Skip to content

Changelog

All notable changes to Moveris API (v2) will be documented here.

In plain terms

This page lists new features, changes, deprecations, and fixes. Check it when upgrading your integration or troubleshooting unexpected behavior.

2026

[2.7.0] - 2026-05-14

Changed

  • React SDK (@moveris/react 3.10.1) — Canvas contexts used for capture and quality analysis pin colorSpace: 'srgb' and willReadFrequently: true, reducing pixel drift on Display P3 / wide-gamut displays that previously skewed blur, brightness, and encoded frame data. The default full-frame capture cap moves from 640×480 to 1280×720 to align with the V3.1 training resolution path.

  • React SDK capture format (@moveris/react 3.10.x) — Frame utilities emit PNG base64 only. The previous 'raw' RGBA option and the jpeg-js encoding path were removed from captureVideoFrame and useSmartFrameCapture. Breaking change for advanced integrations: if you relied on 'raw' output or deterministic jpeg-js JPEG, migrate to the returned PNG or encode JPEG yourself outside the helper.

Fixed

  • Containerized inference (MediaPipe) — Docker images ship updated OpenGL libraries and a MediaPipe compatibility shim so face-detection workloads keep running against current upstream library expectations.

[2.6.1] - 2026-05-11

Security

  • Developer Portal API (Python)protobuf is pinned to patched releases (>= 5.29.6) with an updated Poetry lockfile to address known security advisories in the dependency chain.

  • Hosted Verification UI — Dependency upgrades clear current pnpm/npm audit findings (including Vite, PostCSS, fast-uri, and tmp) for the hosted verification web application.

  • Moveris MCP serverHono and related dependency overrides were updated so self-hosted MCP installs pick up upstream security fixes.

[2.6.0] - 2026-05-06

Changed

  • React/Shared SDK (@moveris/react and @moveris/shared 3.8.6) — Face-crop generation now matches the server/training pipeline (20% frame-based margin, bounded non-square crop, then resize to 224×224). This reduces false fake outcomes caused by crop mismatch in custom integrations that build their own crops with calculateFaceCropRegion.

  • Breaking change for custom crop pipelines: calculateFaceCropRegion now returns { x, y, width, height } instead of { x, y, size }, and calculateAdaptiveCropMultiplier was removed.

  • React SDK capture pipeline (@moveris/react 3.8.2 – 3.8.5) — Frame encoding is now deterministic across browsers (jpeg-js instead of canvas.toDataURL) and the SDK exposes an optional raw RGBA capture format on useSmartFrameCapture / captureVideoFrame for advanced integrations that need consistent pixel data and to bypass browser JPEG variance.

Security

  • Integration runtime hardening — Additional dependency security fixes shipped across SDK and MCP surfaces (including Vite, Lodash, Hono and related transitive chains), reducing vulnerability exposure for pinned and self-hosted integrator builds.

[2.5.1] - 2026-04-23

Fixed

  • Social login account linking (Developer Portal auth) — When a user signs in with Google or GitHub and the email already exists, the backend now auto-links the social provider to that existing account instead of forcing password login. This removes avoidable login failures for teams using social auth.

[2.5.0] - 2026-04-23

Added

  • Embeddable Cognito widgets (@moveris/cognito-check and @moveris/cognito-check-react 0.1.0) — New SDK packages provide a hosted checkbox-style verification entrypoint for teams that want a lightweight, embeddable verification trigger in web apps.
  • Portal admin cache refresh action — Admins can now trigger allowed-host cache refreshes from the backend tooling, reducing propagation delays when CORS allowlists are updated.

Changed

  • Developer Portal authentication and authorization — Portal-facing endpoints now use JWT auth with role-based access control (RBAC) and organization scoping more consistently, improving tenant isolation for multi-org teams integrating through the portal.
  • Cognito widget UX behavior — Verification checkbox state now locks after success, applies a 30s timeout guard, and standardizes camera preview to a 4:3 aspect ratio to reduce webcam cropping issues.

Fixed

  • API key revocation handling — Revoked API keys now raise a dedicated backend error path and return clearer auth failures for clients, making key-rotation incidents easier to diagnose.

