# 2026-01-05

## Summary

This release introduces a public Changelog, adds client-scoped webhook management endpoints, and simplifies authentication so that JWT is the primary credential used for API operations.

## Added

### Public Changelog — *Added* [Docs]

**Impact:** You can track API and documentation changes in one place, with daily release notes.

**Action required:** None.

**References:** [Changelog home](/products/fincore/changelog)

### Client-scoped Webhooks Management endpoints — *Added* [Behavior] [Operational]

**Impact:** You can manage webhooks per client (list, create, retrieve, update, delete) using client-scoped endpoints.

**Action required:** Prefer the client-scoped endpoints for all webhook operations.

**References:**

- `GET /v1/clients/{clientId}/webhooks` — list webhooks for a client
- `POST /v1/clients/{clientId}/webhooks` — create a webhook for a client
- `GET /v1/clients/{clientId}/webhooks/{id}` — retrieve a webhook
- `PATCH /v1/clients/{clientId}/webhooks/{id}` — update a webhook
- `DELETE /v1/clients/{clientId}/webhooks/{id}` — delete (soft-delete) a webhook

### WebhookUpdateRequest schema — *Added* [Behavior]

**Impact:** Webhooks can be partially updated (e.g., `url`, `token`, `webhook_status`, optional `auth_*` fields).

**Action required:** When updating a webhook, send only the fields you want to change.

**References:** `PATCH /v1/clients/{clientId}/webhooks/{id}`

## Changed

### Authentication simplification (JWT-first) — *Changed* [Behavior] [Operational]

**Impact:** `x-api-key` is now **bootstrap-only** (used to obtain a JWT). After a JWT is issued, API calls should use **only** `Authorization: Bearer <JWT>`.

**Action required:** Stop sending `x-api-key` on operational API calls; keep it only for JWT bootstrap flows.

**References:** `POST /v1/clients/{clientId}/auth/credential-tokens`

### CEP webhook clarification for Penny Validation — *Changed* [Docs] [Operational]

**Impact:** The CEP webhook is triggered only for **Penny Validation** transactions (`amount = 0.01 MXN`). `INITIALIZED` may appear on API reads but is **not emitted** by the CEP webhook and should be treated as `PENDING`.

**Action required:** Ensure your CEP webhook consumer does not expect `INITIALIZED` events; treat API-read `INITIALIZED` as `PENDING`.

**References:** `/products/fincore/guides/penny_validation`

## Deprecated

### Legacy webhook creation endpoint — *Deprecated* [Breaking]

**Impact:** `POST /v1/webhooks` is deprecated in favor of the client-scoped endpoint.

**Action required:** Migrate to `POST /v1/clients/{clientId}/webhooks`.

**References:** `POST /v1/clients/{clientId}/webhooks`

## Migration notes

1) **JWT-first auth**
   - Use `x-api-key` to obtain a JWT.
   - Use `Authorization: Bearer <JWT>` for all subsequent API calls.

2) **Webhook creation**
   - If you used `POST /v1/webhooks`, migrate to:
     - `POST /v1/clients/{clientId}/webhooks`
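
A client-side guard for the migration notes above, as an added example that is not part of these release notes or of any vendor SDK. The names `prepare_request`, `effective_status` and `AuthPolicyError` and all sample values are assumptions; only the header names, paths and status values come from this page.

```python
import re

# Paths as listed in this changelog; the guard itself is an illustrative assumption.
BOOTSTRAP = re.compile(r"^/v1/clients/[^/]+/auth/credential-tokens$")
LEGACY_WEBHOOKS = re.compile(r"^/v1/webhooks$")
CREDENTIAL_HEADERS = ("x-api-key", "authorization")


class AuthPolicyError(ValueError):
    """Raised when a request cannot be sent under the JWT-first rules."""


def prepare_request(method, path, client_id, headers, api_key=None, jwt=None):
    """Return (method, path, headers) that follow the JWT-first rules.

    - x-api-key is attached only to the bootstrap endpoint.
    - Every other call carries only Authorization: Bearer <jwt>.
    - The deprecated POST /v1/webhooks is rewritten to the client-scoped route.
    """
    method = method.upper()
    # Discard credential headers set by the caller (header names are
    # case-insensitive), so a leftover x-api-key cannot ride along.
    clean = {k: v for k, v in headers.items()
             if k.lower() not in CREDENTIAL_HEADERS}

    if method == "POST" and LEGACY_WEBHOOKS.match(path):
        path = f"/v1/clients/{client_id}/webhooks"

    if method == "POST" and BOOTSTRAP.match(path):
        if not api_key:
            raise AuthPolicyError("bootstrap call needs x-api-key")
        clean["x-api-key"] = api_key
    else:
        if not jwt:
            raise AuthPolicyError("operational call needs a JWT; bootstrap first")
        clean["Authorization"] = f"Bearer {jwt}"
    return method, path, clean


def effective_status(status):
    """Status seen on an API read: INITIALIZED is handled as PENDING."""
    return "PENDING" if status == "INITIALIZED" else status
```

Routing every outbound call through one function like this keeps the long-lived API key out of operational traffic and request logs, and makes a stray `x-api-key` a test failure rather than a silent leak.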