API CHANGELOG

The breaking changes your team needs to know about — Issue #1 • Week of May 5, 2026

Welcome to the first issue of API Changelog. Each week, we monitor changelogs across Stripe, Shopify, AWS, GitHub, Twilio, and Vercel so you don't have to. This week: 1 security-critical certificate change, 1 silent default value shift, and 8 feature updates across 6 platforms.

⏰ The Deprecation Clock

Upcoming sunset dates, sorted by urgency. If your team uses any of these, start planning now.

API | Change | Deadline | Score
Twilio | Client Auth EKU extension removal from TLS certificates | Mar 1, 2027 | 8

🔒 Security Critical

TWL Twilio TLS Certificate — Client Auth EKU Removal Impact: 8/10

What breaks: TLS certificate validation that explicitly checks for the Client Authentication Extended Key Usage (EKU) extension in Twilio's certificates will fail. Certificate pinning implementations that rely on current certificate fingerprints will break when new certificates without the Client Auth EKU are deployed.

The fix: Update certificate validation logic to not require the Client Authentication EKU extension. Replace certificate pinning with certificate authority (CA) validation, or update pinned certificate fingerprints when new certificates are issued. Use standard server authentication validation instead.

Deadline: March 1, 2027 — DigiCert has extended the original timeline. You have time, but start planning now if you use custom certificate validation.

❌ Before (deprecated pattern) — Python

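import ssl

ssl_context = ssl.create_default_context()
# Certificate validation requiring Client Auth EKU
ssl_context.check_hostname = True
ssl_context.verify_mode = ssl.CERT_REQUIRED
ssl_context.set_ciphers('HIGH:!aNULL:!eNULL')
# Application-level policy flag (illustrative; not an option of the ssl module)
require_client_auth_eku = True  # Will fail after EKU removal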

✅ After (migrated) — Python

import ssl

ssl_context = ssl.create_default_context()
# Updated validation without Client Auth EKU requirement
ssl_context.check_hostname = True
ssl_context.verify_mode = ssl.CERT_REQUIRED
ssl_context.set_ciphers('HIGH:!aNULL:!eNULL')
# Rely on standard server authentication (1.3.6.1.5.5.7.3.1)
# Remove client auth EKU check entirely

Source: Twilio Changelog →
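To see why the "before" pattern fails, here is an added example (not code from Twilio or from this newsletter) that parses an Extended Key Usage extension and runs both policies against it. The DER bytes are hand-built samples rather than real Twilio certificates, and all function names are hypothetical; in production you would read the EKU with an X.509 library.

```python
# Added example: constructed DER bytes, hypothetical function names.
EKU_EXT_OID = bytes.fromhex("551d25")            # 2.5.29.37 extendedKeyUsage
SERVER_AUTH = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1
CLIENT_AUTH = bytes.fromhex("2b06010505070302")  # 1.3.6.1.5.5.7.3.2

def tlv(tag, body):
    """Encode one DER element (short-form length; sample data is under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one short-form DER element; return (tag, body, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("element overruns buffer")
    return buf[pos], buf[pos + 2:end], end

def build_eku_extension(purposes):
    """Constructed sample: SEQUENCE { extnID, OCTET STRING { SEQUENCE OF OID } }."""
    key_purposes = b"".join(tlv(0x06, p) for p in purposes)
    return tlv(0x30, tlv(0x06, EKU_EXT_OID) + tlv(0x04, tlv(0x30, key_purposes)))

def parse_eku_extension(ext):
    """Return the set of KeyPurposeId OIDs (DER content bytes) in the extension."""
    _, body, _ = read_tlv(ext, 0)
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != EKU_EXT_OID:
        raise ValueError("not an extendedKeyUsage extension")
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:                      # optional 'critical' BOOLEAN
        tag, value, pos = read_tlv(body, pos)
    _, seq, _ = read_tlv(value, 0)
    purposes, pos = set(), 0
    while pos < len(seq):
        _, purpose, pos = read_tlv(seq, pos)
        purposes.add(purpose)
    return purposes

def legacy_check(purposes):
    """The 'before' policy: demands clientAuth alongside serverAuth."""
    return SERVER_AUTH in purposes and CLIENT_AUTH in purposes

def migrated_check(purposes):
    """The 'after' policy: only serverAuth is required."""
    return SERVER_AUTH in purposes

CURRENT_EKU = parse_eku_extension(build_eku_extension([SERVER_AUTH, CLIENT_AUTH]))
FUTURE_EKU = parse_eku_extension(build_eku_extension([SERVER_AUTH]))
```

The legacy policy accepts the sample with both purposes and rejects the one without clientAuth, while the migrated policy accepts both and still rejects a certificate that lacks serverAuth.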

👁 Silent Changes

Changes that won't trigger a status page alert but could still bite you. These are the ones nobody else tracks.

SHP Shopify — appliesOnSubscription default changed to true Impact: 6/10

The default value of appliesOnSubscription has changed from false to true on the DiscountCodeAppInput and DiscountAutomaticAppInput input types in the GraphQL Admin API. This applies across all active API versions.

Why it matters: Shopify says "no action is required" and that this change has no effect on checkout behaviour. That may be true for most apps. But if your app creates discount codes without explicitly setting appliesOnSubscription and relies on the old default of false, your discounts will now apply to subscriptions when they previously did not. That is a behavioural change, even if the vendor says otherwise.

What to do: If you use the Shopify discount API, check whether your code explicitly sets appliesOnSubscription. If it does, you are unaffected. If it relies on the default, test your discount behaviour now.

Source: Shopify Changelog →

📝 Changelog Roundup

Non-breaking additions and improvements from this week. One line each — click through for details.

GH   Code-to-cloud risk visibility with Microsoft Defender for Cloud is now generally available.
GH   GitHub MCP Server now scans for vulnerable dependencies before commits via Dependabot toolset integration.
VCL   Query Observability Plus metrics directly from the Vercel CLI for any team or project.
VCL   Open-sourced deepsec, a security harness powered by coding agents for finding vulnerabilities in large codebases.
SHP   Admin web vitals (LCP, INP, CLS) now available in the Dev Dashboard. FID has been retired and replaced by INP.
SHP   New origin and destination fields added to inventory transfer webhook payloads with updated mutation documentation.
AWS   CloudWatch Logs Insights now supports querying log groups by tags across all commercial regions.
AWS   Amazon QuickSight Generate Analysis creates dashboards from natural language prompts for Enterprise and Author Pro users.
AWS   Amazon WorkSpaces now enables AI agents to access desktop applications via MCP integration with enterprise governance controls.
AWS   MediaTailor now automatically handles server-to-server authentication with Google ad platforms without manual configuration.
TWL   Twilio Video JavaScript SDK now officially supports Samsung Browser, expanding compatibility to over 1 billion Galaxy devices.
STR   Sessions 2026 recap: new platform features including Link agent payments, programmable card issuing, and AI economic infrastructure.
STR   Agents can now generate one-time-use virtual cards and Shared Payment Tokens via the new Issuing API for agents.

API Changelog • Tracking breaking changes so you don't have to