This changelog is the source of truth for all changes to the Trello developer platform.
Support for establishing a websocket connection via appkey+token pairs supplied via query arguments will end on November 15, 2024.
While this continues to be undocumented and unsupported, you may make Websocket connections to Trello, however you will need to switch to providing an OAuth Authorization
header for authentication.
Note that this isn’t possible in the browser sandbox environment, as the WebSocket API does not have an option to provide custom HTTP headers.
You will need to do this from a privileged context, like an app or possibly a browser add-on in the Trello session context.
We're announcing new IP ranges that will soon be available for requests from external clients, such as browsers and API integrations:
13.35.248.0/24
13.227.180.0/24
13.227.213.0/24
These ranges won't be used to make outgoing connections from Atlassian Cloud to remote systems, for example, webhooks.
To prepare for this change, update your firewalls and other security measures to allow connections to the new IP ranges.
For more information, see IP addresses and domains for Atlassian Cloud products, which includes instructions on how to receive notifications of changes, as well as links to machine-readable lists of our IP ranges.
Up until now, a card’s idShort
field value would be restored to its previous value when the card is moved to a board it has previously been on.
Starting Aug 1, 2024 this will no longer be the case. idShort
will always receive a new sequence ID on the destination board. This will have no impact on existing idShort
values, or on idShort
values on cards moved within a single board.
Ensure your app does not store references to idShort values persistently - they may be invalidated due to moves across boards.
In general, we advise against usage of idShort
in favor of using the card’s id
since idShort
values might get invalidated.
As of July 17, 2024, you no longer need to contact Trello to change your public Power-Up Iframe Connector Url domain. You can self-serve this change by going to trello.com/power-ups/admin, selecting your Power-Up, and updating the Iframe connector URL field in Basic information.
While disabling power-up, you can now select Keep all Power-Up data to opt-in to retain the plugin data stored on the board and cards.
Previously, the Disable Power-up dialog defaulted to keeping the users data. Due to security and privacy concerns, we are now changing this functionality. Data will be deleted from active cards on the board immediately, whereas data on archived cards will be deleted asynchronously.
Make sure that your Power-Up collaborators information is up to date. You can modify collaborators on the Power-Ups admin panel under the ‘Collaborators’ tab.
Going forward, when Atlassian receives communication regarding your public Power-Up, we will create a Jira issue and add every collaborator that is associated with your Power-Up. This will include Workspace admins as well as Workspace members that you added manually. Remember, you and your collaborators already have Atlassian Accounts by virtue of being Trello users.
We want to open up a more reliable method of communication between our security team and Power-Up developers. Currently, we only ask for an email for our contact information, and a Support Contact email/link when the Power-Up is made public. This has created many inefficiencies when it comes to reaching out to developers, specifically regarding security tickets.
Since these emails aren’t necessarily tied to an Atlassian Account, there may not even be a person behind a Power-Up . We can’t reliably tag developers in our Jira tickets, so we don’t have a way to track progress outside of an email chain, and many of our attempts to contact a support email go unanswered.
In effect, we’re asking public Power-Ups to have associated Atlassian Account/s, which will make our third-party security processes faster and more secure.
Thanks for all your efforts making Trello awesome, and thanks in advance for your cooperation!
EDIT, 22 May 2024 : This new field has been deprecated since the announcement of our new contact process for Power-Up developers.
We have now added a new fieldatlassianEmail
in Power-Ups to store Atlassian account information
We will soon be asking public Power-Ups to include an email linked to an Atlassian Account. This will assist our support and internal developer teams in managing Power-Up vulnerabilities, and handling communications.
For more information, see https://developer.atlassian.com/cloud/trello/guides/power-ups/submitting-your-power-up/#prepare-for-launch
This information will only be required if you want to make your Power-Up public, just like our fields Support Email
and Privacy Policy
. It will not be shown on your public Power-Up listing.
Rollout completed March 12th 2024
Trello’s API will no longer permit supplying a body with a GET request. Previous behavior in our API ignored the payloads provided with GET requests but these requests will now be blocked with a 403 response from our content delivery network.
To resolve issues resulting from this change ensure all GET requests to Trello’s API are sent without a payload.
Supplying a body in a GET request will result in a response with the following format:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 4ogSZBSsiLGbtsvYqOrUuLBZtQh5mksfsLsYd2kfPezq6jSgOIuX0A==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
Trello has introduced a /w/
and /u/
route prefix for workspace and member routes. This change has already been rolled out, with API responses for workspaces (or “organizations” in the API) and members returning the prefixed url
values.
