1 of 100

Backend API

The Keeper Backend API is a core component of the Keeper platform, utilized by each of the client applications for authentication, syncing and core platform features.

Backend API Version 17.6

Released on May 18, 2025

New Features

KA-6804: API support for Biometric passkey login method
KA-6464: API support for Editable One-Time Share feature
KA-6890: API support for Crowdstrike NG SIEM integration
KA-5994: API support for automatically rotating a password after Connection and Tunnel close
KA-4855: API Support for new Wi-Fi Password record type
KA-5783: API support for Google Chronicle SIEM integration
KA-6495: API support for new Notification Center feature
KA-6529: API support for new Device Management features
KA-6373: API support for new role enforcement policies preventing the transfer of personal and business information between linked Business and Personal vaults:
- RESTRICT_PERSONAL_USING_BUSINESS_DOMAINS - domains that are not allowed
- WARN_PERSONAL_USING_BUSINESS_DOMAINS - domains that should trigger a warning
- RESTRICT_PERSONAL_USING_BUSINESS_SITES - sites that are not allowed
- WARN_PERSONAL_USING_BUSINESS_SITES - sites that should trigger a warning
KA-6224: Support for RESTRICT_TOTP_FIELD role enforcement policy which allows the Keeper administrator to restrict the use of TOTP fields in Keeper records.
DU-444: Added support for USE_DEFAULT_BROWSER_FOR_SSO enforcement policy
KA-6747: Implemented pagination for SCIM groups

Improvements

KA-5013: The string “Province of China” has been removed from location data provided by IP2location
KA-5776: The Log Analytics Agent has been retired and migrated to Azure Monitor Agent. Functionality remains the same with a different provider
KA-5922: Created API functionality for deactivating an alias from a user who may no longer want the account being accessible from the alias.
KA-6036: User Names are now trimmed when they are created with extra non-printable characters.
KA-6095: Registering a device in a region now raises an error if the device is already registered in the region with a different token
KA-6326: Backend is now implementing structured delays in sync behavior when large numbers of users have to sync a change to a record or folder
KA-6384: All instances of a server using the Trust Manager have been removed and the Trust Manager has been deprecated
KA-6410: Check added for updates to primary third party libraries.
KA-6565: Migrated the current AWS MySQL to AWS wrapper
KA-6643: Upgraded KeeperApp with new Protobuf version
KA-6707: Added Rust SDK Client Version identifier to backend
KA-6750: Updated all primary third party libraries
KA-6818: Clean up of PAM Enforcement to check for a valid PAM License
KA-6875: Introduced handling for legacy rotation enforcement and backwards compatibility of old clients before PAM
TRAN-5254: Finnish and Swedish translation add for new SSO Connect Sync message
TRAN-5579: Changed wording for multiple languages for “Contact your administrator”
TRAN-6856: Support File strings updated in all supported languages
TRAN-6857: Language changes in support messages were updated in all supported languages
KA-6760: Created a new error message when deleting PAM configurations without KSM enforcement
KA-6732: Updated support email address to the support URL
TRAN-7002: String updates translated to Finnish, Italian and Swedish
TRAN-7003: A string message translation updated for US, GB and Germany

Bug Fixes

KA-6898: Sharing relationships are currently not bi-directional. Establishing a share in one direction should also allow it in the reverse direction.
KA-5583: Improvement to prevent restored deleted shared folders and records from corrupting the vault
KA-5642: Restriction to enforce license use to initial email account for enterprise licenses. Restricts changing email to a restricted domain.
KA-5680: Implements new checks for multiple node endpoint checks and returns all item checks that prevent the node from being deleted
KA-5802: Fix to the audit event client logging for unsaved compliance report export
KA-5848: Implements “Add and Remove” a user to a team with the Manage Teams permission
KA-5865: Updated “throttled” text in message dialog to the correct translation of the client language
KA-5943: SCIM now normalizes email when logging audit events and converts emails to lowercase characters
KA-5984: Added Granular Role Enforcement for directly shared records when “Cannot share or receive” is enforced on account
KA-6034: Improved how Legacy records are added to a subfolder without generating "access denied" error
KA-6041: Transaction is now created on success when adding a role managed node
KA-6064: An audit log is now created when a new username is created or replaced by an existing one
KA-6065: Audit Events are now generated for a pending user deletion
KA-6066: SCIM no longer generates “enable_user” for event for every User Patch
KA-6116: Fixed Automator to not error out when a team encrypted team user is null
KA-6119: Fixed issue when get deleted shared folders and records API returns incorrect data for folders and shared teams
KA-6145 : Fixed issue with legacy domain specific policies not converting properly
KA-6170: Fixed issue where two active users were able to have active sessions on a device without calling logout before calling start login
KA-6238: Fixed issue where editing a user bypasses domain reservations
KA-6239: Fixed issue where a SCIM admin can edit a user's email to a personal address
KA-6306: Fixed issue with deleted records still being displayed in the console and BreachWatch audit dashboard table
KA-6327: Fixed issue where a user was able to create a one-time share with view only permissions in a shared folder
KA-6431: Fixed external logging error of connection errors on setup to AWS S3
KA-6612: Fixed error in sync response for change owner results
KA-6717: Fixed issue with adding and deleting images to general records
KA-6719: Fixed issue with upload counts and file usage when uploading and saving files
KA-6740: Fixed Security Score data that was not syncing properly between clients
KA-6742: Created validation for Privileged Access Manager Add-on License Limit after purchase
KA-6748: Fixed transfer issue with “null import key” error in table
KA-6755: Fixed issue with update time in a record reference
KA-6758: Fixed issue with SSH Agent ARAM events reported as Client Report Events
KA-6797: Fixed Commander issue with imports of folder, imported folders and records. Partial Sync Down fails for imported record
KA-6805: Optimized large requests for set_ecc_key_pairs
KA-6817: Fixed issue with exception when moving enterprise from California to US
KA-6823: Fixed issue with Role Polices not allowing connections when sharing PAM resource records
KA-6830: Fixed issue with trial users needing a PAM license validation
KA-6886: Fixed Push Server Errors where we were unable to decrypt encrypted payload
KA-6889: Fixed Exception errors during attempted log of get enterprise setting
KA-6894: Fixed randomly delayed password strength data in console
KA-6916: Fixed issue with Elliptical Curve adding and updating records
KA-6936: Fixed 500 error for invalid origin and destination in initiate pre-transfer
KA-6943: Fixed exception error when sending notification requesting device verification
KA-6602: Fixed issue where a user is able to approve device through email after a request was declined through a vault notification dialog
KA-6856 : Fixed issue where Automator was skipped and a manual device approval occured after MFA timeout

Backend API Version 17.5

Released on April 16, 2025

New Features

API support for Endpoint Privilege Manager

Backend API Version 17.4

Released on April 8, 2025

Features

KA-6747: Added support for pagination with SCIM Group APIs
KA-5776: Support for new Azure Monitor SIEM integration which replaces the legacy Azure Sentinel integration. See setup guide.

Improvements

KA-6239: Added additional security protection with SCIM API. SCIM provisioning now requires domain reservation on any affected email domains. Learn more about Domain Reservation.
KA-6238: Added additional protection against changing emails without domain reservation.

Bug Fixes

KA-6856: Fixed issue where Keeper Automator occasionally didn't approve a user's device. This was caused by a timeout when providing MFA code.
KA-6065: Fixed issue where deleting a pending user doesn't generate an ARAM event
KA-6064: Fixed issue where changing an email from SCIM doesn't generate ARAM event
KA-5848: Fixed issue where you can't add or remove a user to a team with only "Manage Teams" admin permission.
KA-5327: Fixed issue where a user was able to create a one-time share in certain edge cases when having view-only shared folder permissions.

Backend API Version 17.3.5

Released on March 25, 2025

This release addressed several performance updates on the backend.

Improvements

KA-6880, KA-6877, KA-6869, KA-6873, KA-6018: Performance updates

Bug Fixes

KA-6897: Error received by users when trying to activate KeeperPAM

Backend API Version 17.3.2

Released on Feb 14, 2025

Improvements

KA-6399: Updated phone number parsing library
KA-6802: Automatically enable all PAM enforcements for new Keeper Administrator roles
DU-498: Increased throttle limits for security data APIs

Bug Fixes

KA-6702: Include protocols values during KeeperPAM start/stop ARAM events
KA-6346: Prevent creation of one-time shares of ownerless records
KA-6745: Filtering of App UID and Gateway UID in ARAM event logs
KA-6760: Prevent users without KSM from deleting a PAM Configuration

Backend API Version 17.3.1

Released on Feb 13, 2025

Bug Fixes

KA-6783: Resolved query deletions that caused MySQL database errors in production
KA-6796: Removed popup on mobile users regarding storage limits

Backend API Version 17.3

Release on Feb 4, 2025

Notable Changes

KA-5713: New Keeper Enterprise tenants have the "Vault Transfer" policy enabled by default on the Keeper Administrator role and MSP Subscription Manager role (for MSP tenants). Within the tenant, the "All Users" role will have Vault Transfer enabled by default.

