
Leantime

PM
Velocity 6.3

Open-source project management system for non-project managers, designed for small teams and startups with focus on goals and milestones.

Leantime lands a major architecture rebuild, then spends a week stabilizing its API auth

project-management, open-source, permissions, json-rpc-api, mobile, self-hosted
Current state
Leantime is working through the aftermath of 3.9.0, a large architectural release that introduced a native permission engine and a JSON-RPC API layer, consolidated 16 canvas variants into a unified Blueprints domain, and added mobile push notifications. The subsequent 3.9.1-3.9.5 train is dominated by fixes for the Bearer/token authentication regressions that 3.9.0 introduced.
Where it's heading
The open-source PM tool is modernizing its foundation (thin controllers, typed exceptions, fail-closed authorization, Blade migration) to support a mobile app and third-party integrations. The near-term cost is a visible bugfix tail as token-based auth gets hardened path by path.
Prediction
Expect the patch cadence to settle once Bearer-auth coverage stabilizes, with mobile endpoints and the JSON-RPC surface becoming the focus, given the mobile API work threaded through these releases.

Recent moves

  1. 9d ago

    Mobile API endpoints for notifications and calendar; fixes

    Adds session-scoped mobile API endpoints for the notifications inbox and calendar, plus mention-dropdown and canvas fixes. Continues building out the API surface the mobile app needs.

  2. 13d ago

    Fix cross-project My Work loading and Bearer auth

    Fixes cross-project 'My Work' loading and a Bearer-auth role-storage bug. Part of the post-3.9.0 stabilization train, no new capability.

  3. 13d ago

    Fix Bearer token auth on permission-gated API methods

    Resolves a Bearer token error that denied every permission-gated API method, and unifies session handling across auth paths. A correctness fix for the 3.9.0 API rework.

  4. 15d ago

    Fix route caching and Bearer/PAT authentication

    Fixes stale route-cache recovery and Bearer/PAT authentication against the core token store. Another stabilization patch in the 3.9.x line.

  5. 15d ago

    Fix 3.9.0 Bearer API auth regression

    Restores user context for Sanctum Bearer API requests, fixing a regression from 3.9.0, and adds a contract-test CI gate. Pure correction of the prior release.

  6. 15d ago

    Native permission engine, JSON-RPC API and mobile push

    ⚡ SPARK

    3.9.0 rebuilds the foundation: a native fail-closed permission engine across every domain, a JSON-RPC API replacing legacy REST, consolidated Blueprints, and mobile push notifications. The architectural move that the following bugfix train is paying down.
