Skip to content
Go to file
Cannot retrieve contributors at this time
575 lines (470 sloc) 38.3 KB


New Endpoints

  • Added /rooms/{roomId}/aliases for retrieving local aliases for a room. (#2562)

Backwards Compatible Changes

  • Added data structures for defining moderation policies in rooms per MSC2313. (#2434)
  • Optionally invalidate other access tokens during password modification per MSC2457. (#2523)
  • Add User-Interactive Authentication for SSO-backed homeserver per MSC2454. (#2532)
  • Add soft-logout support per MSC1466. (#2546)
  • Replaced legacy room alias handling with a more sustainable solution per MSC2432. (#2562)

Spec Clarifications

  • List available enum values for the room versions capability. (#2245)
  • Fix various spelling errors throughout the specification. (#2351, #2415, #2453, #2524, #2553, #2569)
  • Minor clarifications to token-based User-Interactive Authentication. (#2369)
  • Minor clarification for what the user directory searches. (#2381)
  • Fix key export format example to match the specification. (#2430)
  • Clarify the IV data type for encrypted files. (#2492)
  • Fix the .m.rule.contains_user_name default push rule to set the highlight tweak. (#2519)
  • Clarify that an event_id is returned when sending events. (#2525)
  • Fix some numbers in the specification to match their explanation text. (#2554)
  • Move redaction algorithm into the room version specifications. (#2563)
  • Clarify signature object structures for encryption. (#2566)
  • Clarify which events are created as part of /createRoom. (#2571)
  • Remove claims that the homeserver is exclusively responsible for profile information in membership events. (#2574)


Breaking Changes

  • Add id_access_token as a required request parameter to a few endpoints which require an id_server parameter as part of MSC2140. (#2255)

New Endpoints

  • Add POST /account/3pid/unbind for removing a 3PID from an identity server. (#2282)

Backwards Compatible Changes

  • Add M_USER_DEACTIVATED error code. (#2234)
  • Remove bind_msisdn and bind_email from /register now that the identity server's bind endpoint requires authentication. (#2279)
  • Add m.identity_server account data for tracking the user's preferred identity server. (#2281)
  • Deprecate id_server and make it optional in several places. (#2310)

Spec Clarifications

  • Add missing format fields to$m.notice schema. (#2125)
  • Remove "required" designation from the url field of certain msgtypes. (#2129)
  • Fix various typos throughout the specification. (#2131, #2136, #2148, #2215)
  • Clarify the distinction between m.key.verification.start and its variant. (#2132)
  • Fix link to Olm signing specification. (#2133)
  • Clarify the conditions for the .m.rule.room_one_to_one push rule. (#2152)
  • Clarify the encryption algorithms supported by the device of the device keys example. (#2157)
  • Clarify that /rooms/:roomId/event/:eventId returns a Matrix error. (#2204)
  • Add a missing state_key check on .m.rule.tombstone. (#2223)
  • Fix the m.room_key_request action value, setting it from cancel_request to request_cancellation. (#2247)
  • Clarify that the submit_url field is without authentication. (#2341)
  • Clarify the expected phone number format. (#2342)
  • Clarify that clients should consider not requesting URL previews in encrypted rooms. (#2343)
  • Add missing information on how filters are meant to work with /context. (#2344)
  • Clarify what the keys are for rooms in /sync. (#2345)


Breaking Changes

  • Add a new submit_url field to the responses of /requestToken which older clients will not be able to handle correctly. (#2101)


  • Remove references to presence lists. (#1817)

New Endpoints

  • GET /account_data routes. (#1873)

Backwards Compatible Changes

  • Add megolm session export format. (#1701)
  • Add support for advertising experimental features to clients. (#1786)
  • Add a generic SSO login API. (#1789)
  • Add a mechanism for servers to redirect clients to an alternative homeserver after logging in. (#1790)
  • Add room version upgrades. (#1791, #1875)
  • Support optional features by having clients query for capabilities. (#1829, #1879)
  • Add M_RESOURCE_LIMIT_EXCEEDED as an error code for when homeservers exceed limits imposed on them. (#1874)
  • Emit M_UNSUPPORTED_ROOM_VERSION error codes where applicable on /createRoom and /invite APIs. (#1908)
  • Add a .m.rule.tombstone default push rule for room upgrade notifications. (#2020)
  • Add support for sending server notices to clients. (#2026)
  • Add MSISDN (phone number) support to User-Interactive Authentication. (#2030)
  • Add the option to lazy-load room members for increased client performance. (#2035)
  • Add id_server to /deactivate and /3pid/delete endpoints to unbind from a specific identity server. (#2046)
  • Add support for Olm sessions becoming un-stuck. (#2059)
  • Add interactive device verification, including a common framework for device verification. (#2072)