Bug Fixes

KA-6659: Password Rotation failed when using a shared record in certain scenarios
KA-6701: Enterprise region transfer issues
KA-6708: Error creating teams via Automator
KA-6155: Bug fixes related to Sharing enforcement policies with outside user
KA-6043: Unable to move a user between two active SSO nodes
KA-5973: MSP admin launched into MC cannot perform transfer on MC user who inherited transfer role through a team
KA-6476: Device approval push not sent to Android and iOS clients during signup
KA-6630: Keeper Sharing Notice email 'Sign Up' embedded link is broken
KA-6685: New Business Account Setup is not completing after Email Verification
KA-6010: Improved accuracy of file storage limits when adding and deleting files

Security Updates

Version 17.x of all Keeper deployments includes the capability to migrate legacy RSA encrypted keys to EC. Keeper will be forcing migration of legacy data in a future release after users have been given adequate time to upgrade. Emails will be sent to all customers to ensure that they are using the most up-to-date version of Keeper software.

Other Improvements

KA-6398: Updated library for phone number parsing
KA-6679: Deprecated APIs for v17 clients
KA-5891: Allow end-users to request more storage from their Keeper admin
KA-6735: Improved logging

Backend API Version 17.2

Released on December 20, 2024

Features

KA-5992: KeeperPAM ARAM events
KA-5959: PAM functionality on time-limited access for PAM record types
KA-6070: Role policies to create one-time shares and self-destructing records

Improvements

KA-5700: Endpoint to detect and correct security score inconsistencies

Bug Fixes

KA-6018: Accessing one-time shares after expiration should not generate ARAM events
KA-6101: Display root company logo in one-time share inside subnode users
KA-6142: Rotation history showing empty in Admin Console
KA-5843: Not receiving alerts for certain events
KA-6280: Allow data modifications with KSM using apps with over 30k records

Various security fixes from NCC Group and Cybertest pen tests

Backend API Version 17.1

Released on October 25, 2024

Features

KA-5914: Risk Management Dashboard APIs

Bug Fixes

KA-6358: iOS version restore push/sync to Vault is causing attachment errors

Backend API Version 16.12

Released on March 5, 2024

Features

KA-5180: New ARAM event for alternate master password creation

Bug Fixes

KA-5512, KA-5521: Compliance reports fixes, including that folder UID displays properly for shared folder with only teams and users with no records don’t display as blank values in user criteria section
KA-5636, KA-5673: Fixed cases where record transfer email notification contained incorrect URL and/or UID
KA-5792: Restoring a sub-folder that was previously deleted now restores all shortcuts
KA-5888: Users are able to share a record outside of the enterprise even if assigned to a role that restricts receiving items from outside the enterprise
KA-5889: Shared folder is removed from vault immediately after deletion rather than only after full sync
KA-5901: Team role-mapping properly restricts one-time share usage
KA-5918: Bulk user actions have privilege checks enforced
KA-5938: If a user is a member of two roles with passphrase generator restrictions, the resulting rules for the user are both accounted for
KA-5945: If a legacy consumer user already exists with an invalid email address (for example, .con instead of .com), we allow the user to login and change their email

Improvements

KA-4349: Support FriendlyName as SAML2 IDP attribute for Cloud SSO
KA-5266: Extended support for large numbers of users being modified concurrently
KA-5537: SCIM is prevented from creating the same user twice
KA-5553: When a user changes their logout timer, push to all devices instantly
KA-5709: Display support package information in the Admin Console
KA-5757: Accessibility improvements to color and spinner on certain Cloud SSO screens

Backend API Version 16.11

Released on January 10, 2024

Features

KA-3754, KA-5157: Support for our new Time-Limited Access feature
KA-5689: Support for new Granular Sharing Enforcements feature
KA-5519: Cloud SSO Configuration shall be node-unique non-shareable across different SSO nodes IF In Use
KA-5741, KA-5836: Support for Team Approvals (team creation) via Keeper Automator
KA-5628: Support for Security Key as the only two-factor method
DU-352: Added support for new policy "Disable ability to create duplicate" (DISABLE_CREATE_DUPLICATE)

Bug Fixes

KA-5350, KA-5694: Certain audit event reports which consolidate information are returning too many events. For example: audit-report --report-type=span --event-type=record_password_change --column=record_uid --column=audit_event_type --record-uid=<RECORD_UID>
KA-5438: Error when deleting a Cloud SSO instance from an empty node tree
KA-5692: If a MSP admin launches into an MC and attempt to perform an account transfer they are getting error “This user is not in a role that has the “Can Be Transferred” enforcement turned on error and cannot complete the transfer.
KA-5804: Support for some hardware security keys that failed due to "invalid size"
KA-5769: Some users receive 400 error on get_team_members (viewing team members in the vault user interface)

Security Updates

KA-4055: Added additional API changes to support server-side verification when a user is prompted for master password re-entry in certain scenarios. This is a low severity finding from Bugcrowd. Releated client tickets VAUL-6192, EM-6185.

Backend API Version 16.10

Released on July 27, 2023

Bug Fixes

KA-4968: In Keeper MSP: The list of Share Admins is not properly including the Managed Company admins, only the MSP share admins.
KA-5322: Customers on a free trial were unable to access Record History and restore a record.
KA-5506: Inviting a consumer account to an enterprise, then editing a user's email causes an error.
KA-5482: "Disable email invites" was ignored by the "Automatically resend email invitations".
KA-5460: Stay-logged-in works one time after restricting it via an enterprise role enforcement.
KA-5146: User located on a sub-node with root node "Keeper Administrator" role isn’t able to perform Share Admin activities on root node records within the Shared Folder that is owned by a root user.
KA-5211: Deletion of Shared Record by non-owner results in removal of associated security Data, affecting the security score.
KA-5451: ARAM reports null,null,null and 0.0.0 for On-Demand Rotation Success/Failure
KA-5028: ARAM event is not triggered when adding user to team in the scenario when it is done at the same time as the creation of the team.
KA-5287: Sub-node admin is not able to run ARAM "all security events" report
KA-5151: Enforce add-on and storage restrictions for MSP created by a distributor
KA-5134: Implement PUT for editing groups via SCIM requests.
KA-5376: Protection against creation of on-prem SSO accounts containing invalid data
KA-4571: Invalid invites are sent to users in nodes with incomplete SSO provisioning set up
KA-5420: Linked records are not showing in the user's deleted items when the record is deleted that contains links.
KA-4652: User counts in the billing history page do not appear in the Billing History page 'Users” column.

Security Improvements

KA-5497: User Presence now supported on FIDO2 security keys: Users who login with a Security Key that have a PIN configured, will now be requested to enter their PIN. The server now responds with "Preferred" instead of "Discouraged" in regards to User Presence. To learn more about this feature, read about it on the Yubico website.
KA-5368: Bugcrowd report: User able to sign in to web vault after enabling platform restriction, as long as the session is still active.
KA-5395: IP AllowList restriction allowed session resumption (stay logged in) to occur even when the IP address is restricted.
KA-5341: If "stay logged in" enforcement is changed by the admin, the effect is not immediate. This information was being cached for some time in the Keeper infrastructure.
KA-4682: If you deny 5 Keeper Push device approvals, no more device approval pushes are sent until the account owner acknowledges and re-activates device approvals via an automated email.
KA-5474: Recovery process timeout was increased to 15 minutes from 10 minutes.
KA-5455: PAM rotation APIs can be used even if a user is not within a provisioned role.
KA-5408: Locked users should not be able to use KSM secrets manager API
KA-5418: Within the Enterprise, ensure that rotation APIs can only be executed by user with edit rights on the record.
KA-5409: Secrets Manager User with removed permissions can still edit and create applications.

Features

KA-5208: Support for MSP Accounts in GovCloud
KA-5479: Backend support for Exabeam SIEM provider. Console UI update coming.
KA-5473: Support for shared folder array in permission changes (for Keeper Commander "apply-membership" bulk command in ticket KC-590).
KA-5171, KA-5172: APIs to provide the Admin Console and Commander with a user's 2FA and transfer acceptance setting. Will be implemented in the UI in a later release.
KA-5189: Endpoint to allow the Admin Console to flush security scores and re-calculate. Will be included in a future Admin Console release.
KA-5386: Added 2 more ARAM events related to MSP distributor billing:
- User ${username} activates MSP for enterprise ${enterprise}
- User ${username} deactivated MSP for enterprise ${enterprise}
KA-5426: New ARAM events for Keeper Secrets Manager client devices:
- app_client_record_create
- app_client_record_update
- app_client_record_delete
- app_client_folder_remove_record
- app_client_folder_update
- app_client_folder_delete
KA-5143: Support for MSP "Business Starter" plan. Not yet implemented in the UI.
KA-5222: Support for APIs to remove files and linked records from Keeper Secrets Manager.
KA-5461: Support for an optional "path" parameter when setting up Splunk SIEM endpoints. "https://" + host + ":" + port + (path=="" ? "/services/collector" : path)
KA-5456: SCIM "Get Group" command fails when a team is located in a subnode under SCIM node.
KA-5500: Improved language in Sharing Notice emails.
KA-5265: Support for new role enforcement policy MASTER_PASSWORD_MINIMUM_LENGTH_NO_PROMPT This role enforcement will allow a role to not require the user to immediately change their master password if the length of their password is less than the minimum.
KA-5541: Support for sending "minutes" instead of "milliseconds" for logout timer setting.
KA-5573: Support for logging into SSO Cloud from the user's default web browser when using Keeper Desktop. This new feature will be incorporated into an upcoming Keeper Desktop release 16.10.4.

Backend API Version 16.9.14

Released on June 29, 2023

Bug Fixes

Fixed an issue where the shared attachments are also deleted if the original owner's account is deleted

Backend API Version 16.9.13

Released on June 23, 2023

Improvements

Set the default throttle for JSON API calls to 10 calls per 5 seconds

Backend API Version 16.9.12

Released on June 13, 2023

Bug Fixes

Fixed an issue where newly created accounts where having trouble logging in
- This was due to the auth key being generated twice and overwriting the original value
- This issue was only observed in AU

Backend API Version 16.9.11

Released June 08, 2023

Bug Fixes

Resolved issue where the Web Vault automatically logouts after setting the logout timer on the browser extension and exiting

Backend API Version 16.9.10

Released on June 05, 2023

Improvements

Optimized DB queries when deleting users with 50k+ records to prevent unnecessary load and stress on server

Bug Fixes

Users are now added to groups when the user is created with a SCIM POST call
Resolved issue where the user_folder_shared_folder query does not flag root folder

Backend API Version 16.9.9

Released on May 30, 2023

Bug Fixes

KA-5338: Delegated admin can affect SSO configuration in other nodes through configurations.
KA-5360: When share admin transfers ownership of a record, incremental sync missing transferred record UID, causing record to appear/disappear on both side vaults until full sync happened (on a background or next login).
KA-5424, KA-5421: Improved sync performance by removing queries for non-enterprise users.
KA-5419: After an Admin deletes a user from the admin console and then re-creates that user with the same user email the user is unable to successfully create the account a second time. The user will see network connection errors in the Vault and we see server errors on the backend.
KA-5453: Allow longer custom email invite templates, up to 5,000 chars.
KA-5468: Add role enforcement to disallow importing of shared folders from LastPass. The role policy name is RESTRICT_IMPORT_SHARED_FOLDERS. This change goes with Vault ticket VAUL-5977.
KA-5470: When a user is deleted, their pending device approval queued entries are not deleted. This is causing a problem when the user is created again with the same username.
KA-5463: Commander API errors with shared_folder_update
KA-5478: Error message when a Share Admin removes a user from a shared folder.

Improvements/Changes

KA-5473: Bulk change endpoint for folder permissions, to accept an array of shared_folder object. This will provide Commander with bulk permission changes under ticket KC-590.

KA-5427, KA-5447: Logout timer improvements

The minimum logout timer for the device type (Web apps, desktop apps, mobile apps) are utilized for any device that you login to.
If the admin lowers the max allowed logout timer for a device type, the next login will enforce the lower amount across all devices of the specified type.
If the admin lowers the max allowed logout timer for a device type, this will modify the current session for all affected users.
If the admin raises the max allowed logout timer, users will not be raised higher. But the user will need to logout and login to increase their logout timer.
The role enforcement max allowed will be used as the "Default" logout timer for users.
The idle logout is by device type for a user, not specific to a device for the current user.
Logout timers shall be allowed beyond 24 hours. Any value up to 30 days will be supported.

Older

Releases notes older than last 10 releases

Older release note content is still available, but anything older than the last 10 updates is placed here.

Backend API Version 16.0.0

Release ETA March 15, 2021

Improvements

KA-2836: Support for new Record Types feature
KA-3862: Support for Node Isolation
KA-3857: Provide free Family Plan to all linked personal accounts
KA-2517: An audit event is created when a user is removed from a role or team
KA-3909: Support for automatic enterprise invite re-sends on the backend

Bug Fixes

KA3873: Enforcement values missing from get_enterprise_data_for_user_response
KA-3693: API requests to the backend are slow to turn on 2FA
KA-3870: IP blocked events are not being reported in Reporting & Alerts Module
KA-3880: Extending the share expiration of a user, fails to save new expiration date
KA-3869: Shared Records Report returns unwanted data
KA-3894: Admin Console crashes when the last user of a team deleted

Backend API Version 15.2.0

Estimated Release Date: January 22, 2021

Bug Fixes

KA-3782: Change SCIM GROUP PATCH implementation to return 204 Status
KA-3588: Support for SSO Connect On-Prem alias checking on email changes
KA-3578: Turning on Stay Logged In did not work the very first time
KA-3756: Stay Logged In setting not honored on particular login flows
KA-3626: Syslog push fails in EU
KA-3638: Adding ARAM event causes throttling
KA-3725: Various issues with record sharing
KA-3718: User is unable to set alternate Master Password
KA-3582: ARAM is missing the event "Removed User from Team"
KA-3607: SSO does not send SessionIndex on SAML logout
KA-3628: Entity ID fails to update when moving configuration
KA-3674: Records fail to appear in shared folder after a team is added
KA-3661: "Offline Master Password" role enforcement fails
KA-3548: Error message appears when login to US SSO Cloud account in EU region
KA-3514: Event is not triggered when delete command is used
KA-3701: MSP Admin is unable to approve SSO Cloud users from Managed Companies
KA-3719: File usage is not properly updated
KA-3726: A server error is generated when deleting a team
KA-3730: "Account Recovery Requested" ARAM event is not triggered
KA-3741: Cloud SSO users that are also admins, require Master Password to export
KA-3746: Errors are generated when deleting a record in a team shared folder
KA-2654: Backend APIs for Admin Console login for customers with over 100k users
KA-2837: Addition of new APIs for upcoming Record Types feature
KA-3316: Create user event not reported in ARAM
KA-3728: Sending hyperlink to invalid domain in some scenarios

Backend API Version 15.1.1

Estimated Released Date: December 29, 2020

Bug Fixes

KA-3692: "get_available_bridges" command fails for an MSP logged in as an MC
KA-3687: Keeper DNA push notifications are not appearing on Apple Watch for 2FA

Backend API Version 15.1.0

Released on December 21, 2020

Improvements

TRAN-3497: ARAM event added: Enterprise is out of seats
TRAN-3498: ARAM event added: Admin approved a device
KA-3654: Keeper removes pending users when SCIM provider patches user to inactive status
KA3610: Improved performance impacts due to API throttling
KA-3592: Allow Admins to provision invited users into Teams

Bug Fixes

KA-3625: MSP Keeper Admin is unable to approve SSO Cloud users from managed companies
KA-3560: SCIM email change issues
KA-3615: Broken Access Control - Change permission of other users in the same sharing record
KA-3614: Broken Access Control - Remove user in the same sharing record
KA-3624: Keeper Push fails for Cloud SSO users with DUO enabled
KA-3585: 2FA code duration preference fails for SSO Cloud users
KA-2558: Team folders are not being pushed to users upon login
KA-3637: Unable to login to Web Vault using Alternate Master Password and 2FA
KA-3235: Changed Email Address event isn't displayed in ARAM
KA-3641: Attempting to save empty shared folder record key
KA-3663: Cloud SSO accounts require two Admin approvals

Backend API Version 15.0.32

Estimated Release Date November 20, 2020

Improvements

EM-4399: BreachWatch events now include the record UID to inform Admins what records trigger BreachWatch Events

Bug Fixes

KA-3580: Re-trying an Admin Device Approval for pre-approved devices must reply success and send push
KA-3582: ARAM is missing "Removed User from Team" event
KA-3493: Log Error - users with region issues
KA-3586: File download for Enterprise users currently looks at file_plan_expiration

Backend API Version 15.0.31

Released on November 13, 2020

Improvements

KA-3553: Improved performance for SCIM filter by external ID
KA-2571: Validate a user's domain when an enterprise is created or when an enterprise user is added
KA-3583: Restrict Admins from adding teams with missing encrypted_team_key

Bug Fixes

KA-3448: Admin is able to invite a user to an enterprise when the user exists in a different region
KA-3464: "Forgot Password" flow generates error message
KA-3533: 404 error appears after logout from US SSO Cloud account
KA-3534: Log Error - NPE in SharedFolderUpdateCommand
KA-3491: A server error is generated while editing MSP user's name and email
KA-3493: User with region issues generates log error
KA-3407: Android users are prompted twice for code during 2FA setup
KA-3540: Cloud SSO IdP-initiated login URL is not displayed as expected
KA-3549: Cloud SSO does not return an error to the user if a bad IdP metadata XML file is uploaded
KA-3394: BreachWatch and Security Audits reports are not updating as expected
KA-3555: Log Error - ArrayIndexOutOfBounds in CreateAccountController
KA-3556: Log Error - NPE in ManagedNodePrivilegeRemoveCommand
KA-3554: Network error calling kinfo when user already exists locally
KA-3568: KeeperApp should prevent active SSO connections from being deleted
KA-3571: Errors are generated when a user attempts to approve existing devices via Keeper Push
KA-3573: Requests are not removed from Approval Queue once approved by Admin

Backend API Version 15.0.30

Expected Release Date: October 30, 2020

Bug Fixes

KA-3328: Using KeeperDNA for device approval does not work as expected
KA-3442: Log error is generated when deleting a revision
KA-3460: SAML validation errors are incorrectly being logged in the KeeperApp error log
KA-3464: Forgot Master Password flow generates error messages
KA-3508: start_login returns error after biometric login attempts to Cloud SSO accounts
KA-3512: Keeper Push does not work in attempt to enable 2FA in EU SSO Cloud account
KA-3513: A user is unable to login with SSO Cloud after being moved to an SSO node with the precondition that the user has not first logged in with their Master Password
KA-3519: A pending Enterprise user in an attempt to login to the vault receives an invalid account creation email
KA-3520: Recent Activity in account summary is missing iOS sync
KA-3521: The browser extension logout timer uses the timeout value set within the vault
KA-3509: Log Error, NPE in getManagedEnterpriseInfo

