Changelog
Review changes and notices for the PingOne APIs or the associated SDKs, by year.
Subscribe to get automatic updates: PingOne Platform APIs Changelog RSS feed
2026
April
April 9
Custom notification sender - Syniverse Channels
New PingOne
You can now create a custom notification sender that uses your defined Syniverse channels rather than individual phone numbers. You can find details in the Create Phone Delivery Settings (Syniverse channels) and Update Phone Delivery Settings (select Syniverse channels) examples.
April 7
Custom metadata properties for applications
New PingOne
We have added new endpoints to allow administrators to optionally manage custom metadata properties for applications. These properties are intended for administrative purposes, such as storing contact or other relevant information about the application. You can find details in Application Metadata.
April 1
New notification templates for account creation and user verification
New PingOne
We’ve released a new notification template for account creation, which sends a notification to the user when an account is created using the PingOne Connector in DaVinci. We’ve also released a new notification template for user verification, in which you can customize the verification code notification templates to use in a DaVinci flow. Learn more in Notifications Templates.
March
March 31
New status fields for push and OTP authentication methods
New PingOne MFA
The existing pushEnabled and otpEnabled fields indicate whether push and OTP were initially enabled for a device. Since the enabled/disabled status can change over time, two new objects, pushStatus and otpStatus, have been added for mobile devices to reflect the current device status for receiving pushes and the current device status for OTP authentication. You can find details in Native Device Properties.
March 30
On-premise credential signing keys for PingOne Credentials
New PingOne Credentials
PingOne Credentials enables you to sign credentials using your cryptographic keys that you hold on-premise, rather than using keys stored in PingOne. Refer to Credential signing with on-premise keys for details.
March 29
Risk user profile data endpoint
New PingOne Protect
You can now erase all of the risk-related data that has been collected for a specific user, using the riskUserProfile endpoint. For details, refer to Risk Data.
March 18
Deprecation of cardDesignTemplate in PingOne Credentials
Deprecated PingOne Credentials
PingOne Credentials no longer supports cardDesignTemplate; it is deprecated and replaced by fixed templates. The property metadata.fields.isVisible, which controls visibility of fields in cardDesignTemplate, is no longer required and is also deprecated. Existing credential types defined by a cardDesignTemplate will continue to work, but cardDesignTemplate cannot be updated. You can use Update a Credential Type to remove cardDesignTemplate and add a visualizationTemplateData object to such credential types.
March 12
Configurable attribute to locate users based on username tokens
New PingOne
Added the userAttributeUsernameMatch attribute for Microsoft 365 applications. This allows you to customize how the username in an STS Username token request is matched to a PingOne user profile, overriding the default email address match.
You can find details in the Applications WS-Federation settings data model.
March 10
Support for OIDC client-initiated backchannel authentication (CIBA)
New PingOne
PingOne now supports OIDC client-initiated backchannel authentication (CIBA). This enables an out-of-band authentication flow initiated by an end user from a consumption device, such as a point-of-sale system, and completed on the user’s authentication device. The application must be configured with a grantTypes value of ciba. Learn more in CIBA grant type.
OAuth 2.0 token exchange
New PingOne
PingOne now supports OAuth 2.0 token exchange (RFC 8693). This enables an application to present a subject token and optionally an actor token and receive an access token for a custom resource. The application must be configured with a grantTypes value of token_exchange. Learn more in Token exchange grant type.
Option to set custom resource attributes as required
New PingOne
We’ve added the Required Boolean attribute to the Resource service. This is an optional setting enabling you to make a property required for custom resources. Learn more in Resource attributes data model.
February
February 24
Grace period for authenticator app (TOTP) passcodes is now configurable
New PingOne MFA
The grace period for authenticator app (TOTP) passcodes is now configurable. You can find the description of the new parameter passcodeGracePeriod in the TOTP device authentication policy data model and the Create Device Authentication Policy example.
February 20
Gateway API support for PingOne Advanced Identity Cloud and PingAM connections
New PingOne
The Gateway API service now supports PingOne Advanced Identity Cloud connections. Learn more in Create PingOne AIC Connection.
February 4
Key rotation policies for OIDC worker applications
New PingOne
You can now use key rotation policies (KRPs) with OIDC worker applications. Learn more in the Applications OIDC settings data model. PingOne now uses the KRP for token signing when the application includes PingOne API scopes in its authorization requests. Previously, PingOne would use the default key in this instance.
