This changelog is the source of truth for all changes to the Trello developer platform.
Make sure that your Power-Up collaborators information is up to date. You can modify collaborators on the Power-Ups admin panel under the ‘Collaborators’ tab.
Going forward, when Atlassian receives communication regarding your public Power-Up, we will create a Jira issue and add every collaborator that is associated with your Power-Up. This will include Workspace admins as well as Workspace members that you added manually. Remember, you and your collaborators already have Atlassian Accounts by virtue of being Trello users.
We want to open up a more reliable method of communication between our security team and Power-Up developers. Currently, we only ask for an email for our contact information, and a Support Contact email/link when the Power-Up is made public. This has created many inefficiencies when it comes to reaching out to developers, specifically regarding security tickets.
Since these emails aren’t necessarily tied to an Atlassian Account, there may not even be a person behind a Power-Up . We can’t reliably tag developers in our Jira tickets, so we don’t have a way to track progress outside of an email chain, and many of our attempts to contact a support email go unanswered.
In effect, we’re asking public Power-Ups to have associated Atlassian Account/s, which will make our third-party security processes faster and more secure.
Thanks for all your efforts making Trello awesome, and thanks in advance for your cooperation!
We have now added a new fieldatlassianEmail
in Power-Ups to store Atlassian account information
We will soon be asking public Power-Ups to include an email linked to an Atlassian Account. This will assist our support and internal developer teams in managing Power-Up vulnerabilities, and handling communications.
For more information, see https://developer.atlassian.com/cloud/trello/guides/power-ups/submitting-your-power-up/#prepare-for-launch
This information will only be required if you want to make your Power-Up public, just like our fields Support Email
and Privacy Policy
. It will not be shown on your public Power-Up listing.
Rollout completed March 12th 2024
Trello’s API will no longer permit supplying a body with a GET request. Previous behavior in our API ignored the payloads provided with GET requests but these requests will now be blocked with a 403 response from our content delivery network.
To resolve issues resulting from this change ensure all GET requests to Trello’s API are sent without a payload.
Supplying a body in a GET request will result in a response with the following format:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 4ogSZBSsiLGbtsvYqOrUuLBZtQh5mksfsLsYd2kfPezq6jSgOIuX0A==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
Trello has introduced a /w/
and /u/
route prefix for workspace and member routes. This change has already been rolled out, with API responses for workspaces (or “organizations” in the API) and members returning the prefixed url
values.
Trello will cease support for the legacy format by Aug 8, 2024 and as such all integrations storing URLs must update to the new format by that date.
Examples
Legacy workspace URL: https://trello.com/trelloinc
New workspace URL: https://trello.com/w/trelloinc
Legacy member URL: https://trello.com/taco
New member URL: https://trello.com/u/taco
In addition to the action
and the model
fields, webhook event responses now contain the webhook
field, which contains the webhook model itself. The webhook model fields are id
, active
, callbackURL
, description
, idModel
, consecutiveFailures
, firstConsecutiveFailDate
.
See our webhook documentation for full details on webhook event responses.
For apps using legacy app keys (app keys created via trello.com/app-key) you can now specify the app author by passing the author
query parameter in your OAuth request URL or by setting the appAuthor
config option when calling either TrelloPowerUp.initialize
or TrelloPowerUp.iframe
, depending on your workflow.
Please update each and every one of your apps using Trello OAuth with legacy app keys to include your app’s author name, otherwise you risk your app falling out of compliance and potentially getting it delisted from Trello.
For more info please refer to the documentation of the OAuth method you’re using:
- t.authorize()
- t.getRestApi().authorize()
We currently disable webhooks when they “fail” consecutively for 30 days without recovering. Previously, the only type of “failure” was when the webhook callback endpoint returned something other than a 200 response when a webhook event was sent. With this change, webhook events failing because its token lost access to the webhook's model is now considered a failure, and will count towards disablement if not fixed within 30 days.
How does a webhook’s token lose access to the webhook’s model? The most common way this can happen is by a user leaving a board. See this example:
A webhook is set up using a user’s token to watch a board they are a member of.
Later on, that user leaves the board. Thus, their token loses access to the board.
Now, if changes are made on the board, the webhook watching that board will throw an error when attempting to send the webhook event to the webhook’s callback endpoint. This is because the webhook’s token can’t access the model (the board).
If the webhook’s token doesn’t regain access to the model (that is, the user never re-joins the board), the webhook will be disabled after 30 days.
Note that before this change, webhook tokens losing access to the webhook's model already caused webhook events sending to fail. This change simply considers this a “consecutive failure” and will contribute to eventual disablement of the webhook.
API responses for custom field items will now include value
and idValue
fields with a null
value, rather than omitting the fields depending on the custom field type, to maintain consistent API response shapes.
