support has been added for Credential Secrets management, Keys/Keystores operations, and JWK configurations. Additionally, the ability to create and update JWK from certificate, public key, private key, and keystore has been added.
NEW FEATURES
- Upstream Sticky Session (Session Affinity)
Sticky Session support has been added to ensure that clients are always routed to the same backend address. Session state management required for backend structures can now work efficiently through the Gateway with Cookie-based, IP Hash, and Hybrid methods.
- Upstream Active Health Check Mechanism
An Active Health Check mechanism that periodically checks the health status of backend services has been added. Backend addresses that are not working correctly are automatically removed from traffic and reintroduced when they recover.
- Upstream Exponential Retry Delay
An “Exponential Backoff” feature that places increasing delays between retry operations performed in error situations has been added. This provides the necessary time for backend services to recover under heavy load.
- Environment Diagnostic Screen
A Diagnostic screen has been added to monitor the operational status, resource consumption, and health metrics of API Gateway environments. (APNZ-5665, APNZ-5649)
- When a certificate, public key, private key, or keystore is updated via APIOps Management API and there is a related JWK, the ability to update these JWKs or delete the relationship has been added.
- A feature has been added to globally enable/disable the display of log details on the API Traffic screen from General Settings.
- Audit logs are now kept for operations involving API Proxy Traffic Log settings.
- Search options with ends_with and wildcard have been added to FTP Read and List operations.
- Client Route Report has been enhanced to find conflicting path values of API Proxies with similar relative path values.
- API Portal Overview page has been enhanced.
- Client data read timeout and no-request timeout after connection establishment have been made configurable in Gateway Runtime environments. These parameters allow customization of Gateway pod timeout behaviors.
CHANGES AND IMPROVEMENTS
- URL Path Handling Improvement: The URL path processing mechanism in API Gateway has been improved to handle trailing slash values more consistently.
- Elasticsearch Version Update: ES client version has been upgraded from 7.9.2 to 7.17.29; ES7 and ES8 versions are now fully supported.
- Global Deploy Improvement: When global policies are updated, an option has been added to deploy only API Proxies that are already published in the relevant environment or all API Proxies. This prevents API Proxies that are not deployed from being accidentally deployed.
- Asynchronous Operation Resource Management: Thread usage of tasks running asynchronously in Script and API Call policies has been limited, increasing system stability.
- A detailed confirmation and a warning that a restart is required for changes to be applied have been added to the API Root Context change section in General Settings.
- Load balancing is now always done locally (per pod). Distributed cache usage has been removed for performance.
- Indication of disabled methods in API Proxy Group has been enabled.
- Styling work has been done on large text areas in areas such as test console and data operations.
- A detailed confirmation has been added for the save & republish operation after entering a host alias.
- Visual design improvements have been made on the probe screen of the Kubernetes Resources page.
- A monthly-daily reporting feature has been added to API Portal Usage Statistics.
- The ability to download account information in Excel format from the API Portal Accounts/Developers page has been enabled.
- In export/import operations via APIOps Management API, the word “-imported” is no longer added to DB2API definitions.
- A Customizable Landing Page feature has been added for API Portal.
- In XML Schema Validation policy errors, related element and path information has been added to the error message.
- Audit logs kept for operations performed with APIOps Management APIs have been detailed.
- Error messages in API Manager LDAP settings have been made more detailed. More information is now provided in error messages to facilitate troubleshooting.
- A timeout field has been added to LDAP connection configuration. Connection timeout durations are now configurable.
BUG FIXES
APNZ-5695 : The issue where REST-2-SOAP example bodies were incorrectly created during the transfer of API Proxy Group spec to Postman has been fixed.
APNZ-5694 : The issue where Template Message comes empty in REST-2-SOAP-2-REST configurations has been resolved.
APNZ-5693 : The issue where example request bodies (Example Request Body) for API Proxies could not be displayed in Test Console has been fixed.
APNZ-5687 : The issue where both API Proxy and Proxy Group access were blocked when direct gateway access was restricted has been fixed.
APNZ-5685 : The error in the Management API Access URL deletion operation in environment settings has been fixed.
APNZ-5684 : The issue where method information belonging to the wrong API Proxy was retrieved in the test console when there were multiple API Proxies created from the same DB2API, Mock API, or Script API has been fixed.
