
January brought API rate limiting to the REST API, GitHub Dependabot secret sync, a major architectural improvement to the Kubernetes Operator, and a wave of security hardening. Here's the full recap.
API Rate Limiting
The Phase REST API now supports rate limiting to protect against abuse and ensure platform stability. Rate limits are applied per account and scoped to secret, dynamic secret, and external identity endpoints. When rate limited, the API returns a 429 response with a Retry-After header.
For self-hosted deployments, rate limiting is fully configurable via environment variables. Set RATE_LIMIT_DEFAULT to enable it, and optionally customize per-tier limits with RATE_LIMIT_FREE, RATE_LIMIT_PRO, and RATE_LIMIT_ENTERPRISE.
Check out the Rate Limits docs for full details.
Available in Console v2.58.0.
GitHub Dependabot Secret Sync
You can now sync secrets from Phase to GitHub Dependabot, in addition to GitHub Actions and GitHub Environments. This is useful for organizations that use Dependabot with private package registries or authenticated APIs.
Configure it from the GitHub integration settings in your Phase app — simply select the Dependabot scope when setting up or editing a sync.
Check out the GitHub integration docs for setup details.
Available in Console v2.57.0.
Kubernetes Operator — Daemon-Based Sync
The Kubernetes Secrets Operator has been re-architected to use daemon-based sync instead of polling. This is a significant architectural improvement that reduces API calls, lowers resource consumption, and ensures secrets are synced more efficiently.
Available in Kubernetes Operator v1.4.0.
SSL/TLS for External PostgreSQL & Redis
The Phase Console Docker image now bundles the AWS RDS CA certificate and AWS ElastiCache CA certificate, and exposes new environment variables to configure SSL/TLS connections to external PostgreSQL and Redis instances. This makes it straightforward to deploy Phase on AWS with encrypted database and cache connections out of the box.
New environment variables:
- DATABASE_SSLMODE / DATABASE_SSL_CA_PATH — Configure PostgreSQL SSL mode and custom CA certificate path
- REDIS_TLS / REDIS_CA_PATH — Enable TLS for Redis and specify a custom CA certificate path
Available in Console v2.58.0.
Security Hardening
A series of security improvements landed in January as part of ongoing hardening:
- Permission checks for secret mutations — Added environment access validation for all secret creation, update, and delete operations
- Permission checks for audit logging — Secret read audit-logging mutations now verify proper permissions
- Third-party credential access — User authentication is now enforced when accessing third-party service credentials
- Personal secret access — Updated access checks in personal secret mutations
- Lease scoping — Dynamic secret lease retrieval is now filtered by environment
- Payment method validation — Payment method ownership is now verified before allowing detach operations
- GitLab OAuth2 adapter — Fixed the GitLab OAuth2 adapter to properly use header-based authentication
- Outbound network filtering — Added filtering of integration connections on Phase Cloud for improved network security
Available in Console v2.56.2.
Vercel Rate Limit Handling
The Vercel integration now properly handles Vercel API rate limits when syncing large numbers of secrets. Previously, syncing many secrets at once could result in failed syncs due to Vercel's rate limiting. The integration now implements retry logic with exponential backoff.
Available in Console v2.56.3.
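A client-side retry helper that honours the 429 plus Retry-After contract described under API Rate Limiting above, and falls back to capped exponential backoff when the server gives no hint, the same strategy the Vercel sync now uses. This is an added illustration, not Phase's own code; the `(status, headers, body)` request shape, the numeric Retry-After form and the timing constants are assumptions.

```python
import random
import time
from typing import Callable, Optional

# Constructed example: retry a request on HTTP 429, honouring Retry-After
# when present, otherwise using capped exponential backoff with jitter.


class RateLimitExceeded(Exception):
    """Raised when the server is still rate limiting after all retries."""


def retry_delay(attempt: int, retry_after: Optional[str],
                base: float = 0.5, cap: float = 30.0, jitter: float = 0.0) -> float:
    """Seconds to wait before retry number `attempt` (0-based).

    A server-supplied Retry-After (in seconds) wins; otherwise use capped
    exponential backoff so many clients do not retry in lockstep.
    """
    if retry_after is not None:
        try:
            return max(0.0, float(retry_after))
        except ValueError:
            pass  # unparseable (e.g. HTTP-date form); fall back to backoff
    return min(cap, base * (2 ** attempt)) + jitter


def request_with_retry(send: Callable[[], tuple[int, dict, object]],
                       max_retries: int = 5,
                       sleep: Callable[[float], None] = time.sleep,
                       rng: Callable[[], float] = random.random) -> tuple[object, list[float]]:
    """Call `send()` until it returns a non-429 status or retries run out.

    `send` returns (status, headers, body). Returns (body, delays_slept) so
    the caller can log how long the sync was throttled.
    """
    delays: list[float] = []
    for attempt in range(max_retries + 1):
        status, headers, body = send()
        if status != 429:
            return body, delays
        if attempt == max_retries:
            break
        # HTTP header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        delay = retry_delay(attempt, lowered.get("retry-after"), jitter=rng() * 0.1)
        delays.append(delay)
        sleep(delay)
    raise RateLimitExceeded(f"still rate limited after {max_retries} retries")
```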
AWS Marketplace
Phase is now available on the AWS Marketplace, making it easier for teams to discover, procure, and manage their Phase subscription through their existing AWS billing relationship.
Other improvements and fixes
- Fix tags removed on secret edit — Fixed a bug where tags were being removed from secrets when editing in the cross-environment editor
- Fix deleted service accounts in app members — Deleted service accounts no longer appear in the app members listing
- CLI secret referencing fix — Fixed string matching issues in the CLI's secret referencing engine
- CLI emoji encoding on Windows — Fixed emoji rendering issues in the CLI on Windows (win32)
All features are live on Phase Cloud and available in the latest releases for self-hosted users.
As always, we'd love your feedback — come say hi on Slack or GitHub.