Backend API Version 15.0.29

Released October 21, 2020

Improvements

KA-15.0.29: Server communication improvements made

Backend API Version 15.0.28

Release ETA October 16, 2020

Bug Fixes

KA-3485: Fix to change Enterprise storage expiration to license expiration date
KA-3430: Inviting a reserved domain user triggers an incorrect error message
KA-3433: iOS devices do not receive "device_locked" push notifications from admin tool
KA-3436: When providing the 6-digit code from an account that is using DUO, the response displays an error
KA-3460: SAML validation errors are incorrectly being logged
KA-3447: A log error is generated when deleting a role or privilege
KA-3464: Forgot Password flow is generating several error messages
KA-3477: SQL error is generated in "ChangeMasterPasswordCommand"
KA-3480: Command returns an invalid session token type for expired Unlimited account
KA-3281: Enterprise tool search functionality is not working as expected
KA-3489: Login fails for SSO On-Prem users when IP auto-approval is turned off, or if it's ON and new IP / Device

Backend API Version 15.0.27

Released October 12, 2020

Bug Fixes

KA-3459: ARAM alerts read "unknown event" instead of the event name

Backend API Version 15.0.26

Released October 12, 2020

Bug Fixes

KA-3454: Fix for IP auto-approval broken in production

Backend API Version 15.0.25

Released October 10, 2020

Benefits & Enhancements

KA-3443: Support for SAML 2.0 IsPassive option in Cloud SSO

Bug Fixes

KA-3434: Deleting an enterprise does not release the kinfo.domain
KA-3438: Biometric login to wrong region generates "DEVICE_ACCOUNT_LOCKED" message
KA-3415: User unable to update an existing push token for a new device using device SNS registration service
KA-3393: Creation of a new user fails to trigger an ARAM event
KA-3388: Cloud SSO loses configuration parameters
KA-3377: Error message fails to appear when a user selects RSA option during 2FA setup and RSA has not yet been configured

Backend API Version 15.0.24

Released October 7, 2020

Bug Fixes

KA-3440: User invite fails when the domain is reserved by multiple enterprises
KA-3439: EU SSO Cloud user who attempts to login from the Desktop App with their email address is routed to Device Approval screen rather than their IdP
KA-3435: In an attempt to switch account after an account logout prompts user to update their password

Backend API Version 15.0.23

Released October 6, 2020

Enhancements & Benefits

KA-3423: The server will allow all access currently reserved to restrict and sync down

Bug Fixes

KA-3448: Fix to allow Admin to invite a user to an enterprise when the user exists in a different region
KA-3436: When a user provides the 6-digit code for DUO 2FA, the response displays an error message
KA-3420: When a user creates a Business trial and switches regions, they receive and error message when attempting email verification

Backend API Version 15.0.22

Released October 1, 2020

Enhancements & Benefits

KA-3362: KeeperFill Enforcement Policies - Role policies, implemented via checkboxes to enforce each of the various features and settings of the KeeperFill Browser extension.

Backend API Version 15.0.21

Released September 29, 2020

Enhancements & Benefits

KA-3387: Logic changed for session persistence
KA-3381: Biometric count and date enforcement removed
KA-3207: Various Enterprise customer invite fixes

Backend API Version 15.0.20

Released September 22, 2020

Bug Fixes

KA-3359: Correct SSO accounts transition from pending_enterprise_user to enterprise_user
KA-3358: send_email_verification link is being rejected
KA-3271: Deleting user from v10 admin tool doesn't fully delete user
KA-3233: Error message is received when a new user attempts to accept and create a family account via email invite's deep link.

Backend API Version 15.0.19

Released September 18, 2020

Bug Fixes

KA-3350: Alternate Master Password login 500 internal server error
KA-3351: user_account_summary error

Backend API Version 15.0.18

Released September 18, 2020

Features & Enhancements

KA-2906: Service Logger implemented as short term in-database logger
KA-2873: DAO layer implemented for new Cloud SSO data objects
KA-3314: Significant Cloud SSO logging improvements
KA-3273: Implemented prefix-based SCIM role mapping
KA-3214: Support signature embedded in the SAML response
KA-3210: Role enforcement created to disallow v2 clients
KA-3133: Without recovery data, removing a user from Cloud SSO node is prevented

Bug Fixes

KA-3343: Azure email formatting causes SSO to throw exception
KA-3332: Database error received during enterprise_delete
KA-3329: In attempt to delete SCIM user, user is locked instead of deleted
KA-3301: Master Password re-entry fails for biometrics
KA-3284: get_user account_information fails to return pending devices
KA-3264: Prevent account enumeration via 2FA throttle

Backend API Version 15.0.17

Released September 12, 2020

Bug Fixes

KA-3310: Request to create a user fails due to ECC validator; emails not received

Backend API Version 15.0.16

Released September 12, 2020

Bug Fixes

KA-3307: Account summary returning null for Family Plan admin
KA-3300: 2FA users who enter a "0" leading their area code during setup, don't receive SMS messages
KA-3267: SCIM PATCH add username exception in production log

Backend API Version 15.0.15

Released September 11, 2020

Enhancements & Benefits

KA-3283: Support for deleting invited user via SCIM PUT
KA-3263: Role enforcement policy created to disable account recovery
KA-3237: ARAM event created for "Enterprise is out of seats"
KA-3263: ARAM event created for Admin approved a device"
KA-3182: Endpoint created that allows a support tool user to verify a user's 2FA code

Bug Fixes

KA-3304: SAML Logout returns 404 with no IdP logout endpoint configured
KA-3294: Logout timer enforcement on Desktop logs user out at max duration instead of max idle
KA-3274: Email change landing page contains incorrect string
KA-3242: SSO logout doesn't redirect to IdP to perform logout from mobile client
KA-2994: Throttled re-authentication enforcement in vault is persistent on next log in.

Backend API Version 15.0.14

Released September 6, 2020

Bug Fixes

KA-3270: New JIT Cloud SSO users are prompted for device approval during onboarding
KA-3269: Uninvited Cloud SSO users receive region_redirect error message
KA-3268: Non-JIT Cloud SSO users receive error message at login

Backend API Version 15.0.12

Released September 5, 2020

Bug Fixes

KA-3265: EU users logging into US are not properly routed to the appropriate region

Backend API Version 15.0.11

Released September 4, 2020

Bug Fixes

KA-32632: Web app version 15.0.1 is receiving errors upon login
KA-3259: DUO IP-based bypass mode generates 500 error
KA- 3257: 2FA approval method produces error and enumeration

Backend API Version 15.0.10

Released September 3, 2020

Bug Fixes

KA-3255: 2FA is bypassed when alternate Master Password is used
KA-3252: RSA SecurID fails with Login_v3

Backend API Version 15.0.9

ETA for release: Sept 8, 2020

The Backend API version 15.0.9 release is focused on Login V3 and SSO Cloud APIs.

Features & Benefits

Cloud SSO Connect General Availability (GA) More information available here: https://docs.keeper.io/sso-connect-cloud/
Login V3 General Availability (GA) More information available here: https://docs.keeper.io/enterprise-guide/login-api-v3
KA-3173: Support for session persistence
KA-3079: IdP-initiated login for Cloud SSO accounts
KA-3086: New Enterprise role policies (disable_onboarding, disable_commander)
KA-2468: Support for 24-hour logout timer period
KA-3177: Added ARAM event for "Device requires Admin approval".
KA-3188: Backend support for device linking (auto-login of resumable sessions)

Bug Fixes

KA-3061: Better handling of invalid email addresses
KA-3130: Login V3 support for SSO-Master-Password logins
KA-3141: Ignore password expiration for SSO users
KA-3128: Do not redirect users to incomplete SSO Cloud configuration
KA-3134: Support for Region Redirect on SSO Domain login
KA-3088: Resolve missing Sign On URL in Cloud SSO metadata file for Azure
KA-3147: Throttling configuration for SSO Domain name
KA-3161: Duo Push web socket message not received by vault during account recovery
KA-3163: Changing Keeper SAML SP endpoint from kepr.co to keepersecurity.com
KA-2516: Master Password regex causing loop on iOS devices
KA-3175: Improved throttling on email verification codes

Backend API Version 15.0.7

Released on August 13, 2020

Bug Fixes

KA-3094: Improved handling of SSO data for users when moved out of SSO node and back into SSO node (retains data).
KA-3103: Editing a shared folder name or color changes default permissions.
KA-3093: Very slow login when thousands of shared folders are present in the vault.
KA-3099: Improved handling of migration from US to EU data centers
KA-2960: Addition of alias_add event for adding alias username/emails
KA-3097: Improved handling of login to US SSO account from EU vault
KA-3074: Added events for Device Approval
KA-3110: Prevent admin from moving user from on-prem SSO to Cloud SSO
KA-3022: Submitting verification code for pending invited user returning 403 error

Features

Backend support for Keeper SSO Connect Cloud

Backend API Version 14.12.6

Released May 15 & July 2, 2020

Subsequent releases 14.12.7 - 14.12.13 are also included in the following release notes.

Bug Fixes

Fixed: Unable to run custom reports in ARAM.
Fixed: Device verification must be forced on.
Fixed: SCIM group provisioning is unsuccessful.

Backend API Version 14.12.5

Released May 15, 2020

Bug Fixes

Fixed: Domain name not provided in login error message for SSO.
Fixed: Error message received when attempting the "Forgot Password" flow.
Fixed: Internal server error on add users for SCD Provisioning

Backend API Version 14.12.1

Released April 24 & 27, 2020

Subsequent releases 14.12.2 - 14.12.4 are also included in the following release notes.

