
Release Version 4.52.0 (February 19, 2026)

19. 02. 2026

Pre-deployment steps

To be done before deployment

Check configuration changes and apply them in the application.yaml if the default configuration has been overridden there

Check if the release contains migrations. Migrations can affect deployment and downtime.

Use GET /i18n/export/{fileName} to download files with current i18n properties. Check if the downloaded file is correct.

Post-deployment steps

To be done after deployment

Verify permission changes and assign or remove required permissions if they have been overridden

Add new properties from the I18n properties changes to the downloaded i18n properties file and add translation for them if needed.

Use POST /i18n/import to upload and apply the previously downloaded i18n file with the new properties added.

Release migrations


Created new table: api_refresh_token
Added token_version field to:

  • user_user_def.security_token_version – Master version per user

  • api_auth_token.token_version – Access token validation

  • api_refresh_token.token_version – Refresh token validation

Changes to notice


The Corporate role was deleted from the UI; company creation functionality should be used instead.

New functionality

Feature

Description

Benefits

Ability to delete currency if it is not used

The service user can delete currency if it is not used:

  • There are no client wallets in this currency

  • Currency is not main

  • There are no operations with this currency

During currency deletion, the following is performed:

  • closing all WorkingDays in statuses open and requested_to_close

  • soft-deleting all commission profiles associated with this currency

  • soft-deleting all system, cash_desk, gate_provider coins associated with this currency

  • soft-deleting currency

More flexible system management.

Ability for service users to enable/disable 2FA using an authenticator application.

Service users can enable 2FA and connect an authenticator application to generate TOTP.

When 2FA is enabled, and the authenticator application is connected, the screen to enter TOTP is shown during login after the user specifies credentials.

Security enhancement.

Fireblocks integration

Fireblocks is an institutional digital asset infrastructure that provides secure custody and on-chain transaction execution, and its integration with SDK.finance enables crypto assets to be managed within a ledger-based financial system with controlled withdrawals, validated deposits, policy-driven execution, and full operational and accounting oversight.

Feature

Description

Ability to cancel a withdrawal rejected due to the limit.

The administrator cancels the withdrawal that was rejected due to safe withdrawal limits or insufficient liquidity.

SDK.finance releases the previously held amount on the user account and marks the withdrawal business process with a status indicating that it was cancelled by the user.

Ability to process a withdrawal rejected due to the limit.

The administrator manually processes a withdrawal request that was rejected due to withdrawal limits or insufficient liquidity.

SDK.finance finishes the withdrawal process and marks it as manually processed.

Ability to initiate deposit validation with or without checking the vault_account.asset.balance_updated event.

The administrator initiates a manual validation of a deposit transaction that was marked as not validated because a corresponding vault_account.asset.balance_updated event with the same blockHeight and blockHash was not received after a transaction.status.updated event with status COMPLETED and substatus CONFIRMED.

During manual validation, SDK.finance attempts to resolve the missing balance update event.

If it is still not found, the transaction may be explicitly validated by an administrator based on external verification (for example, via Fireblocks Console and blockchain explorer).

Validate with checking vault_account.asset.balance_updated event: POST /gate/transactions/deposit/{txId}/validate/auto

Validate without checking vault_account.asset.balance_updated event: POST /gate/transactions/deposit/{txId}/validate/manual
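The matching rule behind the "not validated" state, as an added example (not SDK.finance or Fireblocks code). The flat event records and their key names are constructed for illustration and are not the Fireblocks webhook payload schema; the sketch follows the wording above and only counts a balance update that arrives after the status event.

```python
STATUS = "transaction.status.updated"
BALANCE = "vault_account.asset.balance_updated"


def classify_deposits(events):
    """Map txId -> 'validated' / 'not_validated' for an ordered event list."""
    result = {}
    for i, ev in enumerate(events):
        if ev["type"] != STATUS:
            continue
        if (ev["status"], ev["substatus"]) != ("COMPLETED", "CONFIRMED"):
            continue
        block = (ev["blockHeight"], ev["blockHash"])
        # A deposit is validated only if a later balance update carries
        # the same blockHeight AND the same blockHash.
        matched = any(
            later["type"] == BALANCE
            and (later["blockHeight"], later["blockHash"]) == block
            for later in events[i + 1:]
        )
        result[ev["txId"]] = "validated" if matched else "not_validated"
    return result


# Constructed sample events (hypothetical values).
SAMPLE_EVENTS = [
    {"type": STATUS, "txId": "tx-1", "status": "COMPLETED",
     "substatus": "CONFIRMED", "blockHeight": 100, "blockHash": "0xaaa"},
    {"type": BALANCE, "blockHeight": 100, "blockHash": "0xaaa"},
    {"type": STATUS, "txId": "tx-2", "status": "COMPLETED",
     "substatus": "CONFIRMED", "blockHeight": 101, "blockHash": "0xbbb"},
    # Same height, different hash: must not count as a match.
    {"type": BALANCE, "blockHeight": 101, "blockHash": "0xbbc"},
    # No balance update at all for this one.
    {"type": STATUS, "txId": "tx-3", "status": "COMPLETED",
     "substatus": "CONFIRMED", "blockHeight": 102, "blockHash": "0xccc"},
]

if __name__ == "__main__":
    print(classify_deposits(SAMPLE_EVENTS))
```

Deposits reported as not_validated here are the ones an administrator would send to the auto or manual validation endpoints listed above.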

Webhook dispatcher

The webhook dispatcher allows integrations to be built at the middleware level based on events emitted by SDK.finance, without requiring any changes to the SDK.finance codebase, enabling external systems to react to platform events and implement new integrations in a flexible, event-driven way.

Feature

Description

Ability to view and filter the list of webhook notifications generated by SDK.finance.

Service user can retrieve a paginated list of webhook notifications generated by SDK.finance with the following parameters:

  • id

  • resourceId

  • status

  • eventType

  • createdAt

  • deliveryAttempts

  • sentAt

Improvements

Feature

Description

Backoffice UI and Mobile application use bundles uploaded to back-end.

To change text on the UI, APIs from I18n management can be used.

Ability to edit the organisation profile depends on the status. When trying to edit the profile in the forbidden status, an error is returned: exception.profile.edit_forbidden

Validation will be applied to

  • company

  • shareholder

  • individual

| Status | Description | Ability to edit | Ability to upload documents |
|---|---|---|---|
| NONE | just for created users | Allowed | Allowed |
| PENDING | when company is marked as ready for review | Not allowed | Not allowed |
| REVIEW_REQUIRED | needs a manual review from Compliance for further action (also used when the identification flow goes through third-party vendors, e.g. ComplyAdvantage or SumSub via Node-RED) | Allowed | Allowed |
| DECLINED | when identification status is declined | Not allowed | Not allowed |
| APPROVED | when identification status is approved | Not allowed | Not allowed |
| CLOSED | | Not allowed | Not allowed |

User credentials are separated from the organisation profile and separate APIs are implemented to manage credentials.

1. To create a request to update login credentials.

permission required: LOGIN_CREDENTIALS_OWNER, LOGIN_CREDENTIALS_MANAGER

POST /users/:userId/login-credentials

2. To confirm login.

permission required: LOGIN_CREDENTIALS_OWNER

PATCH /users/:userId/login-credentials

Ability for Compliance to return the organisation to the None status, so it is available for update, if it was previously declined.

Compliance can return a Declined organisation to the None status, so it is available for update.

Status flow when a declined organisation is returned for update:

| Entity | Old status | New status |
|---|---|---|
| Organisation | Declined | None |
| Organisation documents (if exist) | In verification | Declined |
| Organisation documents (if exist) | Approved | Outdated |
| Organisation documents (if exist) | Declined | Declined |
| Shareholders (if business organisation) | Pending | None |
| Shareholder document (if Shareholder is pending) | In verification | Declined |
| Shareholder document (if Shareholder is pending) | Approved | Outdated |
| Shareholder document (if Shareholder is pending) | Declined | Declined |
| Shareholders (if business organisation) | Declined | Declined |
| Shareholders (if business organisation) | Approved | Approved |

Improved JWT tokens implementation according to security best practices:

  • Refresh token replay attack prevention – Single-use enforcement

  • Token rotation – New refresh token issued on each refresh

  • Mass token revocation – Version-based invalidation

  • Precise token tracking – JTI support for individual token control

  • Audit trail – Complete token lifecycle tracking

  • Reduced attack surface – Database validation for all refresh operations

  1. Database-Backed Refresh Tokens

  • New Entity: RefreshToken (api_refresh_token table)

  • Security Enhancement: Refresh tokens are now stored in the database with SHA256 hashing, enabling:

    • Single-use enforcement (prevents replay attacks)

    • Precise token revocation

    • Audit trail for token usage

    • Token rotation on each refresh

  2. Token Versioning System

  • Added token_version field to:

    • user_user_def.security_token_version – Master version per user

    • api_auth_token.token_version – Access token validation

    • api_refresh_token.token_version – Refresh token validation

Purpose: Enables global token invalidation by incrementing the user’s token version. All tokens with mismatched versions are automatically rejected.

Triggers for version increment:

  • Password changes

  • Security events

  • Role changes

  • Manual token revocation by user or admin

  3. JWT ID (JTI) Support

  • Access tokens now use their database ID as the JTI claim

  • Enables precise token tracking and revocation

  4. New Token Management API

  • New Controller: TokenManagementController

  • New Permissions: TOKEN_MANAGER, TOKEN_OWNER

  • Endpoint: DELETE /v1/user/{userId}/token – Invalidates all user tokens

  5. Token Retention & Cleanup

  • New Config: TokenRetentionConfig with TOKEN_RETENTION_DAYS (default: 90 days)

  • Enhanced Timer: DeleteExpiredTokenTimer now handles:

    • Permanent deletion of expired tokens after retention period

    • Cleanup of both access and refresh tokens

    • Compliance/audit retention requirements
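How hashed storage, single-use rotation and version-based invalidation fit together, as an added sketch (not SDK.finance code). The class, method names and in-memory dictionaries are hypothetical stand-ins for user_user_def.security_token_version and the api_refresh_token table.

```python
import hashlib
import secrets


class TokenStore:
    """In-memory stand-in for user_user_def and api_refresh_token (assumed layout)."""

    def __init__(self):
        self.user_version = {}  # user_id -> security_token_version
        self.refresh = {}       # sha256(token) -> row; the raw token is never stored
        self.audit = []         # token lifecycle events

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        version = self.user_version.setdefault(user_id, 1)
        token = secrets.token_urlsafe(32)
        self.refresh[self._digest(token)] = {
            "user": user_id, "token_version": version, "used": False}
        self.audit.append(("issued", user_id))
        return token

    def refresh_token(self, token):
        """Return (new_token, outcome); new_token is None when rejected."""
        row = self.refresh.get(self._digest(token))
        if row is None:
            return None, "unknown"
        if row["used"]:  # single-use enforcement: a replayed token is refused
            self.audit.append(("replay_rejected", row["user"]))
            return None, "replayed"
        if row["token_version"] != self.user_version[row["user"]]:
            self.audit.append(("version_rejected", row["user"]))
            return None, "version_mismatch"
        row["used"] = True  # rotation: the old token is spent, a new one is issued
        return self.issue(row["user"]), "rotated"

    def revoke_all(self, user_id):
        """Mass revocation: bump the master version (password change, role change...)."""
        self.user_version[user_id] = self.user_version.get(user_id, 1) + 1
        self.audit.append(("revoked_all", user_id))
```

Because only the SHA-256 digest is kept, a leaked copy of the table does not yield usable refresh tokens, and every refresh requires a lookup against the store.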

UI change: Asset is renamed to Currency.

Asset is renamed to Currency on the Backoffice UI.

API changes

Updated

POST /users/view

Added credentials node (CredentialsDto component) for UserDto component.

Moved email, unverifiedEmail, phoneNumber, unverifiedPhone fields from ContactDto to CredentialsDto, that is, from the contact node to the credentials node.

Removed email and primaryPhoneNumber fields from ProfileContactUpdateReq for APIs
PATCH /organizations/{organizationId}/profile
PATCH /profiles/{userId}/contact
POST /profiles/my/contact

POST /organizations/{organizationId}/identification

The permission COMPANY_REVIEWER was removed from this API operation.

The permission ORGANIZATION_REVIEWER was added to this API operation.

Added

POST /users/{userId}/login-credentials

PATCH /users/{userId}/login-credentials

DELETE /currencies/:currencyId

GET /webhook-event

POST /gate/transactions/{tx}/action

with actions:

  • CANCEL_REJECTED_BY_LIMIT

  • PROCESS_REJECTED_BY_LIMIT

POST /gate/transactions/deposit/{txId}/validate/auto

POST /gate/transactions/deposit/{txId}/validate/manual

DELETE /v1/user/{userId}/token

Deprecated/Deleted

I18n properties changes

Added

core.notification.update_credentials_login.current_login.confirm.email_text=Update login credentials process. To confirm the existing login use this short code: </br><b>${confirmCode}</b>
core.notification.update_credentials_login.current_login.confirm.sms=Update login credentials process. To confirm the existing login use this short code: ${confirmCode}
core.notification.update_credentials_login.current_login.confirm.email_subject=Update login credentials process. Confirm existing login
core.notification.update_credentials_login.new_login.confirm.sms=Update login credentials process. To confirm the new login use this short code: ${confirmCode}
core.notification.update_credentials_login.new_login.confirm.email_text=Update login credentials process. To confirm the new login use this short code: </br><b>${confirmCode}</b>
core.notification.update_credentials_login.new_login.confirm.email_subject=Update login credentials process. Confirm new login
core.notification.addition_credentials_login.new_login.confirm.sms=Addition login credentials process. To confirm the new login use this short code: ${confirmCode}
core.notification.addition_credentials_login.new_login.confirm.email_subject=Addition login login credentials process. Confirm new login
core.notification.addition_credentials_login.new_login.confirm.email_text=Addition login credentials process. To confirm the new login use this short code: </br><b>${confirmCode}</b>
core.exception.login_credential.action_type.is_not_supported=Login credentials operation type is not supported.

core.exception.currency.currency_can_not_be_deleted=Currency can't be deleted. Cause: {0}

options of messages

core.exception.currency.currency_can_not_be_deleted=Currency can't be deleted. Cause: there are client coins associated with this currency.
core.exception.currency.currency_can_not_be_deleted=Currency can't be deleted. Cause: there are operations associated with this currency.
core.exception.currency.currency_can_not_be_deleted=Currency can't be deleted. Cause: there are transactions (Tx) associated with this currency.

Configuration changes

New Environment Variable:
TOKEN_RETENTION_DAYS=90 # Days to retain deleted tokens (audit/compliance)

core.organizations.permission-configs[*].default-status for each organisation type was deleted from the application-organizations.yaml file.

The new fields default-org-status and default-org-status-by-org-type were added under core.organizations section in application-organizations.yaml file:

core:
  organizations:
    ...
    default-org-status: 'approved'
    default-org-status-by-org-type:
      - type: 'individual'
        status: 'none'
      - type: 'merchant'
        status: 'none'
      - type: 'corporate'
        status: 'none'

If the organisation type is included in the default-org-status-by-org-type list, its status field value is used as the default organisation status; otherwise, the default-org-status field value is used as the default organisation status.

If this configuration needs to be modified for a specific environment, add the fields shown above to the application.yaml file on that environment and adjust them according to requirements.

Database changes

Created new table: api_refresh_token

Permission changes

New permission WEBHOOK_EVENT_VIEWER was added and granted to the following roles:

  • administrator

New permission ORGANIZATION_REVIEWER was added and granted to the following roles:

  • administrator

  • ceo

  • kyc_specialist

New permission LIMITED_TRANSACTIONS_VALIDATION_EXECUTOR was added and granted to the following roles:

  • administrator

  • ceo

Added TOKEN_OWNER permission to all roles

Added TOKEN_MANAGER to the following roles:

  • administrator

  • ceo

New permissions DEPOSIT_TRANSACTION_MANUAL_VALIDATION_EXECUTOR and DEPOSIT_TRANSACTION_AUTO_VALIDATION_EXECUTOR were added and granted to the following roles:

  • administrator

  • ceo