Turnqey API Changelog

API Base URL: https://api.turnqey.xyz
Documentation: https://docs.turnqey.xyz
Support: support@turnqey.xyz

v1.2.0 — 2026-03-05

Security

  • Rate limiting hardened on all auth endpoints (TAIP)
    • POST /auth/institute/magic-link and POST /auth/qeychain/magic-link — new limit: 10 requests / 15 min
    • POST /forgot-password and POST /reset-password — tightened from 5/min → 5/15 min
    • Closes brute-force and credential-stuffing attack vectors on all authentication flows

Fixed

  • Manual Entries — 3 missing endpoints added (TAIP)

    • POST /manual-entries/trade-completion/{client_id}/{id}/preview — returns projected holdings + cost basis change without saving
    • POST /manual-entries/basis-assignment/{client_id}/{id}/preview — returns projected unrealized G/L change without saving
    • GET /manual-entries/audit-trail/{client_id}/{entry_type}/{id} — path alias for /audit-log/ (UI was calling wrong path)
    • All three were returning 404 in production. Fix is additive only — no schema changes
  • Sandbox — registration rate limit bypass closed

    • POST /api/v1/registration now correctly applies authRateLimiter (was bypassed via direct route mount)
  • Sandbox — malformed JSON now returns 400

    • Invalid JSON bodies now return 400 INVALID_JSON instead of 500 Internal Server Error
  • datetime.utcnow() deprecation (TAIP email service)

    • Replaced deprecated datetime.utcnow() with datetime.now(timezone.utc) in email.py

v1.1.0 — 2026-03-03

Added

  • MFA / Two-Factor Authentication (TAIP)

    • Email-based OTP flow for all adviser logins
    • HTML email template for OTP delivery
    • Mobile-responsive and desktop OTP entry UI
    • Auth guards enforced across all protected routes
    • Security hardening: error message redaction, CORS cleanup, auth boundary enforcement
  • Sandbox free tier — trial period reduced from 14 days → 7 days

  • Principal Role System (TAIP)

    • Adviser accounts now support Principal and Non-Principal roles
    • Principal advisers see all firm clients; Non-Principal advisers are scoped to their own clients only
    • GET /clients and GET /dashboard/stats respect role-based scoping
    • is_active=True filter added to get_tenant_client_stats() — dashboard CLIENTS card now accurate

Fixed

  • Wallet display (TAIP) — adviser dev login now correctly shows all wallets across all clients, not just one

  • Credential rotation — CoinGecko API key, App Insights key, and Azure Function key rotated after security audit

v1.0.0 — 2026-01-31

Initial stable release of the Turnqey API

Added

Morningstar Integration (Live)

  • POST /v1/api/token — Generate JWT token (OAuth 2.0 Client Credentials, 1-hour TTL)
  • GET /authorize — Browser-based exchange authorization
  • GET /v1/api/account/collection/:collectionId — Get account collection
  • GET /v1/api/account/identity/:identity — Get account by identity
  • GET /v1/api/account/:accountId/transactions — Full transaction history
  • GET /v1/api/account/:accountId/balances — Current balances (optional forceRefresh)
  • GET /v1/api/checksum — Checksum for authorization request verification

Q-Score™ (Live)

  • GET /api/crypto-data/:symbols — Real-time market data (comma-separated symbols)
  • POST /api/calculate-portfolio-score — Portfolio Q Score across 21 supported assets
  • GET /api/scores — All cryptocurrency Q, F, and R scores
  • GET /api/status — API health and rate limit status

Q-Score™ Portfolios

  • GET /api/portfolios — List all portfolios
  • POST /api/portfolios — Create portfolio
  • GET /api/portfolios/:id — Get portfolio by ID
  • PUT /api/portfolios/:id — Update portfolio
  • DELETE /api/portfolios/:id — Delete portfolio

Wealthbox Integration (Live)

  • View crypto balances and positions in Wealthbox CRM
  • Client Crypto Discovery
  • Exchange and onchain wallet connections
  • Monthly automated data updates
  • Activation: https://wealthbox-activate.turnqey.xyz/

Authentication and Security

  • OAuth 2.0 with secure token management
  • TLS 1.2+ in transit, AES-256 at rest
  • Role-based access control (principle of least privilege)
  • Annual penetration testing (last: June 3, 2025)
  • SOC 2 Type II certification in progress (expected Q2 2026)
  • Read-only exchange permissions — no trading capabilities
  • IP address allowlisting
  • Audit logging for all API access

Breaking Changes Schedule

No breaking changes currently planned. All v1 endpoints are stable and supported.
Breaking changes will be announced with ≥30 days' notice and a 90-day migration overlap period.

API Support