Last updated Apr 30, 2024

Trello Changelog

This changelog is the source of truth for all changes to the Trello developer platform.

30 April 2024

Announcement Power-Up Developers: changes in the way we communicate with you

What you need to do

Make sure that your Power-Up collaborators information is up to date. You can modify collaborators on the Power-Ups admin panel under the ‘Collaborators’ tab.

What are we doing?

Going forward, when Atlassian receives communication regarding your public Power-Up, we will create a Jira issue and add every collaborator that is associated with your Power-Up. This will include Workspace admins as well as Workspace members that you added manually. Remember, you and your collaborators already have Atlassian Accounts by virtue of being Trello users.

More details

Why is this change happening?

We want to open up a more reliable method of communication between our security team and Power-Up developers. Currently, we only ask for an email for our contact information, and a Support Contact email/link when the Power-Up is made public. This has created many inefficiencies when it comes to reaching out to developers, specifically regarding security tickets.

Since these emails aren’t necessarily tied to an Atlassian Account, there may not even be a person behind a Power-Up . We can’t reliably tag developers in our Jira tickets, so we don’t have a way to track progress outside of an email chain, and many of our attempts to contact a support email go unanswered.

In effect, we’re asking public Power-Ups to have associated Atlassian Account/s, which will make our third-party security processes faster and more secure.

Thanks for all your efforts making Trello awesome, and thanks in advance for your cooperation!

12 April 2024

Added New atlassianEmail field to Power-Ups

We have now added a new fieldatlassianEmail in Power-Ups to store Atlassian account information

We will soon be asking public Power-Ups to include an email linked to an Atlassian Account. This will assist our support and internal developer teams in managing Power-Up vulnerabilities, and handling communications.

For more information, see https://developer.atlassian.com/cloud/trello/guides/power-ups/submitting-your-power-up/#prepare-for-launch

More details

This information will only be required if you want to make your Power-Up public, just like our fields Support Email and Privacy Policy. It will not be shown on your public Power-Up listing.

20 February 2024

Deprecation Notice Trello API will no longer accept GET request with data in body

Rollout completed March 12th 2024

Trello’s API will no longer permit supplying a body with a GET request. Previous behavior in our API ignored the payloads provided with GET requests but these requests will now be blocked with a 403 response from our content delivery network.

To resolve issues resulting from this change ensure all GET requests to Trello’s API are sent without a payload.

More details

Supplying a body in a GET request will result in a response with the following format:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 4ogSZBSsiLGbtsvYqOrUuLBZtQh5mksfsLsYd2kfPezq6jSgOIuX0A==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>

14 February 2024

Deprecation Notice Legacy Workspace and Member Route Deprecation

Trello has introduced a /w/ and /u/ route prefix for workspace and member routes. This change has already been rolled out, with API responses for workspaces (or “organizations” in the API) and members returning the prefixed url values.

Trello will cease support for the legacy format by Aug 8, 2024 and as such all integrations storing URLs must update to the new format by that date.

More details

Examples

Legacy workspace URL: https://trello.com/trelloinc
New workspace URL: https://trello.com/w/trelloinc

Legacy member URL: https://trello.com/taco
New member URL: https://trello.com/u/taco

6 June 2023

Added Webhook event response object now contains the webhook model

In addition to the action and the model fields, webhook event responses now contain the webhook field, which contains the webhook model itself. The webhook model fields are id, active, callbackURL, description, idModel, consecutiveFailures, firstConsecutiveFailDate.

See our webhook documentation for full details on webhook event responses.

29 May 2023

Added Trello OAuth now allows you to specify the app's author for legacy app keys

For apps using legacy app keys (app keys created via trello.com/app-key) you can now specify the app author by passing the author query parameter in your OAuth request URL or by setting the appAuthor config option when calling either TrelloPowerUp.initialize or TrelloPowerUp.iframe, depending on your workflow.

Please update each and every one of your apps using Trello OAuth with legacy app keys to include your app’s author name, otherwise you risk your app falling out of compliance and potentially getting it delisted from Trello.

For more info please refer to the documentation of the OAuth method you’re using:
- t.authorize()
- t.getRestApi().authorize()

23 May 2023

Added Webhook tokens losing access to the webhook's model is now considered a webhook failure

We currently disable webhooks when they “fail” consecutively for 30 days without recovering. Previously, the only type of “failure” was when the webhook callback endpoint returned something other than a 200 response when a webhook event was sent. With this change, webhook events failing because its token lost access to the webhook's model is now considered a failure, and will count towards disablement if not fixed within 30 days.

More details

How does a webhook’s token lose access to the webhook’s model? The most common way this can happen is by a user leaving a board. See this example:

A webhook is set up using a user’s token to watch a board they are a member of.
Later on, that user leaves the board. Thus, their token loses access to the board.
Now, if changes are made on the board, the webhook watching that board will throw an error when attempting to send the webhook event to the webhook’s callback endpoint. This is because the webhook’s token can’t access the model (the board).

If the webhook’s token doesn’t regain access to the model (that is, the user never re-joins the board), the webhook will be disabled after 30 days.

Note that before this change, webhook tokens losing access to the webhook's model already caused webhook events sending to fail. This change simply considers this a “consecutive failure” and will contribute to eventual disablement of the webhook.

16 May 2023

Fixed Custom field items will return null fields

API responses for custom field items will now include value and idValue fields with a null value, rather than omitting the fields depending on the custom field type, to maintain consistent API response shapes.