Bug Fixes

Fixed: Unable to register new users on current chat clients.
Fixed: SSO (pre version 14.2.1) is not validating IP and device link for Enterprise.
Fixed: Transferred direct shared records do not show up in both root and transferred folders.
Fixed: Adding a 2FA duration to an enforcement generates server errors.

Backend API Version 14.12.0

Released April 24, 2020

Features & Benefits

Team Roles - This release introduces a major improvement geared toward increasing the efficiency of managing role enforcements. Enterprise Admins now have the ability to manage enforcements more precisely by assigning teams to roles. Furthermore, a user who is a member of a team assigned to a role will assume the enforcement of that given role.
Master Password Re-entry Enforcement - This role enforcement allows Admins to further enhance their security policies by requiring users to re-enter their Master Password in order to unmask or copy a password. Once unmasked, the password will be re-masked after 30 seconds have passed.
Account Transfer Improvement - A transferred account will be replicated in its structure and content and all data will be housed in a dedicated transfer folder that includes deleted records and record history.
Web Vault & Desktop App Import Prevention - This role enforcement allows Admins to restrict users from importing data from the Web Vault and Desktop App.

Bug Fixes

Fixed: Issue requiring an update of Google's phone number parser library to v8.11.3.
Fixed: Users are denied access when moving a record within a shared folder containing restricted team sharing capabilities.
Fixed: Business to MSP conversion fails for nodes that contain account transfer roles.
Fixed: "Added Shared Folder" events only appear under the "Added Folder" event type in ARAM.

Backend API Version 14.11.0

Released March 30, 2020

Subsequent release 14.11.1 is also included in the following release notes.

Features & Benefits

API implementation allowing Enterprise Admins to disable 2FA for their users so they no longer have to contact support to do so.
Admins able to set a role enforcement preventing users of the browser extension to enable Auto Submit and Prompt to Fill features.

Bug Fixes

Fixed: DUO 2FA experiencing intermittent failures.
Fixed: Push server is not re-registering after a fail to connect to database and is removed from database table too quickly preventing users to successfully login.
Fixed: Error received when converting nodes to Managed Company if user data is present.
Fixed: MSPs unable to pause Managed Companies as expected.
Fixed: Issue causing the new push servers to incorrectly handle the DNA push token.
Fixed: "auth_failed" appearing in Admin Console due to invalid session token detection when outbound IPs are load balanced.
Fixed: Spaces in 2FA backup code result in "server_failure".

Backend API Version 14.10.0

Released February 14 & 28, 2020

Subsequent release 14.10.1 is also included in the following release notes.

Bug Fixes

Fixed: SSO Connect JIT flag turns off when SSO settings for a node are saved.
Fixed: Issue causing Master Password complexity requirement in French to appear truncated.

Backend API Version 14.9.12

Released February 3, 2020

Subsequent release 14.9.13 is also included in the following release notes.

Bug Fixes

Fixed: Issue preventing MSP admin from logging into Managed Company if assigned a role that enforces 2FA at every log in.
Fixed: Some EU users unable to successfully login after updating their email address.
Fixed: Priority setting issue preventing successful SMS delivery method in Japan.

Backend API Version 14.9.0

Released November 28, 2019 | December 13, 21 & 23, 2019 | January 2 & 27, 2020

Subsequent releases 14.9.1, 14.9.2, 14.9.3, 14.9.4, 14.9.5. 14.9.6 14.9.7, 14.9.8, 14.9.9, 14.9.10 and 14.9.11 are also included in the following release notes.

Features & Benefits

Enabled IP range based MFA prompt rules (NCINO).
KeeperApp now responds to "/api" prefaced commands.
Support for LogRhythm SIEM provider.
API implementation for node to Managed Company conversion.

Bug Fixes

Fixed: "Bad_request" error message received on login containing ".con" in email field.
Fixed: Error occurs when user links a record from one shared folder to another.
Fixed: Text key visible in error message when a user attempts to add a record to the same shared folder it already resides in.
Fixed: An issue blocking clients that don't send in a user agent.
Fixed: An issue causing BreachWatch API to reject IE submissions.
Fixed: Crash occurs during login to various Managed Company accounts.
Fixed: User receives an SSO error message after they are moved out of an SSO for the purpose of recovering their Master Password.
Fixed: SSO new user/device access check initiates for SSO Connect >14.1.3.
Fixed: When enabling account transfer permissions and enforcement, the MSP loses the ability to launch into the Managed Company.
Fixed: Unable to move Managed Company to sub nodes without errors.
Fixed: Issue preventing imported records from inheriting the default folder settings.
Fixed: MSP receives "missing_keys" error when attempting to assign a user to a role with administrative permission.
Fixed: Error message displaying key values is received in Enterprise Console when a user attempts to add SCIM provisioning method to the Bridge.
Fixed: Support for enterprise client tool version.
Fixed: Managed Companies are duplicated when filtered by node.
Fixed: Some users in SSO nodes are unable to login as expected.

Backend API Version 14.8.2

Released November 15, 2020

Features & Benefits

Creation of new API to send email verification link.

Bug Fixes

Fixed: Root Admin receives intimate spinner in attempt to log into Managed Companies located in a sub node.
Fixed: Body of Japanese and German welcome emails for Keeper Business accounts are not translated.
Fixed: Records that are deleted from a shared folder are displaying incorrect deletion dates in Deleted Items folder.
Fixed: Adding a user to a shared folder does not send record meta data.
Fixed: Translation keys visible in some Enterprise customer email invitations.

Backend API Version 14.8.1

Released November 1, 2019

Bug Fixes

Fixed: Various visual updates to email verification messages.
Fixed: Japanese record sharing popups are not translated.
Fixed: Issue causing push notification of email change to not be received by client.

Backend API Version 14.7.16

Released November 1, 2019

Bug Fixes

Fixed: The verification link to change a user's email generates an error message
Fixed: The "record_add" command does not specify which file ID's are invalid in its response.
Fixed: When moving a record from the root into a shared folder, it is not observing the default folder settings.
Fixed: When added to a team, users do not immediately see shared folders until their next login. to the vault.

Backend API Version 14.7.11

Released on September 21, 2019

Features & Benefits

Text Message 2FA codes now include the platform requesting the code (Web Vault, Desktop App, iOS, Android, Console, etc...)
Updated template content for default Enterprise invitation
Support for Yubikey 5Ci Hardware Security Key

Bug Fixes

Fixed: Account recovery flow when customer attempts recovery in wrong geographic data center
Fixed: Admin is unable to delete a user having many record revisions
Fixed: Cannot create a family plan if once was admin of a family plan
Fixed: User is member of a Team and can receive shares in Shared Folder, but not add the Team to a Shared Folder.
Fixed: Shared folders in Account Transfer do not retain permissions.
Resolved: Prevent user from linking a personal license to existing business license from a different data center region.
Fixed: Removing a favorite from a record does not sync with other platforms.

Subsequent releases 14.7.12, 14.7.13, 14.7.14 and 14.7.15 resolved the following bugs:

Fixed: Issue decrypting old device session tokens
Fixed: Custom email templates reverting to default template in certain sub-nodes
Fixed: Personal license validation link produces 404 error
Fixed: SCIM provisioning failing with 400 error
Fixed: Free Data Breach Scan in EU region generating confusing error message
Fixed: Hyperlink to signup from SSO-provisioned user inside email template generated 404 error

Security Updates

Prevent external SIEM host connectivity test misuse by enumerating ports on the local network

Backend API Version 14.7.10

Released on September 15, 2019

Features & Benefits

Support for import of extra-large record notes

Backend API Version 14.7.9

Released on August 16, 2019

Bug Fixes

Free Breach Scan emails not sending to existing paid subscribers. Fixed.
Enterprise invite re-sending to users on expired licenses. Fixed.

Backend API Version 14.7.8

Released on Aug 16, 2019

Features & Benefits

Enterprise end-user invitations are now sent once every 48 hours to maximize user adoption. Previously sent email invitation codes are invalidated by the most recent code.
Updated the formatting, layout and branding of general email templates sent from the backend API in accordance with Keeper's new corporate branding.

Bug Fixes

Duo 2FA setup was not fully activated in some end-user scenarios after first setup. Fixed.
Translations missing in invitations and transfer record dialogs in Admin Console.
Preventing user from changing email address to the same email.
IP Allowlisting with overlapping ranges caused errors. Fixed.

Backend API Version 14.7.7

Released on Aug 9, 2019

Bug Fixes

IP throttling too aggressive, adjusting to prevent false positive.
Some customers unable to accept Enterprise invitation. Fixed.
SCIM messaging from Centrify returning 404 errors. Fixed.

Backend API Version 14.7.6

Released on August 6, 2019 @ 7PM PST

Due to issues experienced with Twilio (EU regulations surrounding delivery of messages using local numbers, confusing user experience around the use of Authy services), we made a migration of Keeper SMS 2FA services to Amazon AWS, our infrastructure provider.

The new backend SMS capabilities of Amazon AWS provide the following benefits:

Local delivery of phone numbers via Short Codes
Fast and reliable delivery
Full integration into Keeper's existing AWS infrastructure

We apologize for any disruption of SMS 2FA services over the past several days as we have completed the migration. If you have any questions or experience any issues receiving SMS messages from Keeper, please contact support or switch to a TOTP-based authentication method, such as Google Authenticator or Duo.

