API changelog

Every notable change to the Crove REST API. Breaking changes are called out in bold and versioned to give integrators lead time.

API changelog

We version the API by URL path (/api/external/v1/…) and ship non-breaking additions without bumping the version. Breaking changes — which we try hard to avoid — would land on a new path (/v2/…) and run alongside /v1/ for at least 6 months before deprecation.

You can always check what's current at /docs/api-reference/overview.

2026-04 — Compliance bundle + activity filters

Additions:

POST /documents/{id}/download-bundle — returns a ZIP containing the response PDF, audit trail PDF, response JSON, respondent roster, and full per-document activity stream. Useful for lawyer / compliance handoffs without gluing three endpoints together.
GET /activity?events=…&actor=…&actorId=…&from=…&to=…&q=… — added filter params for the audit log. actorId pins the stream to a single team member; events takes a comma-separated list of event types. See /docs/account/audit-log for the catalog.
GET /activity/export — admin-gated CSV export of the same query. 10k row cap; use the date range to chunk.

Changes:

All list endpoints now return an X-RateLimit-* header triple (Limit, Remaining, Reset) even on 2xx. Previously these were only present on 429 responses.

Additions:

PATCH /documents/{id}/auto-reminder — toggle the per-document reminder cadence (1 / 3 / 7 / 14 days). The cron honors respondent opt-out state and logs each reminder to the audit stream as a respondent.reminded event with actorType: system.
Templates now carry a publicLinkConfig.requireLogin boolean that gates the fill page behind Crove authentication. When set, the public fill URL returns 401 + requiresLogin: true so the client can redirect to /sign-in.

2026-02 — Outgoing webhooks + HMAC

Additions:

POST /webhooks — workspace-level subscriptions for 30+ event types. Delivery log + retry-with-exponential-backoff included.
Every outgoing webhook now carries an X-Crove-Signature header:
```
X-Crove-Signature: t=1712345678,v1=<hex-hmac-sha256>
```
Signed over timestamp + "." + body with the per-webhook secret.

Deprecations:

X-Crove-Webhook-Key header removed. Old code signing via shared key should migrate to X-Crove-Signature — see /docs/webhooks/outgoing-webhooks for the verification pattern.

2026-01 — Public API launch (v1)

Launch:

GET/POST /documents — list and create. Pre-fill support via the response object on create.
GET /documents/{id}/pdf — download completed PDF.
POST /documents/{id}/send — fire email invitations to listed signers.
GET /templates — list templates including their symbolTable so you can pre-fill correctly.
Bearer-token authentication (Authorization: Bearer <API_KEY>).
Rate limit: 100 req/min per key, shared across the workspace.

Older endpoints / betas prior to January 2026 aren't listed here; anyone still relying on them should contact support to confirm their migration path.

API changelog

You can always check what's current at /docs/api-reference/overview.

2026-04 — Compliance bundle + activity filters

Additions:

POST /documents/{id}/download-bundle — returns a ZIP containing the response PDF, audit trail PDF, response JSON, respondent roster, and full per-document activity stream. Useful for lawyer / compliance handoffs without gluing three endpoints together.
GET /activity?events=…&actor=…&actorId=…&from=…&to=…&q=… — added filter params for the audit log. actorId pins the stream to a single team member; events takes a comma-separated list of event types. See /docs/account/audit-log for the catalog.
GET /activity/export — admin-gated CSV export of the same query. 10k row cap; use the date range to chunk.

Changes:

All list endpoints now return an X-RateLimit-* header triple (Limit, Remaining, Reset) even on 2xx. Previously these were only present on 429 responses.

Additions:

PATCH /documents/{id}/auto-reminder — toggle the per-document reminder cadence (1 / 3 / 7 / 14 days). The cron honors respondent opt-out state and logs each reminder to the audit stream as a respondent.reminded event with actorType: system.
Templates now carry a publicLinkConfig.requireLogin boolean that gates the fill page behind Crove authentication. When set, the public fill URL returns 401 + requiresLogin: true so the client can redirect to /sign-in.

2026-02 — Outgoing webhooks + HMAC

Additions:

POST /webhooks — workspace-level subscriptions for 30+ event types. Delivery log + retry-with-exponential-backoff included.
Every outgoing webhook now carries an X-Crove-Signature header:
```
X-Crove-Signature: t=1712345678,v1=<hex-hmac-sha256>
```
Signed over timestamp + "." + body with the per-webhook secret.

Deprecations:

X-Crove-Webhook-Key header removed. Old code signing via shared key should migrate to X-Crove-Signature — see /docs/webhooks/outgoing-webhooks for the verification pattern.

2026-01 — Public API launch (v1)

Launch:

GET/POST /documents — list and create. Pre-fill support via the response object on create.
GET /documents/{id}/pdf — download completed PDF.
POST /documents/{id}/send — fire email invitations to listed signers.
GET /templates — list templates including their symbolTable so you can pre-fill correctly.
Bearer-token authentication (Authorization: Bearer <API_KEY>).
Rate limit: 100 req/min per key, shared across the workspace.

Older endpoints / betas prior to January 2026 aren't listed here; anyone still relying on them should contact support to confirm their migration path.

API changelog

API changelog

2026-04 — Compliance bundle + activity filters

2026-02 — Outgoing webhooks + HMAC

2026-01 — Public API launch (v1)

On this page

API changelog

API changelog

2026-04 — Compliance bundle + activity filters

2026-02 — Outgoing webhooks + HMAC

2026-01 — Public API launch (v1)

On this page