January
January 27
Opaque refresh tokens for OIDC-based applications
New PingOne
Opaque refresh tokens are now supported for OIDC-based applications. Because opaque refresh tokens are more secure and the recommended format, after March 1, 2027, JWTs will be deprecated. Learn more in Refresh tokens.
January 25
Configurable retention periods for risk data
New PingOne Protect
Using the new riskSettings endpoint, you can now specify maximum retention periods for the risk data that’s used by the following risk predictors: New Device, User Location Anomaly, User Based Risk Behavior. You can find details in the Protect settings data model and the relevant update and read examples.
January 15
Minimum PIN length for FIDO policies
New PingOne MFA
When defining FIDO policies, you can now use the new object userVerification.pinRequirement to set a minimum PIN code length for devices. For details, refer to the FIDO policies data model and the Create FIDO Policy - specific authenticators example.
January 12
Assertion Validity Duration and WS-Trust 1.3 support for Microsoft 365 applications
New PingOne
For Microsoft 365 applications, you can now specify the Assertion Validity Duration (the assertionDuration property). This setting controls the expiration time for the SAML assertion in passive profile sign-on requests. We’ve also added support for WS-Trust (Web Services Trust) 1.3 for Microsoft 365 applications. These options are supported when Advanced Configuration is enabled.
2025
December
December 7
Custom MAIL FROM domains for PingOne email notifications
New PingOne
To reduce the likelihood of PingOne email notifications getting flagged as spam when you are using Ping Identity as the notification sender, you can use the new endpoint mailFromDomain to define a custom MAIL FROM domain for trusted email domains that you have configured. Specifying a MAIL FROM domain results in SPF alignment with the FROM header, reducing the chances that the DMARC check will fail. You can find details in Custom MAIL FROM domains, and in the relevant PUT, GET, and DELETE examples.
November
November 17
Inbound traffic policies for customer-configuration data
New PingOne
The platform now supports incoming customer-configuration data on requests to customer environments. You can define multiple inbound traffic policies that identify specific clients and the structure of their requests. For detailed information, refer to Inbound Traffic Policies.
October
October 28
Support for mTLS on custom domains
New PingOne
The platform includes an mtlsEnabled property on custom domains to specify whether the custom domain supports the use of mTLS when establishing connections to PingOne. Refer to Custom Domains.
October 22
Endpoints for importing and exporting forms
New PingOne
The platform now includes endpoints to import and export forms. Refer to Import Form and Export Form.
Retrieval of authorization server metadata
New PingOne
The platform now includes endpoints to retrieve authorization server metadata. Refer to OAuth 2.0 Authorization Server Metadata and OAuth 2.0 Authorization Server Metadata (custom domain).
October 20
Independent documentation sets for PingOne Universal Services
Info PingOne
We’ve published the PingOne Universal Services collections (PingOne Authorize, PingOne DaVinci, PingOne MFA, PingOne Credentials, and PingOne Protect) as independent documentation sets. All are linked from the PingOne Platform APIs.
September
September 24
Removal of verification limits and deprecation of Reset Verification
Info PingOne Verify
PingOne Verify has removed the per-user verification limits, both per hour and per day. Therefore, Reset Verification, which resets the verification limits of a user, is deprecated and will be removed Sep 24, 2026.
September 15
Support for API Rate Limiting and Usage Dashboard
New PingOne
We’ve added support for the new Rate Limiting feature. Rate entitlement enforcement will begin at some point after September 2025. You can use the API Usage Dashboard now to track your usage, and determine if the existing entitlements will be sufficient to meet the needs of your business when enforcement starts. Refer to Rate Limiting for more information.
September 2
Custom notification providers with OAuth 2 or custom header authentication
New PingOne
When defining a custom provider for SMS/voice or email notifications from PingOne, you can now also use providers that require authentication with OAuth 2 or a custom header. For details, see the Create Phone Delivery Settings (custom, OAUTH2) example, the Create Phone Delivery Settings (custom, custom header) example, the Email delivery settings data model under Email Delivery Settings, and the Custom provider phone delivery settings properties (excluding Twilio and Syniverse) table under Phone Delivery Settings.
August
August 27
Support for Scrypt password encoding (RFC 7914)
New PingOne
We’ve added support for RFC 7914 for Scrypt password encoding. This encoding uses the new SCRYPT_RFC7914 identifier to distinguish it from the earlier encoding (still supported), which uses the SCRYPT identifier. Refer to Password encoding for more information.