Backend API Version 14.7.4

Released on August 2, 2019

Features & Benefits

Migrated backend 2FA system from self-managed Twilio numbers to Twilio/Authy APIs

Bug Fixes

Fixed Azure AD SCIM pushes for user creation

Backend API Version 14.7.0

Released on July 25, 2019

This is a major feature, bug fix, security and performance improvement release.

Features & Benefits

Admins with Team Management permission will soon be able to add other members to a team, even if the admin is not part of the team. NOTE: Front-end implementation of the feature must still be completed on the Admin Console.
Users will receive an email notification when a record has transferred ownership to them.
Vault Transfers performed by the approved administrator will also transfer deleted records. The deleted records will be in the "deleted" section of the destination vault.
Ability to assign free Personal Licenses to Business Licenses (not available for all Business customers).
Created API to provide a list of team members, in order to display the information in the Vault. NOTE: The vault update has not gone live yet.
Created process to periodically ask the customer to review and update their security questions.
Created Backend APIs to support the Free Data Breach Scan feature on the Keeper Security Website and BreachWatch services. https://keepersecurity.com/free-data-breach-scan.html
Roles can now be provisioned through SCIM (supported by Okta and other identity providers). The Role ID must be provided by the SCIM message. Notes: - When a new user is created, default roles will be assigned regardless of what provided in "roles" field. - Roles with administrative permissions will cause the operation to fail with status 406 ("not acceptable") and "detail": "A role with Administrative Permissions may not be assigned by SCIM." - To identify the Role ID, this information is will eventually be displayed in the Admin Console, but it can be also seen via Keeper Commander command "enterprise-info":

My Vault> enterprise-info --roles                                                                                                                                                                                                                            
Enterprise name: Craig Lurey LLC

       Role ID  Name                  Cascade?    New User?    Node
--------------  --------------------  ----------  -----------  ---------------------------------------------------------
47377784242422  Administrator                                  Craig Lurey LLC\Finance
47377784242415  Administrator                                  Craig Lurey LLC\Legal
47377784242418  Administrator                                  Craig Lurey LLC\Contractors
47377784242533  Agent Manager                                  Craig Lurey LLC\Agents

"Last Modified" in record history will be replaced with the date in which the backup of was created (not last modification date)
Shared records to users outside of the organization will be removed automatically when a "Vault Transfer" of the user account is performed by the admin.

Bug Fixes & Performance Improvements

Stop sending share invites between Enterprise users, as this is not needed.
Repaired the "Change Email Address" flow from certain clients, in which the verification email was not being sent properly.
Emergency Access not honoring the desired wait time in certain cases.

Backend API Version 14.6.0

Released July 2, 2019

Features & Benefits

BreachWatch for Business
New APIs for BreachWatch Business client apps (retrieving public key)
Billing support for BreachWatch Business

Bug Fixes

Improved BreachWatch performance to reduce CPU load
User with expired personal license was unable to login and accept Enterprise invite.

Backend API Version 14.5.2

Released on May 6, 2019

Bug Fixes

"Recent Activity" screen has not been displaying the user's custom Device Name setting since the 14.0 release. This is now resolved.
Resolved SSO login when a user is moved into a subnode within the sub-node of the same tree.

Backend API Version 14.5.0

Released on April 23, 2019

New Features & Benefits

Node Isolation Option for MSP Customers The Keeper Backend now as the ability to enforce Node Isolation for business customers. When "Node Isolation" is activated, users and teams that show within Share screens on the vault are limited to parent and child nodes. This feature is built for MSP customers who configure each node in the Keeper Admin Console as a separate end-customer account. In the example below, if Node Isolation is activated on the West Coast node then: Users in "Developers" are able to see other users and teams up in Developers, West Coast, Regions, Engineering and Craig Lurey LLC. Users in "Developers" are NOT able to see the users and teams in "East Coast" or "Sales", since those nodes are in parallel tree paths.

On the Vault, the screens affected by this change are the "Shared Folder" and "Record Share" screens:

To activate Node Isolation please contact us https://keepersecurity.com/support.html

Other Improvements

Migrating from Google Cloud messaging (GCM) to Firebase Cloud Messaging (FCM) for Android platforms.
During Vault Transfer / Account Transfer, team permissions are also transferred now.
Optimization for syncing a large number of folders and records, when team permissions and individual user permissions overlap the same records. Duplicates are removed from the sync down response which decreases the overall encrypted package size.
Created an optimized "import" backend API for record import

Bug Fixes

Fixed "record key already encrypted with datakey" error which occurs randomly
German translation improvement (backend errors and success messages)

Coming Soon

The next Backend API 14.6.0 release will support BreachWatch for Business.

Backend API Version 14.4.0

Released on March 14, 2019

Enhancements & Benefits

Ability to login to Keeper when offline and SSO is unavailable, on the Web Vault and Desktop App. In this use case, the Keeper Admin enables the feature from the admin console role enforcement policy. This feature is disabled by default. It will only appear as an option within an SSO-enabled node.

For users who are part of an SSO-enabled node where the Admin has enabled Master Password login, the user will be able to login to the Web Vault and set a Master Password. Note that the Master Password complexity is enforced based on the rules of the role enforcement policy.

When offline mode is permitted by the Keeper Administrator, users can login to the Web Vault in a fully offline situation, or in a network that has no SSO access. Note that in order to make use of this feature, the user must login to the Web Vault on that particular user account at least one time.
If an account is available for offline login, an indicator graphic shows on the login screen:

Keeper Commander can now be utilized on SSO-enabled accounts through the use of the Master Password.
Security Update: We have added new security updates to prevent enumeration attacks against SSO Customer Enterprise Domain names.
We have added several new event types in the Advanced Reporting & Alert module to track the following events:
- Alert Created
- Alert Deleted
- Alert Paused
- Alert Resumed
- Team Created
- Team Deleted
- Role Created
- Role Deleted
- Node Created
- Node Deleted

Bug Fixes

Fixed issue where "Just-In-Time (JIT)" provisioning setting was being ignored

Known Issues

Offline mode will not work in Internet Explorer and the mobile version of Safari, due to the limitations of those platforms.

Backend API Version 14.3.0

Released January 25, 2019.

Enhancements & Benefits

Final release of Advanced Audit & Reporting backend prior to Admin Console release
Improved record history detailed data
Replace "Recent Activity" data with new enhanced metadata
Business logic for Audit & Reporting SKU and billing system
KeeperChat free trial activation from Admin Console
Increase allowed file upload size on "Custom Logo" from Admin Console

Bug Fixes

Syncing fix in shared folders related to removing a user from a folder
Overlapping IP ranges in enforcement restriction caused exception
"Ownerless" records after vault transfer are automatically corrected
Translation fixes regarding certain new role enforcement policies
Record "delete" events not logged when deleted from root user folder
SCIM triggers email to admin if the max number of licenses has been exceeded

Coming Soon

Version 14.4.0 includes several new features for Master Password login when SSO is unavailable, and offline mode in the Web Vault.

Backend API Version 14.2.0

Released December 27, 2018.

Enhancements & Benefits

This release contains minor bug fixes and several new backend features.
Added support for upcoming Advanced Event Reporting & Auditing system
Added additional API throttling monitoring and abuse prevention measures
Translation changes

Known Limitations

None

Bug Fixes

Duplicate shared folders returned in certain situations
Removed deleted record metadata when no record references found

Coming Soon

Version 14.3.0: Major release with over 20 tickets, containing bug fixes, new features and general backend improvements affecting all client applications.

Backend API Version 15.1.2

Released December 31, 2020

Improvements

KA-3705: Allow sync_down on iOS and Android v15 for expired users
KA-3703: Silence alerts to iOS that contain an empty message
KA-3699: Return success on recognized device on register_device_in_ region

Bug Fixes

KA-3704: Users unable to adjust the logout timer

Backend API Version 15.2.2

Released February 15, 2021

Improvements

KA-3809: Improved logging for support team
KA-3812: Ability to perform verbose SCIM logging
KA-3795: Improved behavior of "Stay Logged In" for browser extension users.
KA-3792: Improved speed and performance
KA-3797: Improved speed related to Trash Can view

Bug Fixes

KA-3787: Improved query performance on the backend
KA-3796: Invalid 2FA code returns invalid error message to user
KA-3784: Attempt to add a user to a shared folder doesn't add the user in local folder view
KA-3802: Error processing large number of SSO Cloud Admin Approvals
KA-3801: Adding users via customer-specific provisioning method generates Server 500 error
KA-3808: Some records do not return user information in "Last modified" record history information.
KA-3824: New records are not visible to all team members of a shared folder
KA-3790: Denying a Keeper Push via 2FA method caused approval

Backend API Version 15.2.4

Released on March 2, 2021

Known Issues

This update may have caused existing Azure Function sessions to be logged out. Please follow the instructions in the link below to re-activate the Azure Function. https://docs.keeper.io/sso-connect-cloud/device-approvals/azure-function#troubleshooting-and-repairing-failed-logins See the "Troubleshooting and Repairing Failed Logins" section to resolve the issue.