Security

  • Dependency hardening across integration surfaces — Additional vulnerability patches were released across MCP/server tooling and SDK build dependencies (including Hono/Vite-related chains), reducing exposure for pinned deployments.

[2.4.1] - 2026-04-22

Changed

  • Verification UI (0.4.0) — Hosted verification flow now forwards camera capability context in crop submissions, improving downstream auditability for integrators using the hosted experience.
  • Developer portal backend reliability — Admin detection listings were optimized to reduce N+1 query overhead in large datasets. This improves performance for teams reviewing verification activity.

Security

  • Runtime dependency hardening — Security updates were shipped across SDK/Verification UI/MCP tooling (including Vite and related transitive packages), reducing known vulnerability exposure for pinned integrations.

[2.4.0] - 2026-04-15

Added

  • Async Video Detect idempotencyPOST /api/v1/{tenant_slug}/video/detect now supports the Idempotency-Key header. Reusing the same key with the same API key returns the original submission_id instead of creating duplicate async jobs, which helps integrators retry safely after network interruptions.
  • React SDK (@moveris/react 3.7.0) — Added LivenessCaptureProvider context plus brightness sampling utilities (sampleCenterBrightness, sampleFaceBrightness) for advanced custom overlays and capture-feedback UIs without prop threading.

Changed

  • React SDK (@moveris/react 3.6.3) — Capture pacing can now be tuned with both captureIntervalMs and minCaptureDelay; the previous hard floor that limited effective capture rate has been removed when you set a lower delay explicitly.
  • Verification UI — Updated to SDK @moveris/react 3.6.3 and aligned capture throttling values for more consistent frame cadence during hosted verification sessions.
  • Developer Portal integration layer — Portal API calls now consistently target the unified /api/v1 paths with Bearer-authenticated requests and envelope-unwrapped responses, improving compatibility with API v2 response handling in portal workflows.

Fixed

  • Async video processing (portrait videos) — Frame extraction now correctly applies OpenCV rotation metadata for portrait MP4 uploads, preventing incorrect orientation during inference.
  • React SDK (@moveris/react 3.6.3) — Camera and detection loops stop as soon as frame collection enters uploading, avoiding unnecessary camera activity while waiting for the API response.

Security

  • Dependency vulnerability updates were shipped across API, MCP, and Verification UI runtimes (including key auth/runtime packages) to reduce exposure for integrators running self-hosted or pinned builds.

[2.3.1] - 2026-04-02

Fixed

  • React SDK (@moveris/react / @moveris/react-native / @moveris/shared 3.6.2) — When the API returns HTTP success but the JSON body has no verdict field, LivenessClient now maps the result to verdict inconclusive instead of throwing LivenessApiError. Responses that include an error or failed success still throw as before.

Changed

  • Developer Portal — transactional emails — Signup, billing, and payment-related notifications use a shared base layout with refreshed copy; payment_failed template binding is corrected.

[2.3.0] - 2026-04-02

Added

  • Developer Portal — organization video settings — Organization admins can set the tenant slug (used in POST/GET /api/v1/{tenant_slug}/video/detect) and an optional video metadata schema (JSON Schema) so metadata on async video submissions is validated consistently. Configure both under Settings in the Developer Portal.
  • Webhook delivery logs — payload echo and filters — Delivery log API responses now include request_body (the JSON body Moveris attempted to deliver). You can filter logs by event_type (e.g. verification.completed, verification.failed) and by model (resolved model in the payload). The Portal Webhook / delivery views add filtering and a detail drawer for each attempt; event labels use the verification.* names.

Changed

  • React SDK (@moveris/react / @moveris/react-native / @moveris/shared 3.6.1) — The dynamic-range advisory threshold for soft lighting feedback (“Find better lighting”) is lower (internal constant DYNAMIC_RANGE_WARNING_THRESHOLD 180 → 60), so guidance appears in more real-world lighting while remaining non-blocking (capture is not stopped).

Security

  • Moveris MCP serverpath-to-regexp constrained to >= 8.4.0 to address reported ReDoS issues.