August 19
Detection of compromised accounts in User-based Risk Behavior predictor
New PingOne Protect
For the User-based Risk Behavior predictor, you can now include the new field shouldDetectCompromisedAccount if you want PingOne to attempt to detect compromised user accounts and take this into account when calculating the risk level for this predictor. In cases where there are indications that the user’s account has been compromised, result.recommendedAction is returned with a value of ACCOUNT_RECOVERY. For details, refer to Risk Predictors.
August 13
PingID authentication methods in device authentication policies
New PingOne MFA
For PingOne environments where PingID accounts have been integrated, you can now include the PingID-specific authentication methods such as the PingID app in your device authentication policies. For details, refer to Device Authentication Policies and the Update Device Authentication Policy (env with PingID integration) example.
August 10
Configurable passcode grace period for mobile applications
New PingOne
For mobile applications, a new parameter called passcodeGracePeriod has been added to allow you to customize the grace period during which the passcode can still be used even after the passcode has been refreshed. For details, refer to the Applications OIDC settings data model.
July
July 27
Email provider fallback for PingOne notifications
Improved PingOne
For PingOne email notifications, you can now use the new emailProviderFallbackChain field to switch back to using the Ping server without losing the settings for the custom server/provider that you defined. For details, refer to Notifications settings.
July 23
Visibility control for form fields
New PingOne
The platform now supports a Forms component setting to control the visibility of a form field. For more information, refer to FormField data model.
July 14
Access multiple custom resource scopes in a single OIDC request
Improved PingOne
OIDC-based applications in PingOne can now request an access token that accesses scopes from multiple custom resources in a single request. For more information, refer to Applications OIDC settings data model and Resource Scopes.
July 7
External ID support for portal link applications
New PingOne
For applications of type PORTAL_LINK_APP, you can now specify an external ID for the application. For details, refer to the description of the new externalId field in the Applications base data model.
Targeted risk policies for specific transaction types and groups
New PingOne Protect
You can now use Targeted risk policies to define risk policies for different "targets" - combinations of transaction types, user groups, and applications that are being accessed. When a risk evaluation is carried out, these targeted policies are processed in the order that you specified. PingOne Protect uses the first policy whose conditions (transaction type, user group, application) are met. For details, refer to Targeted risk policies under Risk Policies, the Create Risk Policy Set - Targeted Policy with Mitigations example, and the Create Risk Evaluation (using targeted risk policies) example.
Risk policy mitigations for recommended actions
New PingOne Protect
You can now include mitigations in your risk policies. In this context, a mitigation is an action that you recommend if a given condition is met, for example, deny access if the email reputation predictor indicates high risk. In situations where the condition is met, the action that you recommended be taken is returned in the risk evaluation response as the value of the result.mitigations[].action field. For details, refer to Using mitigations in your policies and Risk policies data model under Risk Policies, and the Create Risk Policy Set - Targeted Policy with Mitigations example.
July 2
New Help Desk Admin role for MFA and password management
New PingOne
We’ve added a new role, Help Desk Admin, to manage user MFA methods and devices, and reset passwords to resolve any account lockouts. Refer to Built-in Admin Roles and PingOne Role Permissions for more information.
June
June 30
Support for Singapore (SG) region
New PingOne
The platform now supports the SG (Singapore) region. For details, refer to Working with PingOne APIs.
June 25
OIDC session management with opSessionCheckEnabled
New PingOne
Added the opSessionCheckEnabled application property to support OIDC session management. For more information, see OIDC Session Management and the Applications OIDC settings data model.
June 24
Czech language support for translations
New PingOne
We now support the Czech language for language translations. Refer to Language Translations for more information.
June 17
Send notifications via Twilio Verify
New PingOne
It is now possible to send PingOne notifications via Twilio Verify, and you can use any Verify templates that you have defined. For details, refer to Phone Delivery Settings, the Content Properties table under Notifications Templates, and the following Postman examples: Create Phone Delivery Settings (Twilio Verify), Read One Phone Delivery Settings (include Verify templates), and Create SMS Content (including Twilio Verify template).
June 3
Multiple self-identifiers for SAML applications
New PingOne
We’ve added the virtualServerSettings properties for SAML applications, enabling you to use multiple self-identifiers when connecting to the same SAML application. Refer to Applications SAML settings data model for details.
May
May 27
Specify logout type for OIDC and SAML applications
New PingOne
We’ve added the logoutType property, enabling you to specify either OIDC_RP_INITIATED or SAML2_SLO when logging out of applications of type PING_ONE_SELF_SERVICE or PING_ONE_PORTAL (Application Portal). Refer to the OIDC data model settings for PING_ONE_SELF_SERVICE and PING_ONE_PORTAL for details.