GET /1/card/:id/customFieldItems
Before:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[
{
"id": "64638429a6afeadf0d5795f6",
"idCustomField": "615dca8087f377004a347073",
"idModel": "646383ecbaea32cb431a606d",
"idValue": "615dca902bfde800dec91fb1",
"modelType": "card"
},
{
"id": "6463842b5617d811b4250a9f",
"idCustomField": "615dca66da745f00356d1246",
"idModel": "646383ecbaea32cb431a606d",
"modelType": "card",
"value": { "text": "Test" }
}
]
After:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[
{
"id": "64638429a6afeadf0d5795f6",
"idCustomField": "615dca8087f377004a347073",
"idModel": "646383ecbaea32cb431a606d",
"idValue": "615dca902bfde800dec91fb1",
"modelType": "card",
"value": null
},
{
"id": "6463842b5617d811b4250a9f",
"idCustomField": "615dca66da745f00356d1246",
"idModel": "646383ecbaea32cb431a606d",
"idValue": null,
"modelType": "card",
"value": { "text": "Test" }
}
]
Workspaces that own publicly listed Power-Ups can no longer be deleted. This will prevent those Power-Ups from breaking for other users that have them installed. Users need to remove all publicly listed Power-Ups from a workspace before deleting it.
When making a DELETE call, we will now check for public power-ups with a matching idOrganizationOwner
. If any exist, we will return a 400 error code with the message Workspaces with publicly power-ups can't be deleted
(translated into various languages).
We're happy to announce that authorized users can now manage storage for disabled Power-Ups. When an authorized user disables a Power-Up from Trello board(s), they may choose to clear the board-level storage as a part of that action. This action clears all public Power-Up data on the board.
This action is available to users with board administration, workspace administration, or ENT administration privileges. It is not currently available to administrators that choose to “bulk disable” a Power-Up from all boards in a workspace.
What do you need to do?
If you provide documentation or guidance to users about the retention of Power-Up data after the Power-Up is disabled, you should update it accordingly.
For Trello enterprises that have opted in to user management via Atlassian Admin, some Enterprise API endpoints will function slightly differently.
GET /enterprises/{id}/auditlog
will contain actions taken in Atlassian Admin, but may not contain the source for those actions.
PUT /enterprises/{id}/organizations
will result in the organization being added to the enterprise asynchronously. A 200 response only indicates receipt of the request, it does not indicate successful addition to the enterprise.
PUT /enterprises/{id}/members/{idMember}/licensed
Revoking of licenses is no longer possible.
PUT /enterprises/{id}/members/{idMember}/deactivated
Deactivation is no longer possible.
PUT /enterprises/{id}/admins/{idMember}
is no longer available.
DELETE /enterprises/{id}/admins/{idMember}
is no longer available.
GET /enterprises/{id}/organizations/bulk/{idOrganizations}
will result in organizations being added to the enterprise asynchronously. A 200 response only indicates receipt of the request, it does not indicate successful addition to the enterprise.
Previously, attempting to add a deactivated workspace member to a board returned a 200 response code, even though the member wasn't actually added. Now, attempting to do so will correctly return a 403 Forbidden error with the accompanying message, "Must reactivate user first.”
You can now include checklists from cards when calling t.card()
from the Power-Up Client Library. To do this, pass checklists
as a parameter, or use all
. For example:
1
t.card('id', 'checklists').then((data) => console.log(data));
The returned information includes the name of the checklist, its position, and an array of the checklist items. This is similar to the results from the Checklists API.
For more information on t.card()
, see Accessing Trello Data.
Several months ago, we announced new security requirements for cloud apps, which take effect today (October 31). As of today, all Marketplace apps and Trello Apps (Power-Ups) are expected to meet the new requirements.
Maintaining a secure Marketplace is a collective effort, shared by Atlassian and partners. The new requirements reflect the most current best practices for building secure apps and provide platform-specific guidance. They set Atlassian’s baseline standard for cloud app security, and will be updated annually to ensure alignment with industry standards.
The new requirements apply across five categories: Authentication & Authorization, Data Protection, Application Security, Privacy, and Vulnerability Management. They benefit both developers and customers by providing guidelines for building secure apps and elevating the trust posture of our cloud ecosystem.
Read the blog to find out more about the changes that take effect today, and how we will validate that apps are following security requirements moving forward.
We’re increasing the length of Trello tokens. Existing tokens will continue to work, and new tokens will be 12 characters longer.
These changes are planned to be rolled out fully by November 16, 2022.
The tokens are longer because we’re creating a new standard prefix/regex shape for Trello tokens and secrets. This will allow us to automated detection and discovery for leaked tokens.
However, please note that tokens are meant to be “opaque”, meaning their length, shape, or format is not guaranteed. Your application code should not assume anything about the token’s structure. If your application relies on Trello tokens having a specific structure, such as matching a certain regular expression or having a certain character length, you should remove that logic immediately.
But if your app code is already treating Trello tokens as opaque, then you are all set! No action required.
Rate this page: