Skip to main content


Release date

5 July 2021



  • Ensure the SAML provider base URL is derived correctly when the login endpoint is specified in the metadata, not an environment variable
  • Correctly record which SAML provider was used to log in when multiple SAML providers are configured
  • Ensure api token values are not show in debug logging

Migration notes

  • If not already set, the PACTFLOW_BASE_URL should be set to mitigate cache poisoning vulnerabilities.

  • The PACTFLOW_MASTER_SECRETS_ENCRYPTION_KEY environment variable has been renamed to PACTFLOW_MASTER_ENCRYPTION_KEY. The old name will continue to work, but please update your configuration to avoid warnings. Do not change the value of this key.

  • Steps to enable API token database field level encryption:

    • Please read the relevant documentation for each of the following environment variables, and update your configuration with the appropriate values.

    • Restart the Pactflow application. The API tokens will be encrypted during start up once the PACTFLOW_API_TOKEN_ENCRYPTION_ENABLED environment variable has been set to true.

    • Verify that the API tokens have been encrypted by running the SQL:

      SELECT COUNT(*) FROM saas_api_tokens;
      SELECT COUNT(*) FROM saas_api_tokens WHERE encrypted_value IS NOT NULL;

      Both counts should be the same.

    • Verify that users still have access to the API using their existing tokens executing the following curl command, or making the same request with Postman or equivalent:

      curl -v https://{YOUR_PACTFLOW_DOMAIN} \
      -H "Authorization: Bearer {EXISTING_TOKEN_VALUE}"

      The response should be a 200 OK with a JSON body.

    • Once it has been confirmed that the now-encrypted API tokens are working correctly, please clear the unencrypted values from the database using the following SQL:

      UPDATE saas_api_tokens SET value = NULL;
    • Once API token encryption has been enabled and the unencrypted values removed, encryption cannot be disabled again.