May 13
Enterprise attestation for FIDO policies
New PingOne MFA
When creating a FIDO policy, you can now specify that it requires enterprise attestation to verify that the authenticator being used was provided by the organization. For details, refer to the Create FIDO Policy - FIDO-certified and enterprise example and the FIDO policies data model.
Environment and organization names in FIDO passkey popups
New PingOne MFA
When creating a FIDO policy, you can use the new userDisplayNameAttributes.suffix field to include the PingOne environment name and/or the PingOne organization name in the popup window that is displayed when a user adds a passkey as an authentication method. For details, refer to the FIDO policies data model.
May 11
OATH tokens available for all PingOne MFA environments
New PingOne MFA
The use of OATH tokens as an authentication method, which was introduced a number of months ago for environments where PingID accounts were integrated, is now available for all PingOne environments that include the PingOne MFA or PingID services. You can use the oathTokens endpoint to add OATH tokens to the environment and carry out actions such as revoking or resyncing tokens. For details, refer to OATH tokens and the Create MFA User Device (OATH token) example.
April
April 30
Soft-delete protection for Production environments
New PingOne
You can now soft-delete PingOne PRODUCTION environments, making the environment non-operational for a waiting period before it can be deleted. This is to help protect you from inadvertently deleting a Production environment. Refer to Environments and Deleting Environments for more information.
Deprecation of TEXTBLOB form field type
Info PingOne
The TEXTBLOB form field type (fieldTypes property) has been deprecated. Refer to Forms for more information.
April 29
New Getting Started guide for Platform APIs
New PingOne
We’ve published a new Getting Started guide for the PingOne Platform APIs, and removed the existing Tutorial guide (the Getting Started guide now covers this information). Refer to Getting Started.
April 28
Notification waiting periods and lockout configurations
New PingOne
In your notification policies, you can now define waiting periods before users can request another notification such as another OTP, as well as a maximum number of such requests before the user is temporarily locked out. Refer to the new cooldownConfiguration object in Notification Policies and the Create Notification Policy / Environment example.
WhatsApp support in MFA policies
New PingOne MFA
Your MFA policies can now include WhatsApp as an authentication method. For details, refer to Instant Messaging Delivery Settings, the Offline device (SMS, voice, email, WhatsApp) authentication policy data model in Device Authentication Policies, and the Create WhatsApp Content example.
April 22
May 6, 2024
The platform now supports the AU (Australia/Asia Pacific) region. The platform continues to support the AP (Asia Pacific) region. However, if your environments use the AP geography designation (api.pingone.asia domain) for Asia-Pacific countries, be aware that this geography does not support the migration of PingID customers (or the PingID product) to the PingOne platform. To get PingID platform support for your Asia-Pacific environments, use the AU geography designation (api.pingone.com.au domain) when creating your new environments. For details, refer to Working with PingOne APIs.
Support for x5t signature header in signed JWTs
New PingOne
The platform now supports the x5t signature header in the signed JWT. Refer to Applications OIDC settings data model.
DaVinci flow execution options via authorize endpoint
New PingOne
The platform now supports configuration options for DaVinci flow execution using the PingOne authorize endpoint in which the response returns JSON. Refer to DaVinci Flow Executions.
April 21
DaVinci Admin API support through PingOne API resource server
New PingOne
The platform now supports DaVinci Admin API operations through the PingOne API resource server to manage DaVinci workflow configuration. Refer to DaVinci Admin APIs for links to all available services.
April 7
Early Access Features APIs for previewing PingOne features
New PingOne
We’ve added Early Access Features APIs enabling you to adopt and provide feedback on PingOne features before the General Availability release. Refer to Early Access Features for more information.
April 2
Number matching for mobile push authentication
New PingOne MFA
You can now specify that a mobile push requires the user to match a number that they were shown when requesting access. To enable the option for an application, use the new push.numberMatching.enabled property in your MFA policy. Refer to Device Authentication Policies. To control how the user performs the matching - selection from a group of three numbers or manually entering the number - use the push.numberMatching.type property when configuring the mobile settings for the application. Refer to Application Operations.
Cancel ongoing authentication processes
New PingOne MFA
You can now cancel an authentication process that has already begun. This can be used in situations where a user decides they want to use a different authentication device. For details, refer to the Cancel Device Authentication and Cancel Authentication Flow examples.