More details

GET /1/card/:id/customFieldItems

Before:

[
  {
    "id": "64638429a6afeadf0d5795f6",
    "idCustomField": "615dca8087f377004a347073",
    "idModel": "646383ecbaea32cb431a606d",
    "idValue": "615dca902bfde800dec91fb1",
    "modelType": "card"
  },
  {
    "id": "6463842b5617d811b4250a9f",
    "idCustomField": "615dca66da745f00356d1246",
    "idModel": "646383ecbaea32cb431a606d",
    "modelType": "card",
    "value": { "text": "Test" }
  }
]

After:

[
  {
    "id": "64638429a6afeadf0d5795f6",
    "idCustomField": "615dca8087f377004a347073",
    "idModel": "646383ecbaea32cb431a606d",
    "idValue": "615dca902bfde800dec91fb1",
    "modelType": "card",
    "value": null
  },
  {
    "id": "6463842b5617d811b4250a9f",
    "idCustomField": "615dca66da745f00356d1246",
    "idModel": "646383ecbaea32cb431a606d",
    "idValue": null,
    "modelType": "card",
    "value": { "text": "Test" }
  }
]

28 April 2023

Fixed Block workspace deletion if workspace owns a publicly listed Power-Up

Workspaces that own publicly listed Power-Ups can no longer be deleted. This will prevent those Power-Ups from breaking for other users that have them installed. Users need to remove all publicly listed Power-Ups from a workspace before deleting it.

More details

When making a DELETE call, we will now check for public power-ups with a matching idOrganizationOwner. If any exist, we will return a 400 error code with the message Workspaces with publicly power-ups can't be deleted (translated into various languages).

4 April 2023

Announcement New feature to manage Power-Up storage for disabled Power-Ups

We're happy to announce that authorized users can now manage storage for disabled Power-Ups. When an authorized user disables a Power-Up from Trello board(s), they may choose to clear the board-level storage as a part of that action. This action clears all public Power-Up data on the board.

More details

This action is available to users with board administration, workspace administration, or ENT administration privileges. It is not currently available to administrators that choose to “bulk disable” a Power-Up from all boards in a workspace.

What do you need to do?

If you provide documentation or guidance to users about the retention of Power-Up data after the Power-Up is disabled, you should update it accordingly.

3 April 2023

Announcement The Enterprises API now functions differently for enterprises opted into user management on Atlassian Admin

For Trello enterprises that have opted in to user management via Atlassian Admin, some Enterprise API endpoints will function slightly differently.

More details

GET /enterprises/{id}/auditlog will contain actions taken in Atlassian Admin, but may not contain the source for those actions.
PUT /enterprises/{id}/organizations will result in the organization being added to the enterprise asynchronously. A 200 response only indicates receipt of the request, it does not indicate successful addition to the enterprise.
PUT /enterprises/{id}/members/{idMember}/licensed Revoking of licenses is no longer possible.
PUT /enterprises/{id}/members/{idMember}/deactivated Deactivation is no longer possible.
PUT /enterprises/{id}/admins/{idMember} is no longer available.
DELETE /enterprises/{id}/admins/{idMember} is no longer available.
GET /enterprises/{id}/organizations/bulk/{idOrganizations} will result in organizations being added to the enterprise asynchronously. A 200 response only indicates receipt of the request, it does not indicate successful addition to the enterprise.

13 January 2023

Fixed Adding deactivated workspace members to a board now correctly returns forbidden error

Previously, attempting to add a deactivated workspace member to a board returned a 200 response code, even though the member wasn't actually added. Now, attempting to do so will correctly return a 403 Forbidden error with the accompanying message, "Must reactivate user first.”

29 November 2022

Added Checklists are available via t.card()

You can now include checklists from cards when calling t.card() from the Power-Up Client Library. To do this, pass checklists as a parameter, or use all. For example:

t.card('id', 'checklists').then((data) => console.log(data));

The returned information includes the name of the checklist, its position, and an array of the checklist items. This is similar to the results from the Checklists API.

More details

For more information on t.card(), see Accessing Trello Data.

31 October 2022

Announcement New Marketplace Security Requirements Are Now in Effect

Several months ago, we announced new security requirements for cloud apps, which take effect today (October 31). As of today, all Marketplace apps and Trello Apps (Power-Ups) are expected to meet the new requirements.

Maintaining a secure Marketplace is a collective effort, shared by Atlassian and partners. The new requirements reflect the most current best practices for building secure apps and provide platform-specific guidance. They set Atlassian’s baseline standard for cloud app security, and will be updated annually to ensure alignment with industry standards.

The new requirements apply across five categories: Authentication & Authorization, Data Protection, Application Security, Privacy, and Vulnerability Management. They benefit both developers and customers by providing guidelines for building secure apps and elevating the trust posture of our cloud ecosystem.

Read the blog to find out more about the changes that take effect today, and how we will validate that apps are following security requirements moving forward.

Read the blog

27 October 2022

Announcement Trello tokens have gotten longer

We’re increasing the length of Trello tokens. Existing tokens will continue to work, and new tokens will be 12 characters longer.

These changes are planned to be rolled out fully by November 16, 2022.

More details

The tokens are longer because we’re creating a new standard prefix/regex shape for Trello tokens and secrets. This will allow us to automated detection and discovery for leaked tokens.

However, please note that tokens are meant to be “opaque”, meaning their length, shape, or format is not guaranteed. Your application code should not assume anything about the token’s structure. If your application relies on Trello tokens having a specific structure, such as matching a certain regular expression or having a certain character length, you should remove that logic immediately.

But if your app code is already treating Trello tokens as opaque, then you are all set! No action required.