Stricter Token Validation at the API Edge
What Shipped
Our authentication and team-invitation flows now apply a stricter validation check on the security tokens they handle. Behaviour visible to customers stays the same: valid tokens continue to work normally and produce the same success responses they did before. What changed is the path that malformed input takes — it is now rejected at the API edge with a uniform error response, before reaching any deeper system.
Why It Matters
For publishers and e-commerce sites operating in the EU, GDPR Art. 32 ("security of processing") requires appropriate technical measures to protect personal data. A consistent validation layer at the API edge is one such measure: it reduces what an attacker can probe, and it keeps our error responses uniform regardless of what specifically was malformed about the input.
The change is also a small efficiency win — malformed input no longer triggers unnecessary internal operations, freeing capacity for legitimate customer traffic.
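The pattern described above, as an added example that is not the service's own code: a shape check runs before any backend call, and every malformed input receives the same response. The token format (43 base64url characters), the 256-character cap, the error bodies, and the names `handle_invitation` and `InvitationBackend` are assumptions made for illustration.

```python
import re
from http import HTTPStatus

# Assumed token shape for this sketch: 43 base64url characters (32 random bytes).
# The page does not state the real format.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")
MAX_RAW_LEN = 256  # assumed cap; oversized input is rejected before any regex work

# One response for every kind of malformed input, so the caller learns nothing
# about which check failed.
UNIFORM_ERROR = (HTTPStatus.BAD_REQUEST, {"error": "invalid_token"})


def is_well_formed(raw):
    """Cheap, side-effect-free shape check performed at the edge."""
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
        return False
    # fullmatch, not match with '$': a trailing newline must not slip through.
    return TOKEN_RE.fullmatch(raw) is not None


class InvitationBackend:
    """Hypothetical stand-in for the deeper system; counts lookups it performs."""

    def __init__(self, known):
        self.known = known
        self.lookups = 0

    def redeem(self, token):
        self.lookups += 1
        team = self.known.get(token)
        if team is None:
            return HTTPStatus.NOT_FOUND, {"error": "unknown_token"}
        return HTTPStatus.OK, {"team": team}


def handle_invitation(raw, backend):
    """Edge handler: malformed input never reaches the backend."""
    if not is_well_formed(raw):
        return UNIFORM_ERROR
    return backend.redeem(raw)


# Constructed sample inputs, each malformed in a different way.
VALID = "A" * 43
MALFORMED = ["", "short", "A" * 44, "A" * 42 + "=", "A" * 42 + "\n", None,
             "A" * 10_000, "' OR 1=1 --", "../" * 14 + "x"]
```

Comparing `backend.lookups` before and after a batch of malformed requests is a direct regression check that the edge filter is still in front of the deeper system.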
Where to Read More
See the full quarterly review and rollout notes at /achievements.
Legal basis for the token-handling activity is documented in our DPIA.