March
March 25
AAGUID metadata for activated FIDO2 devices
Improved PingOne MFA
When using the devices endpoint to request details of a single MFA device or all MFA devices, responses for activated FIDO2 devices can now include the AAGUID for the type of authenticator. For details, refer to the new fidoDeviceMetadata object in MFA devices.
March 18
Failure limits and block durations for FIDO2 authentication
New PingOne MFA
When configuring an MFA policy, you can now specify for FIDO2 devices the maximum number of times authentication can fail before the user is blocked temporarily, and how long the user should be blocked. Refer to the new fido2.failure object in Device Authentication Policies.
March 10
MFA device ID claim added to ID tokens
New PingOne
ID tokens now include a new claim called p1.mfa_device_id, the ID of the device that was used to authenticate. Refer to ID Token claims.
March 4
PingID Device Trust predictor for workforce risk evaluations
New PingOne Protect
For workforce contexts, risk evaluations can now include the new PingID Device Trust predictor. For details, refer to Risk Predictors and the Create Risk Evaluation (includes device trust predictor) example.
February
February 25
Accept-Language header support for notification content selection
Improved PingOne
When determining the language to use for a notification, PingOne now also takes into consideration the Accept-Language header in the request. For details, refer to Runtime logic for content selection in Notifications Templates.
Associate specific notification policies with MFA policies
New PingOne MFA
When creating or updating an MFA policy, you can now specify the notification policy that should be used with the MFA policy by using the new notificationsPolicy.id field. Refer to Device Authentication Policies and the Create Device Authentication Policy example.
February 24
Remember Me option for MFA policies
New PingOne MFA
In MFA policies, you can now include a "remember me" option so that users do not have to authenticate when accessing applications from a device they have used before. Refer to the new rememberMe object in Device Authentication Policies and the implementation instructions in Remembered Devices.
February 18
Default environment theme for populations
Improved PingOne
When creating or updating a population, if you do not specify a theme.id value in your request, the default theme for the current environment is used. Refer to Create Population and Update Population.
February 12
Attribute mapping from authentication JWTs to PingOne tokens
New PingOne
The platform supports token fulfillment in PingOne, enabling admins to map attributes from a source’s authentication JWT to the PingOne generated token to improve interoperability with OIDC applications. Refer to Use an authentication JWT for token fulfillment.
February 5
Multiple custom providers and location-based preference for SMS/voice
New PingOne
You can now define multiple custom providers to use for SMS / voice notifications. In environments with more than one custom provider, you can specify in your notification policies the order of provider preference to use in different geographical locations. For details, refer to the new providerConfiguration object in Notification Policies.
January
January 28
Terminate user sessions using ID tokens for IdP signoff
New PingOne
We’ve added the ability for an OIDC application to request to terminate a user session from the IdP associated with the user using only the ID token. Refer to GET IdP Signoff for details.
January 21
LinkedIn OIDC identity provider type and deprecation of legacy LinkedIn type
New PingOne
The platform now supports the LINKEDIN_OIDC identity provider type to specify LinkedIn as an external identity provider. The LINKEDIN type is deprecated and will be removed from the platform in February, 2026. For details, refer to Create Identity Provider (LinkedIn OIDC).
January 13
Enhanced biographic data matching with Babel Street Rosette in PingOne Verify
New PingOne Verify
PingOne Verify added an additional provider, Babel Street Rosette, to enhance matching of biographic data on submitted documents to corresponding data on verified records. A new request, Verify Identity Record Matching, provides access to this provider outside the context of a verify transaction. This new request requires a specific license entitlement.
January 9
Temporary MFA bypass for specific users
New PingOne MFA
You can now define a period during which a specific user should be allowed to bypass MFA. Refer to Allow MFA Bypass for User.
EAP-MSCHAP v2 support and Blast RADIUS mitigation for RADIUS gateways
New PingOne
For RADIUS gateways, support has been added for the EAP-MSCHAP v2 protocol. Also, to help block Blast RADIUS attacks, a new object called blastRadiusMitigation has been added. Refer to Gateway Management.
Public key credential hints in FIDO policies
New PingOne MFA
When defining FIDO policies, you can now include the new publicKeyCredentialHints array to provide public key credential hints to the browser in order to give priority to the authentication method that the user is most likely to use. For details, refer to FIDO Policies.
January 7
Manage OATH tokens in PingID-integrated environments
New PingOne MFA
For PingOne environments where PingID accounts have been integrated, you can use the new oathTokens endpoint to add OATH tokens to the environment and carry out actions such as revoking or resyncing tokens. For details, refer to OATH tokens and the Create MFA User Device (OATH token) example.