Changelog
Shipped milestones on the road to GA — honest, drawn from the implementation status.
Qeet ID is pre-1.0, targeting July 2026 GA. This changelog tracks the major capabilities that are implemented and tested today. Dates are approximate milestone markers, not release tags.
Everything below is verified in source with unit + integration tests (testcontainers). Items that depend on your cloud/domain (KMS key material, email/SMS deliverability, conformance runs) are noted as external dependencies on the relevant pages, not as missing code.
Be-a-provider milestone
- OIDC/OAuth2 provider — discovery, JWKS, dynamic client registration, Authorization Code + PKCE (S256), hosted login + consent, ES256 ID tokens, userinfo, refresh rotation, RFC 7009 revoke, RFC 7662 introspect, and RP-initiated logout. See OIDC.
- Device Authorization Grant (RFC 8628) — for CLI/TV/IoT, including the hosted /deviceapproval page. See Device grant.
- client_credentials (M2M) via service principals. See M2M.
- Asymmetric signing — ES256 (P-256), RFC 7638 kid, retired-key grace window, alg-confusion guard.
Enterprise federation
- SAML 2.0 — both sides: SP (consume external IdPs, JIT) and IdP (register downstream SPs, IdP metadata, SP- and IdP-initiated SSO, RSA-SHA256 assertions). See Enterprise.
- SCIM 2.0 — Users + Groups with PatchOp membership sync and per-tenant bearer tokens. See SCIM.
- LDAP — bind login + connection CRUD / test-bind. See LDAP.
Authentication & MFA
- Passkeys / WebAuthn — registration + passwordless login (previously stubbed; now live). See Passkeys.
- Social login — per-tenant OIDC-discovery providers with account linking (previously stubbed; now live). See Social login.
- MFA — TOTP + recovery codes, email/SMS OTP factors, WebAuthn as a second factor, and step-up MFA gated by a recent-verification window. See MFA.
- Sessions — refresh-token rotation + theft detection, per-account lockout, session list/revoke. See Sessions.
- Breached-password rejection via HIBP k-anonymity (off by default, fail-open).
Authorization
- RBAC with a single-call /check, group-level roles, and explainable authz (?explain=true grant-path trace). ABAC policy per tenant. See Authorization.
Platform, security & delivery
- Tamper-evident audit — append-only, SHA-256 hash-chained, with /verify. See Audit.
- Webhooks — HMAC-SHA256, transactional outbox, backoff retries, DLQ. See Webhooks.
- GDPR — erasure (audit survives, PII redacted), export, retention auto-purge. See GDPR.
- Secrets vault — per-tenant AES-256-GCM via a pluggable KeyProvider (AWS KMS drops in). Production boot-gate refuses insecure defaults.
- Distributed rate limiting (Redis token bucket), Prometheus metrics + OpenTelemetry tracing, and a Helm chart + DR runbook.
- SDKs (5 targets) — TypeScript, Next.js, React, Go, Python. See SDKs.
- OpenAPI — 142 paths / 184 operations, 100% route coverage guarded in CI.
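To make the "append-only, SHA-256 hash-chained, with /verify" item concrete, here is an added illustration of how such a chain detects an after-the-fact edit. It is not Qeet ID's own code; the entry fields, the genesis value and the serialisation are assumptions chosen for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # constructed anchor value the first entry chains to


def canonical(payload: dict) -> bytes:
    # Stable serialisation: the same record must always produce the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, payload: dict) -> str:
    # Each entry commits to its predecessor's hash, so editing or dropping any
    # earlier entry changes every hash after it.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(payload))
    return h.hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)  # append-only: [(payload, hash), ...]

    def append(self, payload: dict) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        digest = entry_hash(prev, payload)
        self.entries.append((payload, digest))
        return digest

    def verify(self):
        # What a /verify endpoint does: recompute the chain from genesis and report
        # the index of the first entry whose stored hash no longer matches.
        prev = GENESIS
        for i, (payload, stored) in enumerate(self.entries):
            if entry_hash(prev, payload) != stored:
                return False, i
            prev = stored
        return True, None


def demo():
    log = AuditLog()
    log.append({"seq": 1, "actor": "alice", "action": "login", "tenant": "t1"})       # constructed
    log.append({"seq": 2, "actor": "alice", "action": "role.grant", "tenant": "t1"})  # constructed
    log.append({"seq": 3, "actor": "bob", "action": "login", "tenant": "t1"})         # constructed
    ok_before, _ = log.verify()
    # Simulate someone with raw database access rewriting entry 2 in place.
    tampered = {"seq": 2, "actor": "alice", "action": "login", "tenant": "t1"}
    log.entries[1] = (tampered, log.entries[1][1])
    ok_after, bad_index = log.verify()
    return ok_before, ok_after, bad_index
```

Note that redaction for GDPR erasure (as the GDPR item describes) must be designed so the chain stays verifiable; this example only shows detection of an unplanned edit.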
On the roadmap (not yet shipped)
- Token-exchange (RFC 8693) / CIBA; adaptive/risk-based MFA and bot detection; fine-grained / ReBAC authorization; externally-verifiable (Merkle) audit; prebuilt React components and actions/hooks extensibility; Node/Rust/React-Native SDKs.