On May 11, we found that ReadMe API tokens were embedded in project login pages. After diagnosing the underlying issue, we released a fix later that day. On May 24, a security researcher noticed the login pages' content had been cached on the Internet Archive and was able to find the exposed tokens and verify that they were still valid. We opened a follow-on incident immediately and began triage and mitigation work. We chose to invalidate and rotate all ReadMe tokens (API keys) as soon as possible, which was performed on May 31.

Please know that we are taking this incident very seriously. Your trust in ReadMe means everything to us, and our support team is available to help answer any questions you have regarding this incident or the resulting token rotation.

Impact

The initial leak was caused by a misapplication of a piece of our middleware stack intended to cull sensitive information (including these tokens) from our response data. This bug was introduced in November when we refactored the login page for ReadMe hubs, and affected all public projects while it was live.

Further exacerbating the issue, some of these pages were cached by web crawlers such as the Internet Archive, limiting our ability to control the leak, a factor in our decision to rotate all tokens. While we have not found any evidence of malicious activity to date, a bad actor could surface a token from a web crawler's cache and use it to access and manipulate a project to their own ends.

Response

We have released multiple fixes and improvements to reinforce the security of these tokens on our platform. After assessing the potential impact of these incidents, we concluded that the best path forward was to revoke and replace all ReadMe tokens that existed during the period that the application was vulnerable. For help updating API keys where they're being used on your end, we've put together a few FAQs here.

While we're aware of the inconvenience — and are deeply sorry for any frustration we've caused — we determined it was a necessary step to avoid exposure of our users’ data. Again, our support team is available to help answer any questions, and we greatly appreciate your understanding as we work to address this incident.

What we’ve done to mitigate this issue:

  • Patched our safelisting middleware logic to stem the underlying leak.
  • Revoked all tokens generated prior to the underlying fix.
  • Disallowed web crawlers on all administrative pages.
  • Refactored our token management system to add prefixing and “last-used” tracking.
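The safelisting approach the middleware fix above relies on, as an added JavaScript example that is not ReadMe's code: the public schema, field names and sample document are assumed, and the token values are placeholders. Everything not explicitly allowed is dropped before the data reaches the page, and a key-name tripwire turns a misapplied safelist into a failed render rather than a leak.

```javascript
// Added example (not ReadMe's own code): safelist projection of a server-side
// project document before it is embedded in a public page such as a hub login
// page. Unlisted fields (API tokens included) are dropped by default.

// Hypothetical public schema: `true` allows a scalar, an object recurses.
const PUBLIC_PROJECT_FIELDS = {
  name: true,
  subdomain: true,
  branding: { logo: true, primaryColor: true },
};

// Copy only the allowed keys; arrays are projected element-wise.
function projectPublicFields(value, schema) {
  if (Array.isArray(value)) return value.map((v) => projectPublicFields(v, schema));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, rule] of Object.entries(schema)) {
    if (!Object.prototype.hasOwnProperty.call(value, key)) continue;
    out[key] = rule === true ? value[key] : projectPublicFields(value[key], rule);
  }
  return out;
}

// Defence in depth: report key paths whose names look secret-bearing, so a
// safelist applied to the wrong object fails loudly instead of shipping a token.
const SENSITIVE_KEY = /(api[-_]?key|token|secret|password)/i;
function findSensitiveKeys(value, path = '') {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findSensitiveKeys(v, `${path}[${i}]`));
  }
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([key, v]) => {
    const here = path ? `${path}.${key}` : key;
    return (SENSITIVE_KEY.test(key) ? [here] : []).concat(findSensitiveKeys(v, here));
  });
}

// What a render handler does before serialising data into the page.
function publicLoginPageData(projectDoc) {
  const safe = projectPublicFields(projectDoc, PUBLIC_PROJECT_FIELDS);
  const leaks = findSensitiveKeys(safe);
  if (leaks.length) throw new Error(`refusing to render, sensitive keys: ${leaks}`);
  return safe;
}

// Constructed sample document; the token values are placeholders.
const SAMPLE_PROJECT = {
  name: 'Demo Docs',
  subdomain: 'demo',
  apiKey: 'PLACEHOLDER_PROJECT_TOKEN',
  branding: { logo: 'logo.png', primaryColor: '#1a73e8' },
  members: [{ email: 'owner@example.com', token: 'PLACEHOLDER_USER_TOKEN' }],
};

console.log(JSON.stringify(publicLoginPageData(SAMPLE_PROJECT)));
```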

How we plan to prevent similar incidents in the future:

  • Enhancements to our security scanning infrastructure.
  • Improved source tracking for ReadMe audit logs.
  • Increased investment in security resources.
  • Additional token scopes + permissioning options.
  • Joining GitHub’s security scanning project.

Hello and happy Gemini season y'all! This week we're shipping an owl fact, tweaking some margins, and fixing a whole lot of bugs. Details below! ♊

✨ New & Improved

  • The beta rollout of our new editor is currently underway! I’m actually using it as we speak to write this and I can attest to it being the absolute bee's knees. If you want to get access to it (and sign up for any of our other upcoming betas 👀), fill out this form! ✍️
  • We’re in the process of rolling out our new Enterprise Authentication experience! This release includes more work on that front. Get the details on everything here! 🔑
  • Made some improvements to the spacing in the headers and footers in the hub. 👽
  • A new owl fact! 🦉

🛠 Fixes & Updates

  • In certain rare instances, clicking the “Try It!” button in the API Reference would not actually… you know… try it. This release includes a fix on that front! 🌱
  • A small subset of project administrators were unable to view certain metrics in the project dashboard—this release restores their access. 📊
  • We noticed an issue where discussion forum posts were occasionally missing from the list—this release brings them back. 👻
  • Fixed some content loading issues for certain enterprise project configurations. ⏳
  • Addressed some configuration issues with the Intercom integration. 💬
  • Fixed some occasional crashing issues in the API Reference. 💥
  • Fixed a few quirks with R code snippets. 🏴‍☠️

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert:

📘

What is the Owlet Weekly Update?

Thanks for tuning in to another edition of our Owlet Weekly Update—an owlet-sized update (posted every week to the ReadMe Changelog) on the product updates we're shipping here at ReadMe. We'd love to hear what you think of these updates at [email protected]!

Hello and welcome to another weekly update! This week's release is light but filled with lots of little wins—more below! 💡

✨ New & Improved

  • This release backfills support for the $ref field in Path Item Objects—something we originally thought we had support for but didn’t but definitely do now. 🔙
  • Small behind-the-scenes changes to make front-end bundles in the hubs a li'l lighter. 🌥

🛠 Fixes & Updates

  • Some styling tweaks for footer banners in the hubs. 🐾
  • Various routing and links fixes. 🔗

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert:

Hello and welcome to another weekly update y'all! This week marks the official kickoff of an exciting new beta release, so lots of work was done on that front. Details below! 🏈

✨ New & Improved

  • Y’all! It’s finally happening... we’ve officially kicked off the beta rollout of our new editor! I’m actually using it as we speak and I can attest to it being the absolute bee's knees. If you want to get access to it (and sign up for any of our other upcoming betas 👀), fill out this form! ✍️
  • This release includes a small but mighty improvement to our search indexing logic so it ranks results based on the result type (i.e. Guides, Reference, Discussion Post, etc.). 🔍
  • We’re in the process of rolling out our new Enterprise Authentication experience! This release includes more work on that front. Get the details on everything here! 🔑

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert:

It's May, y'all! Spring cleaning is underway with our code snippets, Enterprise-specific features, and more. More below! 🧹

✨ New & Improved

  • Our new editor is right around the corner, y’all! This release includes even more work on that front. You can get a sneak peek in our discussion forums—if you want to be a part of our beta, drop us a line! ✍️
  • We’re in the process of rolling out our new Enterprise Authentication experience! This release includes more work on that front. Get the details on everything here! 🔑
  • Updated the color of the default response type in the API Reference to adequately reflect its neutral nature: a grey-ish white. ⚪

🛠 Fixes & Updates

  • Fixed an issue in the API Reference where raw body content would be double-encoded (you may have seen this come through the pipeline last week, but this time it’s for JSON-like bodies). 🍣
  • Tweaked our Axios (browser) code samples in the API Reference so they now properly package x-www-form-urlencoded request payloads. 📦
  • Fixed an issue where Enterprise Staging logs weren’t displaying properly. 🪵

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert:

Hello and happy last week of April, y'all! We're shipping lots of little improvements to the API Reference and continuing work on upcoming features. More below! ☔️

✨ New & Improved

  • Our new editor is right around the corner, y’all! This release includes even more work on that front. You can get a sneak peek in our discussion forums—if you want to be a part of our beta, drop us a line! ✍️
  • We’re in the process of rolling out our new Enterprise Authentication experience! This release includes more work on that front. Get the details on everything here! 🔑
  • If you have enums defined for response object definitions in the API Reference, we now display all the possible enum values in the response modal. 📚
  • This release backfills support for the allowReserved option in parameter definitions in the API Reference. 🤬
  • This release improves our support for the deepObject style option so that nested objects are supported in the API Reference. 🪆
  • When viewing HTTPie code samples in the API Reference, you’ll now see an installation step! 🥧

🛠 Fixes & Updates

  • Fixed an issue in the API Reference where raw body content would be double-encoded. 🔀
  • Fixed some casing issues with Accept header definitions in the API Reference. 💼
  • Fixed some width issues with the Glossary tooltip. 🤌
  • Some UI fixes in the dashboard. 💅

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert:

Hello and welcome to another weekly update, y'all! This week we're adding onto our Search API and making lots of enhancements and fixes to our API Reference. More below! 🕵️

✨ New & Improved

  • Our new editor is right around the corner, y’all! This release includes even more work on that front. You can get a sneak peek in our discussion forums—if you want to be a part of our beta, drop us a line! ✍️
  • When using "Try It!" with GET endpoints in the API reference, you previously may have seen a response that's been cached in your browser, even if the response code appears to indicate otherwise. With the caching changes in this release, users will always see the freshest response from the server, along with the correct status code. ⛲
  • This release includes various improvements to our Python code snippets in the API Reference! HTTP accessors are more readable and file uploads look much cleaner. 🐍
  • We’ve added Recipes to the results returned from our Search docs endpoint. 🔍

🛠 Fixes & Updates

  • Fixed an issue where endpoint pages in the API reference whose response objects were missing Schema objects would crash. 💥
  • Fixed an issue in the API reference where the base URL in your API log would sometimes be prefixed with https://try.readme.io/. Whoops. 🔗
  • This release fixes an issue where long JSON responses would occasionally get cut off and show up on a single line. 🤥
  • Fixed an issue affecting a small chunk of Enterprise projects where certain search result links were broken. 🔎
  • Fixed various UI issues in the dashboard and the API reference. 🖌️

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert:

Hello and happy Triple Aries szn, y'all! We're continuing work on our editor (with its beta right around the corner!), making big updates to our reference preview site, and fixing a whole bevy of bugs. More below! ♈

✨ New & Improved

  • We’ve made some quality-of-life improvements to our reference preview site! We added dozens of example OpenAPI definitions that you can preview in our API Reference section. You can also load in your own OpenAPI definitions as well! 🍿
  • We’re in the process of rolling out our new Enterprise Authentication experience! This release includes more work on that front. Get the details on everything here! 🔑
  • This release includes even more improvements to our soon-to-be-released editor, which you can get a sneak peek of in our discussion forums! ✍️

🛠 Fixes & Updates

  • We’ve got good news for users of APIs using Basic Authentication—we fixed an issue that was dropping your credentials as you navigated around the docs. 🍪
  • Fixed some crashing issues affecting API Reference pages that contained certain kinds of array/object parameters. 💥
  • Fixed an issue where certain Operation IDs were causing links to break on subsequent re-syncs. 🔗
  • Fixed some readability issues affecting the search modal on certain projects. 🔍

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert:

Hello and welcome to another Owlet Weekly Update, y'all! This week we're making some improvements to our JSON Schema handling, fixing a few bugs, and continuing work on some exciting projects. Details below! 🍌

✨ New & Improved

  • Per the OpenAPI v3.1 specification, including summary or description values alongside a $ref pointer should override those respective values of the referenced component. This release includes an update to our JSON Schema handling in the API Reference so we respect that override! 🎡
  • We’re in the process of rolling out our new Enterprise Authentication experience! This release includes more work on that front. Get the details on everything here! 🔑
  • This release includes even more improvements to our soon-to-be-released editor, which you can get a sneak peek of in our discussion forums! ✍️

🛠 Fixes & Updates

  • Fixed an issue where malformed operationId values would cause certain API reference endpoint pages to crash. 💥
  • Various styling fixes in the API Reference. 💅
  • Minor security fixes. 🔐

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert:

Happy April Fools Day y'all! We're celebrating by unironically doing a huge launch. Details below! 🤡

We've been rolling out a redesigned docs experience for some time now—check out this page for the details!

The legacy docs style is now deprecated and is not receiving any bug fixes. All changes below are only applicable to the new docs experience (unless otherwise noted). We'll communicate a sunset timeline to any remaining legacy customers soon.

✨ New & Improved

  • We spent the last few months completely redesigning our homepage from the ground up and decided to unironically launch it today (April 1st)! While April Fools Day is a questionable day to announce big website redesigns, we were too excited to wait until Monday. Be sure to check out the new digs! 🏡
  • We’re in the process of rolling out our new Enterprise Authentication experience! This release includes more work on that front. Get the details on everything here! 🔑
  • This release includes even more improvements to our soon-to-be-released editor, which you can get a sneak peek of in our discussion forums! ✍️

🛠 Fixes & Updates

  • Fixed an issue in the API Reference where clicking between API logs would drop your Authorization header at some point in the process. 🗝️
  • Turns out, our PUT /api-specification endpoint wasn’t properly surfacing certain validation errors, so this release fixes that. 🚧
  • This release fixes an issue for Safari users where clicking the “Try It!” button in the API Reference would periodically crash. 🧭
  • Various styling fixes across the board. 🎨

Hope you're staying safe and healthy! Thanks for being a part of the ReadMe community, folks.

—Kanad and the ReadMe team :owlbert: