Requesting access for usage-based auto-locked Resources is now manageable via the API.

(New) accessRequest

• Looks up and returns an AccessRequest by its ID.

(New)accessRequests

• Looks up and returns zero or more AccessRequest objects that match the filter criteria.

• The filter argument supports filtering by User ID and Resource ID.

(New)accessRequestApprove

• Approve an AccessRequest by its ID.

(New)accessRequestReject

• Reject an AccessRequest by its ID.

(New)AccessRequest

• An object containing information about the access request, including its associated User and Resource.

Usage-based access is now configurable via the API.

resourceCreate, resourceUpdate

• Added argument usageBasedAutolockDurationDays: Int to set and update the usage-based auto-lock duration configured on the resource (in days).

  • If unspecified, the resource's existing auto-lock duration remains unchanged.

  • If null, the resource's existing auto-lock duration is removed.

resourceAccessAdd, resourceAccessSet

• accessInput now accepts a new input field to configure usage-based access

  • usageBasedAutolockDurationDays: Int: The usage-based auto-lock duration configured on a group's access to a Resource (in days).

    • If unspecified, the group's existing auto-lock duration remains unchanged.

    • If null, the group's existing auto-lock duration is removed. This value should be null if this is for a service account.

Resource

• Added usageBasedAutolockDurationDays field specifying the usage-based auto-lock duration configured on the Resource (in days).

AccessEdge

• Added usageBasedAutolockDurationDays field specifying the usage-based auto-lock duration configured on the group's access to a Resource (in days).

Serial numbers can now be created and deleted via API. Any new and existing devices who have matching serial numbers will be verified.

(New) serialNumbers

• Returns serialNumbers with the following attributes:

  • id: ID!

  • serialNumber: String!

  • createdAt: DateTime!

  • matchedDevices: [Device!]!: Devices who have matching serial numbers. These devices are now verified.

(New) serialNumbersCreate

• Takes a list of serial numbers and verifies them. Both new and existing Devices with matching serial numbers will now be verified.

(New) serialNumbersDelete

• Takes a list of serial numbers and deletes them. Any Devices with matching serial numbers are no longer considered verified.

Added support for managing the DNS filtering allowlist and denylist.

(New) dnsFilteringProfile

• Returns a DnsFilteringProfile that contains information about the current DNS filtering configuration. Returns null if DNS filtering isn't enabled.

• DnsFilteringProfile has the following attributes:

  • allowedDomains: [String!]!: a list of allowed domains.

  • deniedDomains: [String!]!: a list of denied domains.

  • id: ID!: the ID of the DNS filtering profile. Currently this field is unused elsewhere.

(New) dnsFilteringAllowedDomainsSet

• Sets the DNS filtering allowlist. Whatever list is provided will override the current allowlist. Passing null will clear the allowlist.

(New) dnsFilteringDeniedDomainsSet

• Sets the DNS filtering denylist. Whatever list is provided will override the current denylist. Passing null will clear the denylist.

Ephemeral access is now configurable via the API.

resourceAccessAdd, resourceAccessSet

• accessInput now accepts a new parameter to configure ephemeral access

  • expiresAs: DateTime: The timestamp at which the access expires. If unspecified, any existing expiration remains unchanged. If null, the existing expiration is removed. This value must be unspecified when the principal is a service account.

Users can now be filtered by their first name, last name, and role.

users

• The filter when filtering for users has additional filtering options:

  • firstName: StringFilterOperatorInput: filters users by their first name.

  • lastName: StringFilterOperatorInput: filters users by their last name.

  • role: StringFilterOperatorInput: filters users by their role, e.g. "SUPPORT" or "ADMIN".

It's now easier to search for objects using strings across all of our GraphQL queries.

StringFilterOperatorInput

• Strings can now be filtered using additional parameters:

  • startsWith: String: returns true if a field starts with the passed string.

  • endsWith: String: returns true if a field ends with the passed string.

  • contains: String: returns true if a field contains the passed string.

  • in: [String!]: returns true if a field is in the set of passed strings.

  • regexp: String: returns true if a field matches the passed regular expression.

Added Connector metadata to API endpoints.

Connector

• Added the version field, which is the Connector's version.

• Added the publicIP field, which is the Connector's public IP.

• Added the privateIPs field, which is the Connector's private IP, if detected.

• Added the hostname field, which is the hostname of the machine or VM hosting the Connector, if detected.

Device.lastConnectedAt

• This field is now deprecated and will return an empty value.

Added support for Security Policies on Resources.

resourceCreate and resourceUpdate

• Added the ability to specify the Resource's security policy.

groupCreate

• Providing a Security Policy will now set the Security Policy used to access any Groups also passed during creation.

groupUpdate

• Providing a Security Policy will update the Security Policy used to access all of the Resources the Group has access to, including Resources not passed in addedResourceIds. No Security Policies will be updated if no Security Policy is passed.

(New) resourceAccessAdd

• Given a Resource, add Groups or Service Accounts with access to the Resource and, for Groups, define which Security Policy they use.