Trello will cease support for the legacy format by Aug 8, 2024 and as such all integrations storing URLs must update to the new format by that date.
Examples
Legacy workspace URL: https://trello.com/trelloinc
New workspace URL: https://trello.com/w/trelloinc
Legacy member URL: https://trello.com/taco
New member URL: https://trello.com/u/taco
In addition to the action
and the model
fields, webhook event responses now contain the webhook
field, which contains the webhook model itself. The webhook model fields are id
, active
, callbackURL
, description
, idModel
, consecutiveFailures
, firstConsecutiveFailDate
.
See our webhook documentation for full details on webhook event responses.
For apps using legacy app keys (app keys created via trello.com/app-key) you can now specify the app author by passing the author
query parameter in your OAuth request URL or by setting the appAuthor
config option when calling either TrelloPowerUp.initialize
or TrelloPowerUp.iframe
, depending on your workflow.
Please update each and every one of your apps using Trello OAuth with legacy app keys to include your app’s author name, otherwise you risk your app falling out of compliance and potentially getting it delisted from Trello.
For more info please refer to the documentation of the OAuth method you’re using:
- t.authorize()
- t.getRestApi().authorize()
We currently disable webhooks when they “fail” consecutively for 30 days without recovering. Previously, the only type of “failure” was when the webhook callback endpoint returned something other than a 200 response when a webhook event was sent. With this change, webhook events failing because its token lost access to the webhook's model is now considered a failure, and will count towards disablement if not fixed within 30 days.
How does a webhook’s token lose access to the webhook’s model? The most common way this can happen is by a user leaving a board. See this example:
A webhook is set up using a user’s token to watch a board they are a member of.
Later on, that user leaves the board. Thus, their token loses access to the board.
Now, if changes are made on the board, the webhook watching that board will throw an error when attempting to send the webhook event to the webhook’s callback endpoint. This is because the webhook’s token can’t access the model (the board).
If the webhook’s token doesn’t regain access to the model (that is, the user never re-joins the board), the webhook will be disabled after 30 days.
Note that before this change, webhook tokens losing access to the webhook's model already caused webhook events sending to fail. This change simply considers this a “consecutive failure” and will contribute to eventual disablement of the webhook.
API responses for custom field items will now include value
and idValue
fields with a null
value, rather than omitting the fields depending on the custom field type, to maintain consistent API response shapes.
GET /1/card/:id/customFieldItems
Before:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[
{
"id": "64638429a6afeadf0d5795f6",
"idCustomField": "615dca8087f377004a347073",
"idModel": "646383ecbaea32cb431a606d",
"idValue": "615dca902bfde800dec91fb1",
"modelType": "card"
},
{
"id": "6463842b5617d811b4250a9f",
"idCustomField": "615dca66da745f00356d1246",
"idModel": "646383ecbaea32cb431a606d",
"modelType": "card",
"value": { "text": "Test" }
}
]
After:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[
{
"id": "64638429a6afeadf0d5795f6",
"idCustomField": "615dca8087f377004a347073",
"idModel": "646383ecbaea32cb431a606d",
"idValue": "615dca902bfde800dec91fb1",
"modelType": "card",
"value": null
},
{
"id": "6463842b5617d811b4250a9f",
"idCustomField": "615dca66da745f00356d1246",
"idModel": "646383ecbaea32cb431a606d",
"idValue": null,
"modelType": "card",
"value": { "text": "Test" }
}
]
Workspaces that own publicly listed Power-Ups can no longer be deleted. This will prevent those Power-Ups from breaking for other users that have them installed. Users need to remove all publicly listed Power-Ups from a workspace before deleting it.
When making a DELETE call, we will now check for public power-ups with a matching idOrganizationOwner
. If any exist, we will return a 400 error code with the message Workspaces with publicly power-ups can't be deleted
(translated into various languages).
We're happy to announce that authorized users can now manage storage for disabled Power-Ups. When an authorized user disables a Power-Up from Trello board(s), they may choose to clear the board-level storage as a part of that action. This action clears all public Power-Up data on the board.
This action is available to users with board administration, workspace administration, or ENT administration privileges. It is not currently available to administrators that choose to “bulk disable” a Power-Up from all boards in a workspace.
What do you need to do?
If you provide documentation or guidance to users about the retention of Power-Up data after the Power-Up is disabled, you should update it accordingly.
Rate this page: