Release Notes
New features and improvements in PingAuthorize. Updated December 16, 2025.
Subscribe to get automatic updates: PingAuthorize Release Notes RSS feed
PingAuthorize 11.0.0.0 (December 2025)
Converted the PingAuthorize admin console to React
New DS-44421
We’ve rebuilt the PingAuthorize admin console from AngularJS to a modern React-based interface. The updated console offers improved performance, accessibility, and maintainability while preserving familiar configuration and monitoring workflows.
In addition to this restyling, we’ve introduced:
-
Read-only mode support: You can now place the admin console into read-only mode using the
system.readOnlyconfiguration property, preventing changes to server configuration. -
Expert-level configuration: The admin console’s
configuration.complexityproperty now defaults toexpert, allowing you to view and create expert-level configuration objects. -
Configurable console name: You can now change the admin console’s displayed title using the
branding.appNameconfiguration property.
|
The React-based admin console requires PingAuthorize Server 11.0 or later. |
Learn more in Using the PingAuthorize admin console.
Step-up authentication for APIs
New PAZ-17047
You can now force step-up authentication when users access sensitive resources. When authenticated users try to access higher-risk data, such as salary information, health records, or premium content, you can require a higher level of authentication and also set limits on the amount of time allowed since the last authentication event.
Use the new Auth Challenge statement type to implement step-up authentication requirements in your policies. Learn more in Step-up authentication for APIs.
New JSON manipulation functions for SpEL
New PAZ-17686
PingAuthorize now includes productized JSON data manipulation functions for SpEL, making it easier to query, filter, and transform JSON data directly within policies.
This release introduces the following functions:
-
data_associateByKey: Joins two JSON arrays or objects based on a shared key, allowing you to enrich one data set with related information from another. -
data_containsKey: Filters a JSON collection to return only objects that contain a specific key.
By providing native support for common JSON operations, these functions improve policy clarity, consistency, and performance while reducing reliance on custom expressions.
Learn more in SpEL processing examples.
Added support for RSASSA-PSS signing algorithms
New PAZ-19054
The ID Token Validator and JWT Access Token Validator now support the PS256, PS384, and PS512 signing algorithms for OIDC-based logins to the PingAuthorize admin console or Policy Editor.
Learn more in Access token validator types.
Added HTTP metrics to the Periodic Stats Logger
New PAZ-17947
We’ve added support for HTTP metrics in the Periodic Stats Logger, offering deeper insights into HTTP request flow and PingAuthorize Server performance. When enabled, the server captures detailed statistics at rolling 1-minute, 5-minute, and 15-minute intervals to help monitor short-term spikes and longer-term trends.
Learn more in Enabling HTTP metrics in the Periodic Stats Logger.
Standardized URL decoding behavior
Info PAZ-20178
We’ve standardized URL decoding behavior:
-
Policy evaluation: The PingAuthorize Server now decodes the incoming request URL, including the path and query parameters, exactly once before policy evaluation.
-
Request forwarding: The PingAuthorize Server now forwards the original, unmodified request URL to the backend resource server.
|
Backend resource servers must now perform their own URL decoding in accordance with RFC-3986. If your resource servers previously relied on PingAuthorize to forward fully-decoded request URLs, now these servers might fail to process encoded URLs correctly. You must update these servers to handle encoded URLs or deploy a proxy to decode traffic before it reaches the server. |
Documented the Monitor History plugin
Info PAZ-18453
We’ve added documentation for the PingAuthorize Server’s Monitor History plugin, a server component designed to help analyze performance issues and server crashes. This new documentation details how to:
-
Capture the server state leading up to a crash or restart.
-
View Java Virtual Machine (JVM) stack traces to identify blocked or stuck threads.
-
Monitor resource usage and work queue depth over time.
Learn more in Using the Monitor History plugin.
AWS Java SDK upgrade
Info PAZ-18383
We’ve upgraded to AWS Java SDK v2. This upgrade changes the default behavior for Amazon S3 connections to use virtual-hosted-style URLs, disabling legacy path-style access by default.
If your Amazon S3 deployment package stores require path-style access (for example, https://s3.amazonaws.com/<bucket-name>), enable the Use Path Style Access option in the PingAuthorize S3 store configuration to maintain connectivity.
Enhanced flexibility for policy query requests
Improved PAZ-19611
We’ve enhanced the /query endpoint of the JSON PDP API to support more expressive and open-ended authorization queries:
-
You can now include up to two unbound attributes per request for broader discovery scenarios.
-
You can now include up to three multivalued attributes per request for complex batch-style evaluations.
-
You can now resolve query attributes dynamically using other query attributes. For example, the system can first resolve a list of resources and then, for each resource, resolve the list of actions applicable to it.
Learn more in Query requests.
Improved handling of null values in Redis
Improved PAZ-19569
We’ve enhanced the Redis attribute cache to handle missing or null values more gracefully, with improved validation and clearer logging to simplify troubleshooting and improve system stability.
Added more control over response timestamp precision
Improved PAZ-20713
We’ve added a new Policy Decision Service configuration property, use-microseconds-timestamp, which allows you to enforce microsecond-precision timestamps for governance-endpoint API responses. This option improves compatibility with clients that expect legacy timestamp formats.
Learn more in JSON PDP API response format.
Enabled default condition short-circuiting in the Policy Editor
Improved PAZ-18291
Compound conditions in the Policy Editor now short-circuit by default, matching the existing behavior of the PingAuthorize Server. This ensures that policy evaluation stops as soon as a condition is met, improving performance and providing a consistent experience between policy testing and decision runtime.
Optimized setup behavior for modern JVMs
Improved DS-50603
For new installations, bin/setup no longer sets the JVM option ConcGCThreads, allowing modern JVMs to select the optimal value automatically.
Improved policy query performance
Improved PAZ-13111
We’ve improved the performance of policy queries by applying an optimization pass that significantly reduces the size of internal policy structures.
Added server.out files to CSD archives
Improved SUPP-441
To add details about the server state before shutdown, the collect-support-data tool now includes up to five of the latest timestamped server.out files in the CSD archive.
Improved expired certificate handling for TLS negotiation
Fixed DS-49269, DS-49270
We’ve fixed an issue that could cause the server to select an expired certificate when performing TLS negotiation with an external server that has a key manager provider and requests a client certificate chain.
The server now presents an expired certificate only if the key store doesn’t include any certificate chains with currently valid certificates.
We’ve also added the ssl-cert-nickname property to the external server configuration, which allows you to control which client certificate chain the server presents to that external server. If this property isn’t configured, the server attempts to automatically select an appropriate certificate chain.
Fixed array handling in SpEL
Fixed PAZ-12964
We’ve fixed an issue where a SpEL expression returning an array (such as from the .split() function) would cause a PROCESSING_ERROR. These results are now correctly handled as collections.
Fixed an issue with deployment package deletion
Fixed PAZ-5577
We’ve fixed an issue where deployment packages actively deployed to a deployment package store could be deleted. Now, to delete a deployment package, you must first deploy a different package to the relevant store.
Fixed an issue with policy dependency pagination
Fixed PAZ-18631
We’ve fixed an issue where the Policy Editor’s /dependencies endpoint returned extraneous data, leading to incorrect pagination. The endpoint now reports only valid child policies, ensuring consistent and accurate results.
Fixed an issue with HTTP service timeouts
Fixed PAZ-20345
We’ve fixed an issue where HTTP Service calls would incorrectly time out after 10 seconds, even when a longer request timeout was configured.
Fixed a Policy Editor startup issue
Fixed PAZ-19762
We’ve fixed an issue in the admin point application configuration that could prevent the Policy Editor from starting properly.
Fixed inconsistent URL decoding
Fixed PAZ-20178
We’ve fixed an issue where inconsistent URL decoding could allow double-URL-encoded requests to bypass path-based access controls in API security gateway mode.