Skip to main content


Discover the new features, logic changes, bug fixes, breaking changes, and known issues and limitations in Piiano Vault release v1.2.0.

New features

  • A new crypto REST API endpoints and equivalent CLI command:
    • These endpoints and CLI commands allow you to encrypt an object without storing it in the Vault, as well as decrypt and update an encrypted object. See Crypto API endpoints and CLI reference for more information.
    • Tokens and hashes can now be created from an encrypted value that was previously encrypted using the Vault's encryption API endpoint.
  • A new feature, custom data types, has been added to Vault.
    • Custom data types are based on builtin types and may be used as the data type of a property in a collection, just like builtin types.
    • Custom data types may optionally redefine the validator, normalizer and transformations of the type (these are called type functions).
    • Type functions are defined and exported from JavaScript bundles. Bundles can be added to Vault, and can be read, updated and deleted using the Bundle REST API.
    • The Bundle REST API is implemented by a new endpoint at /api/pvlt/1.0/ctl/bundles. See the Bundles API endpoints for more information.
    • The existing endpoint at /api/pvlt/1.0/ctl/types has been changed. It now implements the Data Type REST API which manages custom data types as well as builtin types. See the Data Types API endpoints and CLI reference for more information.
    • Two new commands were added to the CLI. The bundle command provides access to the Bundle REST API. The datatype command provides access to the Data Type REST API. See the bundle CLI reference for more information.

New capabilities

New IAM capabilities were added:

  • Bundle management added CapCodeReader and CapCodeWriter.
  • Custom properties added CapTypesReader and CapTypesWriter.

New installs include these capabilities in the IAM file loaded during startup. For existing installs, you must edit the IAM configuration manually and add these capabilities to the roles requiring them.

💡 The Admin role automatically includes all capabilities (including these new ones).

Logic changes

  • Remove the PVAULT_FEATURES_CUSTOM_TYPES_ENABLE environment variable. Custom types are now always enabled.
  • Token update logic was improved to be faster and more efficient.
  • Detokenization - improved SQL index for consistent performance.

Bug fixes

  • Fixed Sentry integration that caused Vault to have increased memory usage.
  • Fixed a bug where Vault could not update a token that was created with the object.fields parameter.
  • Fixed a bug where Vault could not add a new object if its cache wasn't up to date. Vault would now only use the cache to validate the object's schema, until updated.

Breaking changes

  • The existing endpoint at /api/pvlt/1.0/ctl/types has been changed.
  • The format of the type configuration file, pvault.types.toml has been changed.

Known issues and limitations

  • Queries can only match untransformed properties (properties with transformations, such as ssn.mask, are not matched).
  • No pagination is provided for the tokens API operations Search tokens and Detokenize tokens.
  • No pagination is provided for the List objects API operation when retrieving a list of objects using IDs. When requesting a number of objects which exceeds the page size, an error is returned.
  • You cannot derive custom data types from custom data types (only from builtins).