Releases: ktalpay/fintech-external-api-reference
v0.3.0 — Documentation hardening release
This release strengthens the repository as a documentation-first reference architecture for secure external API access in fintech-style platforms.
Highlights
- Added request-flow diagrams for successful requests, invalid key handling, scope denial, and rate-limit denial.
- Aligned the canonical threat model with the grouped documentation structure.
- Refined API key lifecycle documentation around creation, one-time display, hashing boundaries, ownership, expiry, revocation, and rotation.
- Clarified the distinction between company ownership and permission scopes.
- Aligned auditability and rate limiting documentation with request-flow behavior.
- Reviewed the illustrative OpenAPI contract for X-Api-Key, token-owner company scope, and stable error behavior.
- Aligned external error-code documentation with the OpenAPI sample.
- Cleaned up the ADR index and navigation.
- Added a v0.3.0 consistency-check note covering public wording, links, OpenAPI YAML parsing, navigation, and terminology.
Scope
This is a non-production reference architecture and documentation artifact. It does not provide a production implementation, compliance guarantee, certification, or deployment-ready system.
Suggested reading path
- README
- Documentation index
- Architecture overview
- Request-flow diagrams
- Threat model
- API key lifecycle
- Scope and permission model
- Auditability model
- Rate limiting and abuse detection
- Illustrative OpenAPI contract
v0.2.0 - External API integration readiness documentation milestone
v0.2.0 Release Notes
Summary
v0.2.0 is the second documentation milestone for the fintech external API reference architecture.
It builds on v0.1.0 by adding external integration readiness material:
- webhook delivery model,
- stable error code reference,
- external integration guide,
- implementation-neutral review checklist,
- ADR-0007 through ADR-0010.
What changed since v0.1.0
| Area | Document | Purpose |
|---|---|---|
| Webhook delivery | docs/webhook-delivery-model.md | Signed, company-scoped webhook delivery, retries, idempotency, failure handling, and auditability. |
| Error handling | docs/error-code-reference.md | Stable external error codes, HTTP status mapping, retry semantics, and audit expectations. |
| Integration onboarding | docs/integration-guide.md | Implementation-neutral guidance for API key use, idempotency, rate limits, webhooks, token lifecycle, and logging. |
| Readiness review | docs/review-checklist.md | Checklist for architecture, security, product, and integration readiness review. |
| Architecture decisions | ADR-0007 through ADR-0010 | Decisions for signed webhook delivery, stable error codes, integration guide, and readiness checklist. |
Included documentation
- Documentation index
- Problem statement
- Architecture overview
- Security boundaries
- Company-scoped API key model
- Scope and permission model
- Audit log model
- Rate limiting and abuse detection model
- Token lifecycle and revocation model
- External API contract examples
- Threat model
- Webhook delivery model
- Error code reference
- Integration guide
- Review checklist
- ADR-0001 through ADR-0010
Architecture decisions added in v0.2.0
- ADR-0007: Use signed webhook delivery model.
- ADR-0008: Use stable external error codes.
- ADR-0009: Use integration guide for external API onboarding.
- ADR-0010: Use review checklist for external API readiness.
What is intentionally not included
- Application code
- Production deployment
- Cloud-specific implementation
- Legal/compliance mapping
- OpenAPI/YAML contract
- SDKs or client libraries
- Automated tests
Next possible increments
- OpenAPI example file
- Webhook event schema catalogue
- Sample review worksheet
- Sequence diagrams
- API lifecycle/versioning policy
- Sample architecture review package
- v0.2.0 public announcement post
Notes
This release is a documentation milestone, not a production implementation.
v0.1.0 - External API reference architecture documentation milestone
v0.1.0 Release Notes
Summary
v0.1.0 is the first documentation milestone for the fintech external API reference architecture. It collects the core models, example contracts, threat model, and architecture decisions needed to review company-scoped external API access.
Included documentation
- Problem statement
- Architecture overview
- Security boundaries
- Company-scoped API key model
- Scope and permission model
- Audit log model
- Rate limiting and abuse detection model
- Token lifecycle and revocation model
- External API contract examples
- Threat model
- ADR-0001 through ADR-0006
Architecture decisions included
- ADR-0001: Use company-scoped API keys for external API access.
- ADR-0002: Use append-only audit events for external API access.
- ADR-0003: Use layered rate limiting for external API access.
- ADR-0004: Use explicit token lifecycle and revocation controls.
- ADR-0005: Use explicit external API contracts.
- ADR-0006: Use a threat model for external API boundaries.
What is intentionally not included
- Application code
- Production deployment
- Cloud-specific implementation
- Legal/compliance mapping
- OpenAPI/YAML contract
- SDKs or client libraries
- Automated tests
Next possible increments
- OpenAPI example file
- Integration guide
- Error code reference
- Webhook delivery model
- Sequence diagrams
- Implementation-neutral checklist
- Sample review worksheet
Notes
This release is a documentation milestone, not a production implementation.