Spec Clarifications

  • Change examples to use instead of a real domain. (#1650)
  • Clarify that state_default in always defaults to 50. (#1656)
  • Add missing status_msg to m.presence schema. (#1744)
  • Fix various spelling mistakes throughout the specification. (#1838, #1853, #1860, #1933, #1969, #1988, #1989, #1991, #1992)
  • Add the missing m.push_rules event schema. (#1889)
  • Clarify how modern day local echo is meant to be solved by clients. (#1891)
  • Clarify that width and height are required parameters on /_matrix/media/r0/thumbnail/{serverName}/{mediaId}. (#1975)
  • Clarify how m.login.dummy can be used to disambiguate login flows. (#1999)
  • Remove prev_content from the redaction algorithm's essential keys list. (#2016)
  • Fix the third_party_signed definitions for the join APIs. (#2025)
  • Clarify why User Interactive Auth is used on password changes and how access tokens are handled. (#2027)
  • Clarify that devices are deleted upon logout. (#2028)
  • Add M_NOT_FOUND error definition for deleting room aliases. (#2029)
  • Add missing reason to (#2031)
  • Clarify how redactions affect room state. (#2032)
  • Clarify that FAIL_ERROR in autodiscovery is not limited to just homeservers. (#2036)
  • Fix example Content-Type for /media/upload request. (#2041)
  • Clarify that login flows are meant to be completed in order. (#2042)
  • Clarify that clients should not send read receipts for their own messages. (#2043)
  • Use consistent examples of events throughout the specification. (#2051)
  • Clarify which push rule condition kinds exist. (#2052)
  • Clarify the required fields on m.file (and similar) messages. (#2053)
  • Clarify that User-Interactive Authentication stages cannot be attempted more than once. (#2054)
  • Clarify which parameters apply in what scenarios on /register. (#2055)
  • Clarify how to interpret changes of membership over time. (#2056)
  • Clarify exactly what invite_room_state consists of. (#2067)
  • Clarify how the content repository works, and what it is used for. (#2068)
  • Clarify the order events in chunk are returned in for /messages. (#2069)
  • Clarify the key object definition for the key management API. (#2083)
  • Reorganize information about events into a common section. (#2087)
  • De-duplicate /state/<event_type> endpoints, clarifying that the <state_key> is optional. (#2088)
  • Clarify when and where CORS headers should be returned. (#2089)
  • Clarify when authorization and rate-limiting are not applicable. (#2090)
  • Clarify that /register must produce valid Matrix User IDs. (#2091)
  • Clarify how unread_notifications is calculated. (#2097)
  • Clarify what a "module" is and update feature profiles for clients. (#2098)


New Endpoints

  • POST /user_directory/search (#1096)
  • GET /rooms/{roomId}/event/{eventId} (#1110)
  • POST /delete_devices (#1239)
  • GET /thirdparty/* Endpoints (#1353)
  • POST /account/3pid/msisdn/requestToken, POST /register/msisdn/requestToken, and POST /account/password/msisdn/requestToken (#1507)
  • POST /account/3pid/delete (#1567)
  • POST /rooms/{roomId}/read_markers (#1635)

Backwards Compatible Changes

  • Add more presence options to the set_presence parameter of /sync. (Thanks @mujx!) (#780)
  • Add token parameter to the /keys/query endpoint (#1104)
  • Add the room visibility options for the room directory (#1141)
  • Add spec for ignoring users (#1142)
  • Add the /register/available endpoint for username availability (#1151)
  • Add sticker messages (#1158)
  • Specify how to control the power level required for @room (#1176)
  • Document /logout/all endpoint (#1263)
  • Add report content API (#1264)
  • Add allow_remote to the content repo to avoid routing loops (#1265)
  • Document highlights field in /search response (#1274)
  • End-to-end encryption for group chats:
    • Olm and Megolm messaging algorithms.
    •,, m.room_key events.
    • Device verification process.
    • device_one_time_keys_count sync parameter.
    • device_lists:left sync parameter. (#1284)
  • Add .well-known server discovery method (#1359)
  • Document the GET version of /login (#1361)
  • Document the server_name parameter on /join/{roomIdOrAlias} (#1364)
  • Document the CORS/preflight headers (#1365)
  • Add new user identifier object for logging in (#1390)
  • Document message formats on m.text and m.emote messages (#1397)
  • Encrypt file attachments (#1420)
  • Share room decryption keys between devices (#1465)
  • Document and improve client interaction with pushers. (#1506)
  • Add support for Room Versions. (#1516)
  • Guests can now call /context and /event to fetch events (#1542)
  • Add a common standard for user, room, and group mentions in messages. (#1547)
  • Add server ACLs as an option for controlling federation in a room. (#1550)
  • Add new push rules for encrypted events and @room notifications. (#1551)
  • Add third party network room directories, as provided by application services. (#1554)
  • Document the validated_at and added_at fields on GET /acount/3pid. (#1567)
  • Add an inhibit_login registration option. (#1589)
  • Recommend that servers set a Content Security Policy for the content repository. (#1600)
  • Add "rich replies" - a way for users to better represent the conversation thread they are referencing in their messages. (#1617)
  • Add support for read markers. (#1635)

Spec Clarifications

  • Mark home_server return field for /login and /register endpoints as deprecated (#1097)
  • Fix response format of /keys/changes endpoint (#1106)
  • Clarify default values for some fields on the /search API (#1109)
  • Fix the representation of m.presence events (#1137)
  • Clarify that m.tag ordering is done with numbers, not strings (#1139)
  • Clarify that /account/whoami should consider application services (#1152)
  • Update ImageInfo and ThumbnailInfo dimension schema descriptions to clarify that they relate to intended display size, as opposed to the intrinsic size of the image file. (#1158)
  • Mark GET /rooms/{roomId}/members as requiring authentication (#1245)
  • Clarify changed field behaviour in device tracking process (#1284)
  • Describe StateEvent for /createRoom (#1329)
  • Describe how the reason is handled for kicks/bans (#1362)
  • Mark GET /presence/{userId}/status as requiring authentication (#1371)
  • Describe the rate limit error response schema (#1373)
  • Clarify that clients must leave rooms before forgetting them (#1378)
  • Document guest access in /createRoom presets (#1379)
  • Define what a RoomEvent is on /rooms/{roomId}/messages (#1380)
  • Clarify the request and result types on /search (#1381)
  • Clarify some of the properties on the search result (#1400)
  • Clarify how access tokens are meant to be supplied to the homeserver. (#1517)
  • Document additional parameters on the /createRoom API. (#1518)
  • Clarify that new push rules should be enabled by default, and that unrecognised conditions should not match. (#1551)
  • Update all event examples to be accurate representations of their associated events. (#1558)
  • Clarify the supported HTML features for room messages. (#1562)
  • Move the invite_room_state definition under unsigned where it actually resides. (#1568)
  • Clarify the homeserver's behaviour for searching users. (#1569)
  • Clarify the object structures and defaults for Filters. (#1570)
  • Clarify instances of type: number in the swagger/OpenAPI schema definitions. (#1571)
  • Clarify that left rooms also have account data in /sync. (#1572)
  • Clarify the event fields used in the /sync response. (#1573)
  • Fix naming of the body field in PUT /directory/room. (#1574)
  • Clarify the filter object schema used in room searching. (#1577)
  • Document the 403 error for sending state events. (#1590)
  • specify how to handle multiple olm sessions with the same device (#1596)
  • Add the other keys that redactions are expected to preserve. (#1602)
  • Clarify that clients should not be generating invalid HTML for formatted events. (#1605)
  • Clarify the room tag structure (thanks @KitsuneRal!) (#1606)
  • Add a note that clients may use the transaction ID to avoid flickering when doing local echo. (#1619)
  • Include the request and response structures for the various /requestToken endpoints. (#1636)
  • Clarify the available error codes, and when to prefer the HTTP status code over the errcode. (#1637)
  • Clarify and generalise the language used for describing pagination. (#1642)


  • Breaking changes:
    • Change the rule kind of .m.rule.contains_display_name from underride to override. This works with all known clients which support push rules, but any other clients implementing the push rules API should be aware of this change. This makes it simple to mute rooms correctly in the API (#373).
    • Remove /tokenrefresh from the API (#395).
    • Remove requirement that tokens used in token-based login be macaroons (#395).
    • Move thumbnail_url and thumbnail_info members of json objects for events with msgtypes m.image, m.file and m.location, inside the info member, to match events (#723).
  • Changes to the API which will be backwards-compatible for clients:
    • Add filename parameter to POST /_matrix/media/r0/upload (#364).
    • Document CAS-based client login and the use of m.login.token in /login (#367).
    • Make origin_server_ts a mandatory field of room events (#379).
    • Add top-level account_data key to the responses to GET /sync and GET /initialSync (#380).
    • Add is_direct flag to POST /createRoom and invite member event. Add 'Direct Messaging' module (#389).
    • Add contains_url option to RoomEventFilter (#390).
    • Add filter optional query param to /messages (#390).
    • Add 'Send-to-Device messaging' module (#386).
    • Add 'Device management' module (#402).
    • Require that User-Interactive auth fallback pages call window.postMessage to notify apps of completion (#398).
    • Add pagination and filter support to /publicRooms. Change response to omit fields rather than return null. Add estimate of total number of rooms in list. (#388).
    • Allow guest accounts to use a number of endpoints which are required for end-to-end encryption. (#751).
    • Add key distribution APIs, for use with end-to-end encryption. (#894).
    • Add state event for rooms. (#1007).
    • Add mention of ability to send Access Token via an Authorization Header.
    • Add guest_can_join parameter to POST /createRoom (#1093).
    • New endpoints:
      • GET /joined_rooms (#999).
      • GET /rooms/{roomId}/joined_members (#999).
      • GET /account/whoami (#1063).
      • GET /media/{version}/preview_url (#1064).
  • Spec clarifications:
    • Add endpoints and logic for invites and third-party invites to the federation spec and update the JSON of the request sent by the identity server upon 3PID binding (#997)
    • Fix "membership" property on third-party invite upgrade example (#995)
    • Fix response format and 404 example for room alias lookup (#960)
    • Fix examples of event and room state change, and added a clarification on the membership event sent upon profile update (#950).
    • Spell out the way that state is handled by POST /createRoom (#362).
    • Clarify the fields which are applicable to different types of push rule (#365).
    • A number of clarifications to authentication (#371).
    • Correct references to user_id which should have been sender (#376).
    • Correct inconsistent specification of redacted_because fields and their values (#378).
    • Mark required fields in response objects as such (#394).
    • Make m.notice description a bit harder in its phrasing to try to dissuade the same issues that occurred with IRC (#750).
    • GET /user/{userId}/filter/{filterId} requires authentication (#1003).
    • Add some clarifying notes on the behaviour of rooms with no event (#1026).
    • Clarify the relationship between username and user_id in the /register API (#1032).
    • Clarify rate limiting and security for content repository. (#1064).


  • Spec clarifications:
    • Room aliases (#337):
      • Make it clear that GET /directory/room/{roomAlias} must work for federated aliases.
      • GET /directory/room/{roomAlias} cannot return a 409; the PUT endpoint can, however.
    • Power levels:
      • Clarify the defaults to be used for various fields of the event (#286, #341).
      • Add suggestions for mapping of names to power levels (#336).
    • Clarify the room naming algorithm in certain edge cases (#351).
    • Remove outdated references to the pre-r0 /events API, and clarify the section on syncing (#352).
  • Changes to the API which will be backwards-compatible for clients:
    • New endpoints:
      • POST /register/email/requestToken (#343).
      • POST /account/3pid/email/requestToken (#346).
      • POST /account/password/email/requestToken (#346).
      • POST /account/deactivate (#361).
    • Updates to the Presence module (#278, #342):
      • Remove unused free_for_chat presence state
      • Add currently_active flag to the m.presence event and the GET /presence/{userId}/status response.
      • Make idle timeout the responsibility of the server
      • Remove requirements on servers to propagate profile information via m.presence events.
    • Add new predefined push rules (#274, #340).
    • /sync should always return a prev_batch token (#345).
    • add to parameter to GET /rooms/{roomId}/messages API (#348).


