May 2025 Newsletter

SDK News Corner

This month’s SDK updates include several improvements to multi-factor authentication (MFA) workflows. These changes simplify how MFA is enabled, audited, and customized within your extensions.

Unified MFA Handling

The mfa_validation_required decorator now supports both client-rendered and server-rendered extensions, streamlining the process for enabling MFA in SDK extensions. Whether you’re using Secure Access Codes, token-based MFA, or external providers, this decorator makes it easy to integrate MFA with a single line of code:

from q2_sdk.core.http_handlers.tecton_server_handler import Q2TectonServerRequestHandler, mfa_validation_required

class AuthorizedUserHandler(Q2TectonServerRequestHandler):

    @mfa_validation_required()
    async def submit(self):
        """
        This route is only called once the MFA workflow is complete.
       """

Audit Action Support

You can include the audit_action_name parameter when using the MFA decorator. This facilitates integrations with Q2 Patrol and allows for audit events to be automatically generated whenever the decorated extension methods are invoked:

@mfa_validation_required(audit_action_name="CustomAuditAction")
async def submit(self):
    ...

Context-Rich External MFA Workflows

External MFA extensions now expose a self.mfa_info object, giving you detailed information about the current MFA context. This includes:

• The type of workflow (e.g., login, transaction authentication)
• A transaction ID, when applicable
• Additional metadata relevant to the flow

Other Updates

• MFA database operations are now available in all environments—not just dev_only.
• We also enhanced q2_request tracking and fixed several issues around extension creation, dependency handling, and Tornado compatibility. For the full list of changes, check out the SDK changelog.

Mobile SDK News

Migrating to Swift Package Manager

We have migrated our native modules from CocoaPods to Swift Package Manager (SPM) with our 25.5.0 release of the Q2Mobility iOS app, which was released on 05/14/25. This transition will streamline dependency management, improve build performance, and enhance code maintainability. We may have already contacted you with questions regarding support of SPM within your module, but going forward all native mSDK modules should support SPM.

Portal News

Certificate Signing Update

For Caliper API and many other Q2 APIs, the JWT signing is done through q2developer.com. This signing is managed through a list of certificates that we maintain where any new cert is automatically issued and valid for two months. The recent update introduces a delay where newly created certificates are not considered valid until 2 hours after being created.

What does this solve? Previously, there was an edge case involving a race condition. One of our servers would retrieve the latest certificate and use it to sign a token. However, when the API attempted to validate that token, it might hit a different server that hadn’t yet pulled the new certificate. As a result, the token would be rejected as unauthorized. A classic race condition. By delaying the certificate's validity by 2 hours, we now we ensure that all servers have sufficient time to synchronize and retrieve the new certificate. This prevents premature signing and ensures that validation can occur reliably across all servers.

Tecton News

Enhanced Form Element Experience:

The Input component has been refined so that "optional" and "readonly" labels no longer affect the component's total height, ensuring predictable layout behavior. Additionally, we've updated the Checkbox toggle variant with a new, modern style, providing users a refreshing experience when interacting with checkbox toggles.

Component Library Updates:

Several components have gained new features to support more diverse use cases. The Tag component now includes a decorator slot that accepts a Badge or Icon element for enhanced visual communication. The Icon has an updated default stroke width, and the Badge component has been expanded to display strings, numbers, or an empty bubble state to be more versatile across different UI implementations. The Action Group component now supports the "Coin" variant of the Button component, and the Donut Chart legend now allows modifying the button height for better customization. We also improved keyboard navigation consistency in the Select component, ensuring tab keydown behavior works reliably across different implementations.

Developer Experience Improvements:

The Select component's "Live Example" on the documentation site now demonstrates best practices using the Item component as robust content inside the Select component. The Tecton CLI tool integrated into the SDK now supports adding config-level overpanel display options, streamlining the development workflow for overpanel modules, and our documentation has been updated to provide clearer guidance on utilizing the Tecton cache capabilities.

Latest Releases

Caliper SDK (Python) v2.269.0 - CHANGELOG

Tecton SDK (Javascript) v1.55.0 - CHANGELOG

Marketplace (Python) v0.8.9 - CHANGELOG

Caliper API (Python) v1.44.1 – CHANGELOG