Features & Improvements

KA-3777: Added reporting module event for "User requesting self-device approval" for SSO Cloud
KA-3772: Ensure BreachWatch is granted to linked personal accounts
KA-3716: Modified sync to allow single-record retrieval for the Commander SDK
KA-3798: New "Share Report" API for Vault and Commander SDK

Bug Fixes

KA-3727: Attempt to add a Trusted User generates a "No Active Share Exist" error message
KA-3710: Admin approvals randomly fail to be received in the Vault
KA-3689: Log Error - error setting master password expiration
KA-3627: Adding an alias for an SSO user fails
KA-3027: Issue causing transferred records to have two owners
KA- 2672: "Removed record permission" event fails to be triggered
KA-3827: Transferring an account can create a "read only" owned record
KA-3767: Unable to logout from SSO Cloud if there is no IdP session id
KA-3842: Commander times out after 30 days
KA-3027: Transferring a record, the new owner deletes the transfer record, went to the original owner's trash can.
KA-3827: Transferring an account can create a read-only owned record.

Backend API Version 16.0.2

Release ETA April 12, 2021

Bug Fixes

KA-3939: User is unable to send record share invites (AU accounts)
KA-3953: User receives an error message in attempt to empty their trash (AU accounts)

Backend API Version 16.0.4

Released May 10, 2021

New Features & Improvements

Windows Hello Role Enforcement Policy Role policy for admin to prevent their users from enabling Windows Hello Login. This will launch with the next Admin Console.

Bug Fixes

KA-3989 and others: Support for Quick and Full sync methods in the Admin Console
KA-4016, KA-4021, KA-3988, KA-3987: Improved Session timeout handling with Browser Extension and Desktop Apps
KA-3970: AU user receives and error message when attempting to empty their trash
KA-3971: Enterprise transactions are being duplicated
KA-3976: Quick syncs are not correctly sending license information for purchased add-ons
KA-3987: Logging into the vault then using using the BE, fails to reset the idle timeout
KA-3988: Logging out after the session token is expired generates an error
KA-3994: Managed Company data is incorrect on full syncs
KA-3995: Attempt to pause a Managed Company fails
KA-4005: Unable to delete a user in the AU data center Admin Console
KA-4003: Throttling error contains "XXX" in the response message
KA-4014: Okta SCIM error - invited user is not deleted on PATCH message

Backend API Version 16.0.6

Released on May 19, 2021

Bug Fixes and Improvements

KA-4012, KA-3596, KA-4015: Resolved several Sharing and Emergency Access related API calls to eliminate all possible enumeration attack vectors on Login V3. Also resolved confusing error messages and popups within the application when handling the sharing handshakes between users. Note that in order to share records between users, a sharing relationship must first exist and be established. In the case of Enterprise accounts, a sharing relationship between users already exists. A share relationship must be established manually for all consumer users and Enterprise-to-consumer accounts, or Enterprise users between different tenants.
KA-4004, KA-4006, KA-4023: Added additional push notifications and auto-syncing to the Admin Console for MSP tenants to trigger instant updates when MC license changes occur, and for Vault Transfer actions.
KA-4052: Resolved issue where linked Family Plans are not getting enough family member licenses added.

Backend API Version 16.0.8

Released on Jun 25, 2021

Bug Fixes

KA-4097: Australia data center unable to perform Vault Transfer
KA-4077: Support RFC7159 "Accept: application/json" and "Accept: application/scim+json"
KA-4078: Support for Account Recovery of expired free users.
KA-4055: Support for Account Recovery of SSO users with clients implementing Login V3
KA-4103: Vault login not properly redirecting the user to the proper datacenter upon clicking on the device approval link.

Improvements

KA-3800: Implemented Role Enforcement policies for Record Type creation
KA-4074: Improved Session Invalidation upon the following events:
- Changed 2FA
- Change master password
- User locked by Enterprise Admin
- User locked by Keeper Support
- Device locked by Enterprise Admin
- Enterprise user deleted
- User deleted via SCIM
- Enterprise deleted
- MSP managed company deleted
- MSP managed company removed
KA-4080: In case of downstream SMS 2FA provider failure, Keeper can offer support for email delivery of 2FA codes.

Backend API Version 16.1.0

Released on Aug 9, 2021

This backend release provides support for the following major capabilities:

Keeper Secrets Manager Provides your DevOps, IT Security and software development teams with a fully cloud-based, Zero-Knowledge platform for managing all of your infrastructure secrets such as API keys, Database passwords, access keys, certificates and any type of confidential data. https://docs.keeper.io/secrets-manager/
GovCloud Support Keeper is going live with AWS GovCloud in the US data center to support FedRAMP compliant environments. AWS GovCloud is designed to host sensitive data, regulated workloads, and address the most stringent U.S. government security and compliance requirements. To discuss GovCloud and FedRAMP compliance, please email govsales@keepersecurity.com.

Backend API Version 16.1.3

Released on Aug 31, 2021

Bug Fixes

KA-4235: Deleted users get "Unable to connect" after attempting to re-register
KA-4204: Deleting pending invited users causes errors when re-adding the user

Backend API Version 16.2.0

Released on Sep 16, 2021

Features

Support for the new Compliance Reports feature which goes into Beta Learn more: https://docs.keeper.io/enterprise-guide/compliance-reports
Support for the new Keeper Automator service for automatic SSO Cloud device approvals Learn more: https://docs.keeper.io/sso-connect-cloud/device-approvals/automator

Bug Fixes

KA-4118: Email delivery rate limiting on Trial signup
KA-4279: Error when moving a user between nodes as a sub-admin

Backend API Version 16.2.8

Released on Oct 18, 2021

Bug Fixes

KA-4220: GovCloud Email device approval link broken
KA-4219: GovCloud Change Email Address function broken
KA-4255: GovCloud Change Master Password email notifications not being sent
KA-4364: Account Transfer of Read Only direct record shares to transferee get elevated permissions (edit/share) for transfer recipient

Features and Improvements

KA-4264: API to convert non-type records to Record Types
KA-4280: Added Compliance Reports event logs to Advanced Reporting & Alerts module
KA-4298, KA-4300: Vault Transfer support for Record Types records (in Admin Console)
KA-4316: Better handling of connection timeouts when setting up the Keeper Automator
KA-4350: Added support for Devo (SIEM provider)

Backend API Version 16.2.12

Release ETA Nov 12, 2021

Bug Fixes and Improvements

KA-4354: "Prevent sharing with file attachments" not working if Record Types activated
KA-4378: If you have an existing MC that is the basic plan and then upgrade it to the Plus plan the BreachWatch and ARAM is not being added to the MC. If you down grade the MC from plus to basic they are getting the getting the add ons added when they should not.
KA-3965: Imported users from CSV are receiving email invites even if "disable invites" selected
KA-4106: No email is sent when account recovery is disabled
KA-4305: Partial email and name searching is not working in Share screens
KA-4405: Team-role mapping of Secrets Manager permissions not working
KA-3292: Allowing Libya and Iraq IP address ranges to access the Keeper service

Backend API Version 16.2.14

Released on Nov 17, 2021

Bug Fixes

KA-4442: Security updates to SSO Cloud. SSO Special thanks to the team at SCHUTZWERK for their findings.

Backend API Version 16.2.15

Released on Dec 8, 2021

Bug Fixes

KA-4388: Changing email address in the vault doesn't update immediately on the Console when clicking Sync
KA-4328: Compliance Report bugs when a record is shared to another Enterprise tenant user.
KA-4393: Compliance Report needs to include consumer accounts when a record is shared externally.
KA-4121: Marking a node as isolated from Commander not working
KA-4425: Previous email verification links are not expiring after generating a new one from changing email address.
KA-4118, KA-4424: Email rate limiting
KA-4471: Some users are not found by SCIM GET query

Improvements

KA-4304: Added additional helpful security information in the "Share" notifications sent through email. The Record UID, Location and device name of the sender is provided.
KA-4389: Provide Team/Group Display Name in SCIM user group queries

Backend API Version 16.3.0

Released on Jan 6, 2022

Features

KA-4409: Support for Keeper Secrets Manager new record creation
KA-4467: Secrets Manager triggers proper push notifications on record update and client device changes
KA-4541: Enable record types for all Business customers.

Bug Fixes

KL-102: Japanese email invite issues with HTML template.
KL-101: Azure Log Analytics endpoint wrong in the Azure GovCloud region
KL-104: ARAM events not being triggered for Secrets Manager events.

Backend API Version 16.3.2

Released on Jan 25, 2022

Features & Improvements

KA-4153: Support for Webauthn and migration from U2F to Webauthn
KA-4507: Support for nested SSO nodes

Backend API Version 16.3.4

Released on Feb 23, 2022

Bug Fixes

KA-4391: Shared folder 'Can Manage Users' should restrict editing default permissions for an Admin outside of their node
KA-4411: Share link invites change the Web Vault interface to the wrong language if the users are set to different languages.
KA-4462: File upload issues with multiple devices open
KA-4144: Custom record type changes not generating instant push notifications
KA-4143: Sending a share invite to a user who is hosted in a different data center is sending the wrong email content
KA-4157: Bugcrowd ticket for rate limiting enterprise invite email
KA-4506: WebAuthn hardware key setup from the Admin Console not functional
KA-4229: Improved Commander "keep-alive" function while using the application to prevent user from being logged out suddenly.
KA-4604: Unable to verify RSA ID

Improvements

KA-4365: Added location information to any email which contains IP address
KA-4144: Added "Login Method" to the ARAM SIEM events so that the Admin knows which method of login was used (SSO, master password, biometrics, alternate SSO master password)
KA-4093: Backend support for new "Stay Logged In" role policy that will allow a Default=ON
KA-4137: Support for Enable Self Destruct role policy
KA-3938: Prevent extra syncing to users when a shared record is simply autofilled

Backend API Version 16.3.6

Released on Feb 25, 2022

This update fixed Session Resumption on Keeper Commander and Keeper Azure Function for device approvals.

Commander

For Commander users, there is no change required. Persistent login will begin working after the next successful master password login.

Azure Functions

For Azure Functions, you'll need to generate a new config.json file from Commander and then upload the file to Azure.

See the link below for step-by-step instructions to update the Azure function config file:

https://docs.keeper.io/sso-connect-cloud/device-approvals/azure-function#troubleshooting-and-repairing-failed-logins

Backend API Version 16.4

Released on April 4, 2022

Bug Fixes

KA-4647: SMS delivery issues
KA-4561: SCIM totalResults is incorrect in some cases
KA-4555: Allow SCIM "filter" param to search users by email
KA-4609: Wrong email template sent when user changes email
KA-4444: Missing ARAM event when user added to a default role
KA-4390: Accepting Enterprise Invite needs to send a Push to console
KA-4657: SCIM fails on user PATCH with emails as an Array
Several other bug fixes

Features

KA-4666: Support for Keeper One Time Share
KA-4676: Support for new role policy to change Stay Logged In default to ON

Backend API Version 16.4.1

Released on April 8, 2022

Bug Fixes

KA-4702: Slow query causing timeouts on login

Backend API Version 16.5.1

Released on May 2, 2022

Features

Added new policy for requiring Self Destruct (REQUIRE_SELF_DESTRUCT)
Added support for Keeper Automator 2.0

Bug Fixes

Security updates based on NCC Group pen test

Backend API Version 16.5.2

Released on May 11, 2022

Improvements

KA-4551: SAML Library updates
KA-3929: FIPS-140-2 Bouncy Castle updates
JA-4717: Java updates

Bug Fixes

KA-4731: Missing ARAM One-Time Share Expired events
KA-4469: Record Type link changes doesn't sync to affected users
KA-4737: Record Type does not support record larger than 32kb
KA-4752: Errors during onboarding new users on Cloud SSO while migration taking place from SSO On-Prem to SSO Cloud
KA-4760: Azure SIEM export verification issues in GovCloud region

Backend API Version 16.5.x

May and June 2022 Releases

Release 16.5.4 on May 13, 2022

KA-4769: An email in 2 regions may get wrong region link from email invites.

Release 16.5.5 on May 14, 2022

KA-4770: Error creating SSO Connect instance

Release 16.5.6 on May 21, 2022

KA-4773: Improved SAML certificate checking

Release 16.5.7 on May 22, 2022

KA-4776: Emptying trash breaks version 3 record file attachments

KA-4109: Issues with password recovery for SSO users that have only have an SSO Master Password

Release 16.5.8 on May 24, 2022

KA-4778: Login issues with account_summary API are generating long delays

KA-4779: SCD Provisioning errors

Release 16.5.9 on June 8, 2022

KA-4570: Added keeper_fill_auto_suggest policy which controls the Browser Extension "suggestion" feature.

KA-4750: One time share link denied if record is deleted

KA-2620: After a vault transfer, the records were not immediately syncing to the recipient until logout/login.

KA-4788: Fixed email invites during Cloud SSO migration.

KA-4799: Forcing Stay Logged In to ON caused new vault users to error out.

Release 16.5.10 on June 16, 2022

KA-4749: If User A transfers record ownership to User B, then User B deletes the record - it does not appear in the trash.

Release 16.5.12 on July 17, 2022

KA-4863: Scenario where SSO login window closes before the browser extension can process data.

KA-4864: Handling for SSO login browsers where Javascript is not supported, such as with Devolutions integration.

KA-4283: Record Type attachment records or links are not properly restored via revisions or recovery from trash can.

Release 16.5.17 on Aug 12, 2022

KA-4894: Automator communication improved when the device has network failure issues.

Release 16.5.18 on Aug 26, 2022

KA-4933: Support for Domain Aliases. For customers who are changing their email domain for all their employees, they can open a support ticket and we can add a Domain Alias. This prevents any issues when changing emails from the identity provider.

Backend API Version 16.6.x

Released Sept 2, 2022

Bug Fixes

KA-4892: Share Admin implementation for Managed Companies
KA-4885: Event record_add not generated if a record is added directly to a shared folder
KA-4912: Incorrect message when deleting a shared-folder-folder
KA-4935: Stay Logged In (persistent login) showing OFF in situations when it's ON
KA-4984: SSO login and logout generates 502 error for some customers

Features

KA-2593: Share Admin feature
KA-4188: Add the owner's email to the ARAM record removal event
KA-4844: MSP to MC Team Sharing
KA-4619: Support for multi-pagination syncing
KA-4832: Support the ability for Keeper Secrets Manager to delete a record

Backend API Version 16.7.x

Released on Sept 10, 2022

Features

KA-3849: MSP Consumption Billing model

Bug Fixes

KA-4989: Give proper error message when out of licenses
KA-4833: Records that were transferred ownership are missing from the “Transferred: User” folder and are placed in the Deleted Items bin.
KA-4998: Certain manipulations with sharing a record and transferring ownership leads to invalid record key
KA-4992: Various security updates from CodeQL findings
KA-5094: Null pointer exception during update_secret calls
KA-5118: Consolidated event reports are throwing errors in Keeper Commander and UI

Backend API Version 16.8.x

Released on Nov 23, 2022

Features

KA-4917: Add support for new SIEM providers: Datadog, Logz.io, Elastic
KA-5017: Support for MSP Distributors
KA-5019: Creation of bulk user upload API for Admin Console CSV import

Bug Fixes

KA-5120: Keeper DNA login broken on the Web Vault
KA-4956, KA-5085: Errors from record linking and record history
KA-5096: Email not being triggered when an enterprise runs out of licenses
KA-4275: Remove from All Shares API / Button in the vault throws error
KA-5078: Improved query performance
KA-4726: SSO Connect bug from NCC Group pen test in October 2022

Backend API Version 16.8.7

Released on Jan 20, 2023

New Features

KA-5090: Added role enforcement policy MAXIMUM_RECORD_SIZE to restrict overall Keeper record size. To enforce this policy, please use the Keeper Commander CLI or open a support ticket. When enforced, if the user attempts to create a record with a size greater than the allowed amount, the user will receive the following error message:

KA-4853: Email alias API for Admins. In a future update, the Enterprise Console will allow the Keeper Admin to create an email alias for a user within the organization. This can also be accomplished with Keeper Commander using the enterprise-user --add-alias feature
KA-5091: Added policy to prevent sharing to a user outside of an isolated node. The enforcement policy code is RESTRICT_SHARING_OUTSIDE_OF_ISOLATED_NODES and this can be set from Keeper Commander's enterprise-role command.
KA-4945: Created a new API to View and Restore deleted shared records for all participants.

Records deleted from Shared Folders are difficult for participants to locate, if there are many people who manage a shared folder. They are forced to look in everyone's "Deleted" trash bin, which is not practical. We have implemented new backend features to view and restore deleted shared records.

New ARAM events associated with this feature are below.

New Event

Description

shared_folder_restored

User ${username} restored shared folder UID ${shared_folder_uid}

shared_folder_record_restored

User ${username} restored record UID ${record_uid} in shared folder UID ${shared_folder_uid}

shared_folder_folder_restored

User ${username} restored shared folder folder UID ${folder_uid}

shared_folder_folder_record_restored

User ${username} restored record UID ${record_uid} in shared folder folder UID ${folder_uid}

The front-end support for viewing deleted shared records are planned in an upcoming Web Vault and Desktop App release.

Bug Fixes

KA-4755: IdP-initiated account creation fails when the Vault Transfer policy expiration time has expired.
KA-4888: Missing ARAM event when changing the name of a Managed Company
KA-4786: Records moved out of a shared folder are still showing the "Share" icon in the UI
KA-4428: Enforcement to restrict sharing when a file is attached did not take into account editing the record after initial creation.
KA-4809: Removed ARAM event that was not implemented
KA-5027: User and team searches in sharing auto-suggest UI had bad matches for some search strings
KA-5038: Compliance report is not displaying correctly for Share Admin who gained access to a record from a team.
KA-5117: Duplicate email being sent on account creation
KA-5114: Invited users showing in user criteria filter in Compliance Reports
KA-5112: Transfer Account feature can sometimes cause a transferred record to set the wrong permissions on the record, and sometimes create duplicate records.
KA-5093: If you log in with the an admin assigned to the Keeper Admin role and attempt to move yourself to any other node you are presented with an error that states “you may not move yourself into an SSO-enabled node. Please contact keeper for assistance.
KA-5023: If an SSO Cloud user is deleted from Enterprise console, logging into Android via IDP no longer properly onboards the user (an error dialog appears, user is unable to progress).
KA-4543: Error on Android devices when onboarding through SSO Cloud
KA-5193: Team member is able to incorrectly delete a Shared Folder without proper levels of permission.
KA-5187: Github ticket on Keeper Secrets Manager: record can be created with read-only app permissions.

Improvements

KA-4937: Added throttling on SAML requests via SSO Cloud to prevent spamming. By default, the throttling logic is > 10 requests within 10 seconds. If 10 seconds passes since last request, the count resets. When throttled, response will be a 403 with a message indicating throttling.
KA-4919: Added additional throttling on Keeper Secrets Manager APIs including add_file, create_secret, delete_secret, update_secret, get_secret.
KA-5175: New and improved "welcome" emails when signing up with a trial or purchase
KA-5145: At the request of customers, we have removed MSP Share Admins from the Managed Company's sharing autosuggest list.