This release includes the following changes since r0.0.1:

  • Breaking changes to the API [1]:

    • POST /rooms/{roomId}/join no longer permits use of a room alias instead of a room id. (POST /join/{roomIdOrAlias} continues to allow either.)

    • POST /account/3pid: correct the name of the three_pid_creds parameter

    • The "Push Rules" module no longer supports device-specific rules:

      • GET /pushrules no longer returns a device property
      • device/{profile_tag} is no longer a valid scope for push rules
      • profile_tag is no longer a valid kind of condition on push rules.

      (Device-specific push rules will be reintroduced in the future; in the meantime, their specification has been moved to a draft branch.)

  • Changes to the API which will be backwards-compatible for clients:

    • New endpoints:
      • POST /logout
      • POST /rooms/{roomId}/unban
      • POST /rooms/{roomId}/kick
      • GET /pushers
      • GET /pushrules/{scope}/{kind}/{ruleId}/enabled (previously PUT-only)
      • GET and PUT /pushrules/{scope}/{kind}/{ruleId}/actions
    • Add third_party_signed parameter to POST /rooms/{roomId}/join
    • Add M_INVALID_USERNAME as valid response to POST /register
    • Add unread_notifications field to GET /sync response
    • Add optional invite property to state event
    • Add optional public_key and public_keys to state event
    • Password-based /login may now use a third-party identifier instead of a matrix user id.
  • Spec clarifications

    • Make the state diagram for room membership explicit
    • Note that a user may not be invited to a room while banned
    • Clarify the expected order of events in the response to GET /rooms/{roomId}/context/{eventId}, as well as correcting the example for that API
    • Clarify the behaviour of the "Room History Visibility" module; in particular, the behaviour of the shared history visibilty, and how events at visibility boundaries should be handled
    • Separate the "Room Previews" module from "Guest access"
    • Reword the description of the profile_tag property in PUT /pushers/set, and note that it is not mandatory.
[1]Our versioning policy would strictly require that a breaking change be denoted by a new major specification version. However we are not aware of any clients which rely on the old behaviour here, nor server implementations which offer it, so we have chosen to retain the r0 designation on this occasion.


This release includes the following changes since r0.0.0:

  • API changes: - Added new /versions API - /createRoom takes an optional invite_3pid parameter - /publicRooms returns an avatar_url result

  • The following APIs are now deprecated: - /initialSync - /events - /events/:eventId - /rooms/:roomId/initialSync

  • Spec clarifications - Document inter-version compatibility - Document the parameters to the /user/:userId/filter API - Document the next_batch parameter on /search - Document the membership states on events - Minor clarifications/corrections to:

    • Guest access module
    • Search module
    • /login API
    • /rooms/:roomId/send/:eventType/:txnId API
    • /rooms/:roomId/context/:eventId API


This is the first release of the client-server specification. It is largely a dump of what has currently been implemented, and there are several inconsistencies.

An upcoming minor release will deprecate many of these inconsistencies, and they will be removed in the next major release.

Since the draft stage, the following major changes have been made: - /api/v1 and /v2_alpha path segments have been replaced with the major version of the release (i.e. 'r0'). - Some POST versions of APIs with both POST and PUT have been removed. - The specification has been split into one specification per API. This is the client-server API. The server-server API can be found documented separately. - All APIs are now documented using Swagger - The following modules have been added:

  • Content repository
  • Instant messaging
  • Push notification
  • History visibility
  • Search
  • Invites based on third party identifiers
  • Room tagging
  • Guest access
  • Client config
  • The following APIs were added: - /sync - /publicRooms - /rooms/{roomId}/forget - /admin/whois - /rooms/{roomId}/redact - /user/{userId}/filter
  • The following APIs have been significantly modified: - Invitations now contain partial room state - Invitations can now be rejected - /directory
  • The following events have been added: -
  • Example signed json is included for reference
  • Commentary on display name calculation was added
You can’t perform that action at this time.