APNZ-5682 : The issue where data was not saved after pasting content in new key (Key) definitions in the Secret menu has been fixed.
APNZ-5659 : The issue where mandatory fields could be saved without being checked in API Portal settings has been prevented.
APNZ-5650 : The issue where the “Headers to be deleted” field in API Call policy was not saved has been fixed.
APNZ-5648 : The visual shift that occurred when searching for users on the Project Members page has been fixed.
APNZ-5644 : The memory (OutOfMemory) issue that occurred during parsing of very large Swagger/OpenAPI files containing more than 500 endpoints has been resolved.
APNZ-5641 : The listing issue that occurred on the gateway environments page when having limited kubernetes service permissions has been fixed.
APNZ-5593 : The issue where logo URL redirects in API Portal did not work and could not be customized has been fixed.
APNZ-5581 : Deficiencies related to user authorization and data security in API Portal have been resolved.
APNZ-5576 : The issue where the trailing “;” character was deleted in the DB2API SQL query field has been fixed.
APNZ-5571 : Thread safety improvement has been made in JSON library usage.
APNZ-5570 : Backward compatibility has been provided for the HTTP client class used in custom scripts.
APNZ-5567 : The issue where the SOAP binding name changed when the WSDL service address changed has been resolved.
APNZ-5565 : The issue where locked users in API Portal could perform operations through the gateway has been prevented.
APNZ-5550 : The issue where changes made in API Portal view settings were reset after login has been resolved.
APNZ-5535 : The issue where API Proxy traffic trace logs were stored longer than the configured duration has been fixed.
APNZ-5509 : The issue where API Proxy traffic trace mode did not automatically close has been fixed.
APNZ-5523 : The issue where a successful response was returned when a file was not found in FTP Read policy has been resolved.
APNZ-5513 : The issue where SOAP message header deletion was incomplete when the delete header setting was selected in WS-Security Sign Validation policy has been fixed.
APNZ-5473 : The issue where port settings were corrupted after SSL was enabled in gateway environments has been fixed.
APNZ-5454 : Filtering issues on the Notifications page have been fixed.
APNZ-5451 : The issue where API Proxies did not transition to redeploy status when policies were imported to API Proxies has been resolved.
APNZ-5447 : Old Proxy Group connections of exported/imported API Proxies have been cleaned up.
APNZ-5445 : The warning message displayed in environment type changes has been fixed.
APNZ-5435 : Mandatory field markings in WS-Security Sign policy have been fixed.
APNZ-5427 : Recording issues on the project edit page have been resolved.
APNZ-5413 : Character restrictions and validation errors in the key field entered in environment settings have been fixed.
APNZ-5375 : The issue where some policy names appeared in English in Turkish language selection has been fixed.
APNZ-5324 : The issue where spaces in the name field in authentication policies were not cleaned has been resolved.
APNZ-5317 : The issue where security check (captcha) did not appear when attempting to login with a non-existent user on the API Manager login page has been fixed.
APNZ-5211 : The saving issue in certificate updates has been resolved.
APNZ-5166 : The user display error on the Rate Limit screen has been fixed.
APNZ-5154 : The duplicate deployment issue in role definitions has been resolved.
APNZ-5120 : The performance issue in the environment republish operation has been resolved.
APNZ-5116 : Character errors in the endpoint address in the quick test tool have been fixed.
APNZ-4891 : URL formatting errors in test endpoints have been fixed.
APNZ-4674 : The issue where multiple selections were deleted on filtering pages has been resolved.
APNZ-4661 : Key listing issues in private key management in the Secret menu have been fixed.
APNZ-4653 : The data loss that occurred in Key Source selection in the Secret menu has been resolved.
APNZ-4635 : The operation type update error in API Call policy has been fixed.
APNZ-4587 : The issue where parameter type changes in the Design tab did not affect the format has been resolved.
APNZ-4579 : The pagination deficiency on some report pages has been resolved.
APNZ-4350 : The issue where timezone settings were not reflected in notification timestamps has been fixed.
APNZ-4240 : Image prefix issues in Kubernetes resource settings have been fixed.
APNZ-4129 : The issue where disabled methods in Proxy Group could not be displayed has been fixed.
APNZ-4118 : Conditional parameter usage in authentication policies has been improved.