[2.2.0] - 2026-04-01

Added

  • verification.failed webhook — In the Developer Portal you can subscribe to a second event type. Moveris sends it when ML inference or async video processing fails after authentication and request validation (covers fast-check, fast-check-crops, fast-check-stream, and tenant video/detect). The JSON body keeps the same top-level shape as verification.completed (event, session_id, timestamp, data); for failures, data includes error, model, input_source, processing_ms, and frames_processed (no verdict). The X-Webhook-Event header is verification.failed. Configure which events each webhook receives in the Portal (completed only, failed only, or both). Signing with your webhook secret works the same as for completed events.
  • React SDK (@moveris/react / @moveris/react-native 3.5.0) — Clearer camera permission denied messaging and built-in denied UI on LivenessCamera.

Changed

  • @moveris/shared (LivenessClient) — Unwraps the API v2 standard JSON envelope (data, success, message) and maps the structured errors array format. Use a @moveris/shared release that includes this behavior together with API v2; upgrade @moveris/react / @moveris/react-native to pick up the matching dependency range.
  • Default model in deployment templates — Example and Fly/Docker configuration defaults now align on mixed-10-v2 where a single default model alias is set (adjust MODELS_* / worker settings for your environment).
  • Developer Portal (backend)Proxies to API v2 unwrap the standard response envelope (e.g. models list for the Portal UI).
  • Moveris MCP server — Consumes API v2 response envelopes; dependency updates for reported vulnerabilities (e.g. path-to-regexp).
  • Verification UI — End-to-end handling of API v2 standard responses.

Fixed

  • Webhook delivery logging — Failure-path deliveries no longer hit invalid null constraints or missing session linkage when emitting verification.failed (delivery logs and MCP session stubs behave consistently).
  • Developer Portal (web UI) — Dependency updates (including pinned axios) to address npm audit findings.

[2.1.0] - 2026-03-27

Added

  • Standard response envelope on all endpoints — Every JSON response is now wrapped in { "data": ..., "success": true/false, "message": "..." }. Error responses include an errors array with error-code-keyed messages. Webhook payloads are not affected (they keep the { event, session_id, timestamp, data } format). See Errors.
  • Async tenant-scoped video detection endpoints — New endpoints for pre-recorded video processing:
  • POST /api/v1/{tenant_slug}/video/detect to submit a video file (or URL) and get a submission_id
  • GET /api/v1/{tenant_slug}/video/detect/{submission_id} to poll status and retrieve results when complete Supports tenant metadata validation, tenant/org access checks, and async queue processing.
  • React SDK camera capability inspection@moveris/react / @moveris/shared (3.4.0) now expose camera capability helpers (getCameraCapabilities, validateCameraRequirements, getOptimalConstraints) plus useCamera capability fields and LivenessView onCapabilities callback for device diagnostics.

Changed

  • Response format (breaking) — All API responses now use the standard envelope. Clients must read response.data for the payload instead of the top-level body. Errors use success: false with errors array instead of the previous flat { "error": "...", "message": "..." } format. Validation errors return 400 (previously 422).
  • React SDK capture quality signals — Recent SDK releases improve real-time capture guidance with matrix-based roll detection and dynamic-range soft warnings ("Find better lighting"), while keeping capture non-blocking for advisory-only conditions.
  • Verification UI capture flow — Verification UI now uses crop-based submission aligned with fast-check-crops and supports alias-based model resolution in requests, improving compatibility with API v2 model versioning.

Fixed

  • Verification UI crop payload shape — Crop submissions now send { index, pixels } objects to match the fast-check-crops schema.
  • Portal/API edge networking for integrators — Upstream platform now forwards Fly-Client-IP through Nginx, improving real client IP visibility for integrations relying on network telemetry.

[2.0.1] - 2026-03-23

Added

  • React SDK: Face area quality gateuseSmartFrameCapture now rejects faces that occupy less than 4% of the frame area. Helps avoid low-quality captures when the user is too far from the camera.
  • React SDK: captureIntervalMs and onEyeWarninguseSmartFrameCapture gains captureIntervalMs (default 100 ms) to tune capture rate (e.g. 50 ms for ~20 FPS). useDetectionPipeline gains onEyeWarning callback for real-time eye quality feedback ("Eyes are in shadow", "Glare detected", etc.) just before onRestartNeeded fires.
  • MCP: frame_count parameterverify-human-presence tool accepts optional frame_count (10, 30, 60, 90, 120) to override the default derived from risk_level.

Changed

  • React SDK: Default endpointLivenessView and useLiveness now default to fast-check-crops instead of fast-check-stream. Pass endpoint="fast-check-stream" to preserve previous behavior.
  • MCP: Alias-based model resolutionverify-human-presence tool uses API v2 alias resolution. Response model field now returns frame count string (e.g. "10", "30"); new model_version and frame_count fields added. Risk levels map to { modelVersion: "latest", frameCount } tuples.

[2.0.0] - 2026-03-20

Added

  • Model versioning (v2 flow) — New frame_count body parameter and X-Model-Version request header for alias-based model resolution. Send X-Model-Version: latest (or v1, v2, fast, etc.) with frame_count: 10|30|60|90|120 to resolve the concrete model. See Model Versioning & Frames.
  • Deprecation response headers — When using a deprecated model, responses include Deprecation: true, Sunset, X-Moveris-Deprecated-Model, and X-Moveris-Suggested-Model. All responses include X-Moveris-Model-Resolved with the resolved model ID.
  • Billing suspension guard — Suspended accounts receive 402 with error: "account_suspended" (distinct from insufficient_credits). Credit pre-check runs before processing; usage logs persist for audit.

Changed

  • CORSX-Model-Version header is now allowed in CORS preflight. Deprecation response headers are exposed to clients.
  • Request schema — When X-Model-Version header is present, the model body field is ignored; resolution uses (version, frame_count) instead.

[1.12.0] - 2026-03-19

Added

  • Fast Check Crops: bg_segmentation — Optional request field to indicate whether background segmentation was applied to crops before sending. Stored in session metadata for A/B analytics comparing model accuracy with vs. without segmentation.

[1.11.3] - 2026-03-17

Security

  • Dependency vulnerability fixes (pillow, orjson, PyJWT) to address a Pillow out-of-bounds write and an orjson recursion DoS.

[1.11.2] - 2026-03-13

Added

  • React SDK: useDetectionPipeline hook for gaze + eye-region gating, exposing detectionGate and getWarnings() for session warnings at submit time.

Changed

  • React SDK: useSmartFrameCapture now supports external detectionGate and adds restart() for blocking conditions (e.g. hidden/shadowed eyes). Glasses detection is non-blocking and forwarded as a warning.
  • Documentation: API key scopes and frame capture requirements documentation updated (including clarification for capture behavior by endpoint).

[1.11.1] - 2026-03-12

Added

  • AI-readable documentationllms.txt and llms-full.txt added for AI assistant integration (Claude Code, ChatGPT, Cursor). Enables AI tools to discover and use the API documentation during integration.
  • SDK documentation updatesSession ID (sessionId) prop documented for LivenessView, LivenessModal, and useLiveness (React and React Native). CapturedFrame type clarified (timestampMs in SDK, timestamp_ms in API payload).

[1.11.0] - 2026-03-12

Added

  • Capture warnings in fast-check responses — Optional warnings field in request and response for Fast Check, Fast Check Stream, and Fast Check Crops. Frontends can report capture conditions (e.g. "Low light detected", "Face not centered"); the API echoes aggregated warnings in the response for debugging and UX improvement.

Changed

  • Basic Auth for documentation — Optional authentication for documentation endpoints when DOCS_BASIC_AUTH is configured. Protects staging docs from public access.

[1.10.0] - 2026-03-11

Added

  • API key scopes — API keys can be restricted by scope: detection:write, detection:read, session:write, session:read, session:audit, keys:read, keys:write, usage:read, credits:read, webhooks:read, webhooks:write, hosts:read, hosts:write. Create scoped keys in the Developer Portal for least-privilege access. Keys with empty scopes retain full access (backward compatible).

Changed

  • Endpoints now enforce scope requirements. Requests with keys that lack the required scope return 403 with error: "insufficient_scope" and required_scope in the response.

[1.9.1] - 2026-03-10

Fixed

  • Mixed model credit costs — Corrected credit deduction for mixed-v2 models (e.g. mixed-10-v2, mixed-30-v2, mixed-90-v2, mixed-120-v2). Requests using these models now deduct the correct number of credits per model config.

[1.9.0] - 2026-03-10

Added

  • Models registry endpoint — GET /api/v1/models returns the list of available models with id, label, description, min_frames, and deprecated status. Authenticated via shared app-to-app Bearer token. Used by the Developer Portal and SDK useModels hook for dynamic model selection.
  • React SDK useModels hook — Fetch available models from the API and build dynamic model selectors with deprecated-flag support. Integrations can show model descriptions and warn when using deprecated models.

[1.8.0] - 2026-03-09

Added

  • Mixed V2 models — New model family trained on 6,486 videos across 9 attack types. Includes mixed-10-v2, mixed-30-v2, mixed-60-v2, mixed-90-v2, mixed-120-v2 with improved accuracy and per-model EER thresholds. See Models overview.

Deprecated

  • Legacy mixed modelsmixed-10, mixed-30, mixed-60, mixed-90, mixed-120, mixed-150, and mixed-250 are deprecated. Migrate to the corresponding mixed-N-v2 variants.

[1.7.0] - 2026-03-06

Changed

  • Dynamic CORS — CORS allowed origins are now managed via the Developer Portal (AllowedHost entries) instead of a fixed configuration. Organizations can add and manage allowed hosts (e.g. for Qualtrics, Pavlovia, custom domains) without code changes.

[1.6.0] - 2026-03-04

Fixed

  • Documentation — Added missing CLAUDE.md.txt download for AI integration and Claude Code workflows.

[1.5.0] - 2026-03-03

Added

  • Session endpoints for verification landing page — GET /api/v1/sessions/{session_id} returns session context; PATCH /api/v1/sessions/{session_id}/audit records audit events. Enables the verification UI to display session metadata and track user interactions.
  • HMAC verification token authentication — MCP verification flows can use short-lived tokens (in URL or X-API-Key header) instead of API keys. Tokens are signed with VERIFICATION_TOKEN_SECRET.

Changed

  • CORS support for verification landing page — Added verify.moveris.com and dev.verify.moveris.com to allowed origins so the verification UI can call the API without CORS errors.

Fixed

  • React SDK: Eliminated LivenessCamera flickering caused by unstable callback dependencies.
  • React SDK: Injectable sessionId support for liveness detection components.

[1.4.0] - 2026-02-26

Added

  • MCP (Model Context Protocol)AI agents can now verify human presence before high-stakes actions. Integrate Moveris with Cursor, Claude Desktop, ChatGPT, Microsoft Copilot, Meta AI, and other MCP hosts. Documentation includes step-by-step agent configurations.
  • CORS support for Qualtrics and Pavlovia — Embed the liveness flow in Qualtrics and Pavlovia survey subdomains without CORS errors.

Changed

  • Documentation site updated with glossary improvements and MCP reference pages.

[1.3.0] - 2026-02-24

Added

  • Webhook delivery logs — View delivery history and status of webhooks in the Developer Portal. Helps debug failed deliveries and monitor verification callbacks.
  • MCP verification sessions — Create and manage verification sessions for AI agents. Sessions can be tracked and cleaned up automatically.

[1.2.0] - 2026-02-13

Added

  • Fast Check Stream endpoint — New endpoint for high-concurrency frame uploads. Ideal when many users verify in parallel or when you prefer streaming over batch uploads.
  • Organization name and code — API responses can include organization details for multi-tenant integrations.
  • Model cards — Public documentation for each liveness model (Fast, Balanced, Thorough) with use cases and performance characteristics.
  • Documentation portal — Central docs site at documentation.moveris.com with API reference, SDK guides, examples, and best practices.

Changed

  • Improved liveness detection when using mixed frame counts across models.
  • React and React Native SDK documentation expanded with component usage and examples.

[1.1.0] - 2026-02-08

Added

  • Organization invitations — Invite users to your organization via invitation codes in the Developer Portal. Supports email/password and social login flows.
  • Streaming liveness in React — React SDK components now support streaming options for smoother capture flows and lower latency.

Fixed

  • Face-crops endpoint behavior corrected for pre-cropped image submissions.
  • Organization mapping and invitation code validation in the Developer Portal.

How to Read This Changelog

  • Added - New features
  • Changed - Changes to existing functionality
  • Deprecated - Features that will be removed in future versions
  • Removed - Features that have been removed
  • Fixed - Bug fixes
  • Security - Security-related changes