Core 5.7.4 / 6.0.0 Admin API Migration Guide for Partners
This article explains the required updates for partners and API integrators when upgrading to Core 5.7.4 and preparing for Core 6.0.0. Core 5.7.4 will be released on 24 February 2026 and introduces important security improvements and API restructuring. Several legacy methods are now deprecated and will be removed completely in Core 6.0.0.
API Migration Guide — Core 5.7.4 Partner action required ahead of Core 6.0.0
⚠️ Legacy authentication methods and deprecated APIs will be permanently removed in Core 6.0.0, expected October 2025. Partners using affected APIs must migrate before then.
This guide covers what is changing, who is affected, and what action is required.
All partners = Changes that affect everyone using Dstny APIs
Whitelabel partners only = Changes that only affect Admin API access
1. User Ticket API — new secure ticket creation [All partners]
The method for creating Bearer tokens (User API tickets) has been updated in Core 5.7.4.
What changed
Previously, Bearer tickets could be created by MD5 hashing the user password. This method is now deprecated and replaced with a new secure method that:
- Uses username and password directly
- Supports 2FA (two-factor authentication) if enabled for the user
- Works for all User API calls
⚠️ Password-based ticket creation via MD5 will be removed in Core 6.0.0. If your integration creates tickets this way, you must update it.
How to create tickets going forward
- Manually in the Core portal at bc.dstny.se
- Via the updated User Ticket API — see User API documentation for details
How to check if you are affected
Core 5.7.4 adds audit log fields that identify deprecated usage. Look for ticketType: "password_based" in your audit logs — this indicates your integration is still using the deprecated method.
2. MD5 signing replaced with HMAC-SHA256 [Whitelabel partners only]
Admin API authentication has been updated. The legacy MD5-based signature has been replaced with a stronger signing method based on OAuth 1.0 (RFC5849).
What changed
| Area | Legacy method | New method |
|---|---|---|
| Algorithm | MD5 | HMAC-SHA256 |
| Secret format | Hex string | Base64 encoded (RFC4648) |
| Replay protection | Limited | Timestamp + nonce |
Ticket compatibility
Existing API tickets can still be used, but you must:
- Update your signing implementation to use HMAC-SHA256
- Ensure the new Base64 secret format is used (not the legacy hex format)
- Ideally revoke and recreate tickets after upgrading
⚠️ Legacy MD5 signing will be removed in Core 6.0.0. Admin API calls using MD5 signatures will stop working.
How to check if you are affected
In Core 5.7.4 audit logs, look for ticketType: "noauth_token" — this indicates MD5 signing is still in use.
ℹ️ See the Admin API documentation for full details on building the HMAC-SHA256 authorization signature, including code examples in Java, C# and Python.
3. User Admin API replaced by three new APIs [Whitelabel partners only]
The legacy User Admin API has been split into three separate APIs in Core 5.7.4:
- User Administration API — handles user management
- Bulk User Administration API — handles bulk operations
- User Secret API — handles passwords, PINs and device secrets
⚠️ The legacy User Admin API is deprecated from Core 5.7.4 and will be removed in Core 6.0.0.
3.1 User Administration API
User management moves to the new User Administration API. Key changes:
- Passwords and PINs are no longer part of user objects — they have moved to the User Secret API
- The following fields have been removed or changed:
- field1–field6 replaced by dirFields
- resetPassword no longer supported
- callRecordingAgentDesktop removed
- pincode moved to User Secret API
- password moved to User Secret API
- thirdPartyPhone replaced by thirdPartyPhoneType
- The two legacy user listing methods have been merged into a single List users method
3.2 Bulk User Administration API
- Bulk user operations have moved to the new Bulk User Administration API
- The ResetPassword column is no longer included in CSV exports
- Only the full-view CSV format is supported
3.3 User Secret API
Passwords, PINs and third-party device secrets are now managed via the User Secret API:
- Secrets can only be set, never read back
- Only clear-text password format is supported — legacy MD5 password format is removed
- When creating a new user, a password is automatically generated by the system
4. How to identify deprecated API usage
Core 5.7.4 adds new fields to the audit log to help you identify if your integration is still using deprecated methods:
| Field | Value | Meaning |
|---|---|---|
| ticketType | noauth_token | Deprecated MD5 signing in use |
| ticketType | password_based | Deprecated password-based ticket creation in use |
| deprecated | {"forRemoval":true,"since":"5.7.4"} | A deprecated API endpoint was called |
Make sure no deprecated calls remain in your integration before Core is upgraded to 6.0.0.
Partner checklist before Core 6.0.0
[All partners] Update ticket creation to the new User Ticket API method — remove any MD5 password-based ticket creation
[Whitelabel] Replace MD5 signing with HMAC-SHA256 in all Admin API requests
[Whitelabel] Migrate from the legacy User Admin API to the new User Administration, Bulk User Administration and User Secret APIs
[All partners] Review audit logs for noauth_token, password_based and deprecated flags — confirm no deprecated calls remain