(New) resourceAccessSet

• Given a Resource, set which Groups or Service Accounts have access to the Resource and, for Groups, which Security Policy they use. Groups and Service Accounts not included in this call will be removed.

(New) resourceAccessRemove

• Given a Resource, remove Groups' and Security Accounts' access to the Resource.

Added expanded support for managing users.

(New) userCreate

• Creates and optionally invites a new user. If you use an IdP, contact us to enable adding users via social login.

(New) userDelete

• Deletes a user. Users who are synced via an IdP cannot be deleted.

(New) userRoleUpdate

• Updates a user's role.

(New) userDetailsUpdate

• Updates details about a user.

Added the ability to assign aliases to Resources.

resourceCreate and resourceUpdate

• A Resource's alias can be now be set from the API.

Resource

• The alias field is the Resource's alias, if one is set.

Added the ability to see whether a user is synced from your account's IdP or manually added.

users

• Added the ability to query users by their type.

User

• Added the type field, denoting whether a user is synced or manually added.

Added the ability to filter Connectors by their state.

connectors

• Connectors can now be filtered by their state.

Added the ability to query and mutate Device state.

(New) deviceArchive

• Archives a Device. Devices are unarchived when they next connect to Twingate.

(New) deviceBlock

• Blocks a Device. Blocked Devices cannot access Twingate.

(New) deviceUnblock

• Unblocks a Device.

devices

• Devices can now be filtered by device state.

Device

• Devices now have an activeState field, which determines whether the Device is active, archived, or blocked.

Added API support for Resource Visibility.

resourceCreate and resourceUpdate

• Added the ability to set and update a Resource's visibility options.

Resource

• Added two fields for a Resource's visibility options:

  • isVisible: whether a Resource will be in the main Resource list in the Client.

  • isBrowserShortcutEnabled: whether a Resource will have an "Open in Browser" shortcut in the Client.

Added the ability to specify a Remote Network's location.

remoteNetworkCreate

• Added the ability to set location during creation time. The location will default to "other" if not set.

remoteNetworkUpdate

• Added the ability to update location.

(New) RemoteNetworkLocation

• An enum of possible Remote Network locations, one of AWS, Azure, Google Cloud, on premises or other.

RemoteNetwork

• Now has a location field specifying where the Remote Network is located

Added the ability to toggle whether a Connector should have downtime notifications from the API.

connectorCreate and connectorUpdate

• Status notifications can be toggled on and off for a Connector by setting hasStatusNotificationsEnabled true or false respectively.

Added the ability to set a Group's Security Policy.

securityPolicyCreate and securityPolicyUpdate

• Added the ability to specify securityPolicyID to set a Group's Security Policy.

Added the ability to name Connectors at creation time.

connectorCreate

• Now takes a name argument that will set the Connector's name.

Added API endpoints to manage Service Accounts.

(New) serviceAccountKey

• Looks up and returns a ServiceAccountKey by its ID.

(New) serviceAccount

• Looks up and returns a ServiceAccount by its ID.

(New) serviceAccountKeyCreate

• Creates a new Service Key for a Service Account.

(New) serviceAccountKeyUpdate

• Renames a Service Key.

(New) serviceAccountKeyRevoke

• Revokes a Service Key. Any headless clients using this Service Key will no longer be able to connect to Twingate.

(New) serviceAccountKeyDelete

• Deletes a Service Key. Any headless clients using this Service Key will no longer be able to connect to Twingate.

(New) serviceAccountCreate

• Creates a new Service Account, optionally with a list of Resources that the Service Account will have access to.

(New) serviceAccountUpdate

• Updates an existing Service Account, including renaming the Service Account or adding and removing Resources from the Service Account.

(New) serviceAccountDelete

• Deletes a Service Account.

(New) ServiceAccountKey

• An object containing information about a Service Key, including its status and expiration time.

(New) ServiceAccount

• An object containing information about a Service Account, including its associated Resources and Service Keys.

Deleting a Remote Network will now fail if the Remote Network has any Resources.

remoteNetworkDelete

• If a Remote Network has any Resources, remoteNetworkDelete will fail and return an error. Delete all of a Remote Network's Resources before deleting the Remote Network.

Added the ability to query and mutate Devices from the API.

(New) device

• Looks up and returns a Device by its ID.

(New) devices

• Looks up and returns a zero or more Devices that match the filter criteria.

(New) deviceUpdate

• Mutates a Device's state, currently only used for manually verifying a device.

(New) Device

• An object containing information about a Device, including information about verification status, its hardware and its user.

Added the ability to rename Connectors from the API.

(New) connectorUpdate

• The connectorUpdate endpoint is able to rename a Connector.

You can now filter Groups, Remote Networks, and Resources by their names.

groups, remoteNetworks, and resources

• For each query, the filter parameter now has a name field to filter objects by their name.

Connector names are now unique within a Remote Network rather than with an entire account.

connectorCreate and connectorUpdate

• Connector names are now unique within a Remote Network rather than within an entire account.