hashicorp · hashibot-web · May 27, 2025
@@ -11,13 +11,26 @@ source: terraform-docs-common
 
 Keep track of changes to the API for HCP Terraform and Terraform Enterprise.
 
+## 2025-05-1
+
+-   Add `agent-pool` relationship to the [run task API](/terraform/enterprise/api-docs/run-tasks/run-tasks), which you can use to assign a run task to an agent pool.
+-   Add `private-run-tasks` to [feature entitlements](/terraform/enterprise/api-docs#feature-entitlements).
+    <!-- BEGIN: TFC:only name:revoke -->
+-   You can now revoke, and revert the revocation of, module versions. Learn more about [Managing module versions](/terraform/enterprise/api-docs/private-registry/manage-module-versions).
+    <!-- END: TFC:only name:revoke -->
+
+## 2025-03-20
+
+-   Add API documentation for multiple [team tokens](/terraform/enterprise/api-docs/api-tokens), and update documentation around [legacy team tokens](/terraform/enterprise/api-docs/team-tokens##legacy-team-tokens-api-reference).
+-   Update existing API documentation for [team tokens](/terraform/enterprise/api-docs/team-tokens) to distinguish multiple team tokens from [legacy team tokens](/terraform/enterprise/api-docs/team-tokens##legacy-team-tokens-api-reference).
+
 ## 2025-3-10
 
 -   Document unique pagination metadata given in the response of [Organization Runs Index API](/terraform/enterprise/api-docs/run##list-runs-in-an-organization).
 
 ## 2025-03-10
 
--   Add new field `current_rum_count` to the [explorer API](/terraform/enterprise/api-docs/explorer) in the `workspaces` view type that lists a workspace's current resources under management. 
+-   Add new field `current_rum_count` to the [explorer API](/terraform/enterprise/api-docs/explorer) in the `workspaces` view type that lists a workspace's current resources under management.
 
 ## 2024-11-19
 

@@ -61,7 +61,7 @@ You can use the following types of tokens to authenticate:
 
 ### Blob Storage Authentication
 
-HCP Terraform relies on a HashiCorp-developed blob storage service for storing statefiles and multiple other pieces of customer data, all of which are documented on our [data security page](/terraform/enterprise/architectural-details/data-security).
+HCP Terraform relies on a HashiCorp-developed blob storage service for storing statefiles and multiple other pieces of customer data, all of which are documented on our [data security page](/terraform/cloud-docs/architectural-details/data-security).
 
 Unlike the HCP Terraform API, this service does not require that a bearer token be submitted with each request. Instead, each URL includes a securely generated secret and is only valid for 25 hours.
 
@@ -90,10 +90,14 @@ The following entitlements are available:
 -   `cost-estimation` — Allows an organization to access [cost estimation][].
 -   `global-run-tasks` — Allows an organization to apply [run tasks](/terraform/enterprise/workspaces/settings/run-tasks) to every workspace. Affects the [run tasks][] endpoints. This feature is currently in beta.
 -   `module-tests-generation` - Allows an organization to generate tests for private registry modules. This feature is currently in beta.
+-   `module-deprecations` - Allows an organization to mark a module version from the Private Registry as deprecated.
+-   `module-revocations` - Allows an organization to mark a deprecated module version from the Private Registry as revoked.
 -   `operations` — Allows an organization to perform runs within HCP Terraform. Affects the [runs][], [plans][], and [applies][] endpoints.
 -   `policy-enforcement` — Allows an organization to use [Sentinel][]. Affects the [policies][], [policy sets][], and [policy checks][] endpoints.
 -   `private-module-registry` — Allows an organization to publish and use modules with the [private module registry][]. Affects the [registry modules][] endpoints.
 -   `private-policy-agents` - Allows an organization to ensure that HTTP enabled [Sentinel][] and OPA [policies][] can communicate with isolated, private, or on-premises infrastructure.
+-   `private-run-tasks` - Allows an organization to ensure that [run tasks](/terraform/enterprise/workspaces/settings/run-tasks) can communicate with isolated, private, or on-premises infrastructure.
+-   `private-vcs` - Allows a self-hosted HCP Terraform agent to [connect to a private VCS provider](/terraform/enterprise/vcs/private) without having to expose that provider to the public internet.
 -   `run-tasks` — Allows an organization to use [run tasks](/terraform/enterprise/workspaces/settings/run-tasks). Affects the [run tasks][] endpoints.
 -   `self-serve-billing` — Allows an organization to pay via credit card using the in-app billing UI.
 -   `sentinel` -  **DEPRECATED** Use `policy-enforcement` instead.
@@ -336,9 +340,9 @@ $ curl \
 
 ## Rate Limiting
 
-You can make up to 30 requests per second to the API as an authenticated or unauthenticated request. If you reach the rate limit then your access will be throttled and an error response will be returned. Some endpoints have lower rate limits to prevent abuse, including endpoints that poll Terraform for a list of runs and endpoints related to user authentication. The adjusted limits are unnoticeable under normal use. If you receive a rate-limited response, the limit is reflected in the `x-ratelimit-limit` header once triggered.
+You can make up to 30 requests per second to most API endpoints as an authenticated or unauthenticated request. If you reach the rate limit then your access will be throttled and an error response will be returned. 
 
-Authenticated requests are allocated to the user associated with the authentication token. This means that a user with multiple tokens will still be limited to 30 requests per second, additional tokens will not allow you to increase the requests per second permitted.
+Requests are per user, not per token. As a result, you cannot use multiple tokens to make more than 30 requests per second.
 
 Unauthenticated requests are associated with the requesting IP address.
 
@@ -358,6 +362,24 @@ Unauthenticated requests are associated with the requesting IP address.
 }
 ```
 
+### Lower rate limits for some endoints
+
+To prevent abuse, some endpoints have lower rate limits. The lower limits are unnoticeable under normal use. If you trigger a rate-limited response, you can see that limit in the `x-ratelimit-limit` header.
+
+The following endpoints have lower rate limits:
+
+| Method and endpoint                                                                                                                                                                                                         | Purpose          | Limit                               |
+| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | ----------------------------------- |
+| <p>`POST /session/two-factor-send-sms`</p><p>`POST /api/v2/account/actions/two-factor-enable`</p><p>`POST /api/v2/account/actions/two-factor-resend-verification-code`</p>                                                  | Send SMS message | 5 requests per minute per user      |
+| <p>`POST /api/v2/account/actions/two-factor-enable`</p><p>`POST /api/v2/account/actions/two-factor-resend-verification-code`</p>                                                                                            | Send SMS message | 10 requests per hour per user       |
+| <p>`POST /api/v2/account/actions/two-factor-enable`</p><p>`POST /api/v2/account/actions/two-factor-resend-verification-code`</p>                                                                                            | Send SMS message | 100 requests per day per IP address |
+| <p>`POST /session/two-factor`</p><p>`POST /session/two-factor-recovery`</p>                                                                                                                                                 | Submit 2FA code  | 5 requests per minute per user      |
+| <p>`POST` and `PATCH /api/v2/account/create`</p><p>`POST` and `PATCH /api/v2/account/update`</p><p>`POST` and `PATCH /api/v2/account/password`</p><p>`POST` and `PATCH /api/v2/account/reconfirm`</p><p>`POST /session`</p> | Send emails      | 100 per minute                      |
+| <p>`POST` and `GET /sso/link-new-account`</p><p>`POST` and `GET /sso/link-account`</p><p>`POST` and `GET /sso/link-existing-account`</p><p>`POST /sso/saml/{SAML_CONFIGURATION_EXTERNAL_ID}/acs`</p>                        | Send emails      | 20 per minute                       |
+| <p>`POST /api/v2/notification-configurations/{EXTERNAL_ID}/actions/verify`</p><p>`DELETE /api/v2/oauth-tokens`</p>                                                                                                          | Send emails      | 10 per minute                       |
+| <p>`POST /account/reconfirm`</p>                                                                                                                                                                                            | Send emails      | 40 per hour                         |
+| <p>`POST /auth`</p>                                                                                                                                                                                                         | Send emails      | 40 per hour per email address       |
+
 ## Client libraries and tools
 
 HashiCorp maintains [go-tfe](https://github.com/hashicorp/go-tfe), a Go client for HCP Terraform's API.

@@ -813,6 +813,7 @@ curl \
       "policy-set-limit": 1,
       "private-module-registry": true,
       "private-policy-agents": false,
+      "private-run-tasks": true,
       "private-vcs": false,
       "run-task-limit": 1,
       "run-task-mandatory-enforcement-limit": 1,