This list is not intended to be all-encompassing - it will document major and breaking API changes with their rationale when appropriate:


  • http4k-* : Upgrade some dependency versions
  • http4k-contract : Allow user to provide schema creation implementation. H/T @tamj0rd2
  • http4k-core : [Fix #1053]: Add BiDiLensSpec defaulted with factory method
  • http4k-core : [Fix #1059]: Update kondor-json to 2.2.2. H/T @asadmanji


  • http4k-core : FollowRedirects also sets port on redirect.


  • http4k-* : Upgrade some dependency versions
  • http4k-serverless-lambda : [Fix #1057] Error when parsing AWS lambda event from S3 bucket
  • http4k-testing-webdriver : [Fix #1050] Http4kWebDriver does not work on Windows due to path issues. H/T @cmh-dev
  • http4k-core : [Fix #1055] Host header should contain host with port. H/T @obecker


  • http4k-client-core : Ensure consistent content-length behaviour across clients
  • http4k-client-apache : Ensure consistent content-length behaviour across clients
  • http4k-client-apache4 : Ensure consistent content-length behaviour across clients
  • http4k-client-fuel : Ensure consistent content-length behaviour across clients
  • http4k-client-jetty : Ensure consistent content-length behaviour across clients


  • http4k-* : Fix broken POM dependencies.


  • http4k-* : Upgrade some dependency versions
  • http4k-contract : Support for data4k progressive data models with field metadata via delegate properties


  • http4k-* : Upgrade some dependency versions
  • http4k-cloudnative* : Ability to override separator in Environment.


  • http4k-* : Upgrade some dependency versions
  • http4k-contract* : [Fix] Enums do not pick up custom prefixes in model naming. H/T @ashcor for the tip-off!
  • http4k-opentelemetry* : [Fix] Fix to set HTTP_REQUEST_BODY_SIZE attribute in OpenTelemetryTracing. H/T @dkandalov
  • http4k-contract* : Added Canonical model-namer.


  • http4k-* : Upgrade some dependency versions
  • http4k-client-helidon : [Fix #1037] Improve support for query parameters. H/T @franckrasolo


  • http4k-testing-tracerbullet : [Fix] Mermaid sequence diagram generation was constantly changing because of default editorconfig files and people committing with different IDE settings
  • http4k-server-jetty : [Fix #1023] Header values in quotes lose their quotes. H/T @efasel, @dhs3000


  • http4k-format-jade4j : [Breaking] This module has been renamed due to the library Jade4J becoming Pug4J. Migration should be a no-op apart from switching the imported module, and renaming your templates from .jade to .pug. Please see Pug4j docs for anything else.
  • http4k-format-pug4j : [New module] Replacement for Jade4j


  • http4k-webhooks : Move VerifyWebhookSignature filter to ServerFilters as it's not for HTTP clients!


  • http4k-* : Upgrade some dependency versions
  • http4k-core : [New module!] Support for the Standard Webhooks format
  • http4k-core : [Fix #1022] For a request with matching if-none-match header the response lacks the etag header. H/T @efasel
  • http4k-core : [Fix #1030] Maven POM for http4k-format-jackson-xml is invalid: jackson-dataformat-xml is missing a version


  • http4k-* : Upgrade some dependency versions
  • http4k-core : Fix lens replacement of path parameter when there is a regular expression in the path segment
  • http4k-format-jackson : Added lens support for deserialising data4k containers directly from HTTP message bodies (via Body.json(::JsonNodeDataContainer).toLens())


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.9.22, and Jetty 12 (see below).
  • http4k-server-jetty - [Breaking] Upgrade to Jetty 12. This is a major rewrite of the Jetty engine and the API surface is incompatible with v11. If you are using the vanilla Jetty backend then this is a no-op replacement; otherwise fall back to using the new Jetty11 module and then plan migration accordingly. Massive H/T to @FredNordin for the implementation upgrade.
  • http4k-server-jetty11 - [New Module!] Drop-in replacement module for custom Jetty11 users. Constructor is now called Jetty11() instead of Jetty(), so migration should be very simple. Other renames as required (using 11) to avoid API clashes in the http4k codebase.
  • http4k-aws : [Breaking] Tweaks to the signature of AwsPreSignRequests. Use AwsRequestPreSigner instead. H/T @oharaandrew314


  • http4k-aws : Pre-sign AWS requests with the new AwsPreSignRequests class. H/T @oharaandrew314
  • http4k-serverless-lambda : [Fix #1013] Support multi value query parameters in ApiGatewayV2LambdaFunction ( http4k-serverless/lambda)


  • http4k-* : Upgrade some dependency versions
  • http4k-core : [Unlikely Break: Fix #1011] Jackson does not honour serialisation of Enums when they are used as Map keys. The fix MAY break JSON serialisation (which actually is a bug as the expected behaviour is for the Enums to use the predefined mapping).


  • http4k-* : Upgrade some dependency versions
  • http4k-core : [Fix #1009] Extracting access token from non-standard AccessToken response fails


  • http4k-* : Upgrade some dependency versions
  • http4k-core : Make RouterDescription print-friendly


  • http4k-* : Upgrade some dependency versions
  • http4k-serverless-lambda : Add support for custom EventBridgeEvent format


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.9.21


  • http4k-* : Upgrade some dependency versions
  • http4k-contract [Fix #1002]: Ability to use RequestContexts for providing a User Principal with Security.


  • http4k-* : Upgrade some dependency versions
  • http4k-core : [Fix] FollowRedirects now removes host header
  • http4k-testing-webdriver : Ability to inject clock into the Webdriver


  • http4k-format-jade4j : [Breaking] This module has been renamed due to the library Jade4J becoming Pug4J. Migration should be a no-op apart from renaming your templates from .jade to .pug. Please see Pug4j docs for anything else.
  • http4k-format-pug4j : [New module] Replacement for Jade4j


  • http4k-testing-webdriver* : Allow the originalUri method of the OAuthRedirectionFilter to be configured when constructing an OAuthProvider H/T @mbcltd
  • http4k-format-* : Add alternative syntax for Automarshalling injection/extraction of bodies into and out of HttpMessages


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.9.20
  • http4k-testing-webdriver* : Host header is populated in Http4kWebDriver H/T @mbcltd


  • http4k-* : Upgrade some dependency versions.
  • http4k-server-helidon : [Breaking] Upgrade to stable v4 of Helidon, API changes.
  • http4k-client-helidon : [Breaking] Upgrade to stable v4 of Helidon, API changes.
  • http4k-* : [Breaking - dev only] http4k is now built with Java 21, although Java 8 is still targeted.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : New filter to validate zipkin headers. H/T @time4tea


  • http4k-* : Fix maven dependencies marked as optional in various http4k modules


  • http4k-* : Upgrade some dependency versions, including CVE fix for Jetty.
  • http4k-core : Rename Events.then() to Events.and() for clarity.


  • http4k-* : Upgrade some dependency versions.
  • http4k-serverless-lambda : Add support for multiple query/header values with the same key


  • http4k-* : Upgrade some dependency versions.
  • http4k-incubator* : Added HTMX emulation on Http4kWebDriver H/T @mbcltd


  • http4k-* : Upgrade some dependency versions.
  • http4k-core* : Added extension function ExecutionService.withRequestTracing() to propagate Zipkin traces across threads


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : BiDiLenses now implement LensInjectorExtractor


  • http4k-core : BiDiLenses now implement LensInjectorExtractor
  • http4k-contract : [Unlikely break] NoRenderer now returns a 404 instead of an empty JSON document.


  • http4k-* : Upgrade some dependency versions.
  • http4k-aws : Add support for AwsSdkAsyncClient. H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions
  • http4k-testing-playwright : [New Module] Easily browser-test your http4k apps with this Playwright JUnit extension! H/T @dmcg for the inspiration.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.9.10
  • http4k-htmx : Added hyperscript.js webjar to the distribution.


  • http4k-* : Upgrade some dependency versions
  • http4k-htmx : [New Module] Basic support for htmx development, including Webjar and custom lens types
  • http4k-testing-webdriver : Improve support for radio buttons and radio groups in the http4k-testing-webdriver. H/T @mbcltd


  • http4k-* : Upgrade some dependency versions
  • http4k-contract* : [Fix #964] ContractRoute - inconsistent behavior on route matching. H/T @potfur for the investigation.


  • http4k-* : Upgrade some dependency versions
  • http4k-server-undertow : [Unlikely break] - Reverse removal of the connectRequest from the SSE interface. This should undo the break caused by the recent rewrite.
  • http4k-server-jetty : [Unlikely break] - Reverse removal of the connectRequest from the SSE interface. This should undo the break caused by the recent rewrite.


  • http4k-* : Upgrade some dependency versions
  • http4k-testing-approval : Whitespace is now trimmed from end of approval file content. Improves compatibility with IntelliJ (as final line endings might be added automatically)
  • http4k-testing-webdriver : [Fix #963] Submitting empty textarea form element in the webdriver causes a validation error


  • http4k-* : Upgrade some dependency versions
  • http4k-server-apache4: Upgrade compromised commons-codec version. H/T @oharaandrew314
  • http4k-template-jte : [New module] JTE templating support


  • http4k-security-oauth : Add ability to override response mode in OAuthProvider.


  • http4k-core : [Fix] Extend URI now supports fragment parameters


  • http4k-* : Upgrade some dependency versions
  • http4k-security-oauth : [Fix] In-memory request tracking for FakeOAuthServer now supports full AuthRequest.


  • http4k-* : Upgrade some dependency versions.
  • http4k-serverless-core : Add some filters for Serverless functions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Added nonBlank() to set of standard BiDiMappings. H/T @dmcg
  • http4k-core : [Unlikely break: Fix #956] Lenses don't really work for optional fields in HTML form parsing. Form-fields are now filtered for values which are not blank. This means that you may need to change form lenses to be optional and default to an empty string if they are missing.


  • http4k-* : Upgrade some dependency versions.
  • http4k-cloudnative - Add support for enums in EnvironmentKey
  • http4k-testing-tracerbullet : [Breaking] Fixed SequenceDiagrams for Mermaid to be formatted correctly. This may break approval files for any tests.


  • http4k-* : Upgrade some dependency versions.
  • http4k-client-helidon : API changes from Helidon alpha to M1
  • http4k-server-helidon : API changes from Helidon alpha to M1
  • http4k-contract : [Fix #750] JacksonFieldMetadataRetrievalStrategy is incompatible with kotlinx.serialization @Serializable classes. H/T @krissrex
  • http4k-realtime-core : [Fix #951] Add filters to initialise request context for SSE and WS.
  • http4k-realtime-core : [Fix #885] Accept websocket subprotocols. Note that not all servers are currently supported
  • http4k-server-jetty : [Fix #885] Support subprotocols for Websockets


  • http4k-* : Upgrade some dependency versions.
  • http4k-aws: [Fix #656] AWS request signing issue for URLs with special characters. H/T @krissrex
  • http4k-aws: [Fix #947] AWS request signing issue for duplicated headers and header values with multiple spaces. H/T @krissrex
  • http4k-format-kondor-json: [Unlikely Break] Upgrade kondor-json to 2.0.0. H/T @FredNordin


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.9.0.
  • http4k-core : Surface root error messages in Body lenses when failure occurs on deserialisation.
  • http4k-template-thymeleaf : [Unlikely Break] Use HTML rendering mode and .html suffix by default for Thymeleaf templates. H/T @mikaelstaldal


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : [Fix #939] Override all Request and Response mutators for routed messages. H/T @kwydler


  • http4k-contract-jsonschema : [New module] Extracted this so we can reuse in non-OpenAPI scenarios
  • http4k-contract : [Deprecation] Repackaging of JSON schema classes. Should only affect users if they have explicitly used/extended the standard behaviour.


  • http4k-serverless-lambda* : [Fix #936] AWS SQS null deserialization issues


  • http4k-* : Upgrade some dependency versions.
  • http4k-security-oauth* : Remove dependency on Kotlin-reflect by adding custom adapters. H/T


  • http4k-serverless-lambda* : [Fix #933] AWS SQS deserialization issue when md5OfMessageAttributes is null. H/T @oharaandrew314


  • http4k-realtime-core* : Re-add test client methods for SSE and WS


  • http4k-server-realtime-core* : [Breaking - Fix #931] Change Websocket and SSE interfaces to return WsResponse and SseResponse objects. This makes it easier to set response headers and control if a connection is made from the incoming request as it is no longer hidden (it is exposed at the top level instead of being hidden in the SSE and Websocket objects). It also means that the interfaces for the protocols follow the same pattern.
  • http4k-server-jetty* : As above
  • http4k-server-undertow* : As above
  • http4k-core* : [Fix #930] Update content-length header after GZipping it. H/T @bjornbugge


  • http4k-* : Upgrade some dependency versions.
  • http4k-* : [Breaking] Remove all previous deprecations from all modules for v4. To upgrade cleanly, first upgrade to v4.48.0.0 and then re-upgrade to v5.0.0.0. This will ensure that you only have to deal with Deprecations between the major versions.
  • http4k-templates-dust: [Breaking] Nashorn is finally removed, so we are dropping support for this module. If you are on pre-Java 19 you can continue to use the old module version with no breaking changes.
  • http4k-*: [Breaking] http4k is now built with Java 20. We are still compiling for older Java versions. New major versions will now be incoming with every major JDK release in order to track new and retired JVM features (6 month cycle).
  • http4k-server-jetty: New Server Backend JettyLoom, based on Loom VirtualThreads. Requires Java 21 to use. Standard Jetty remains usable with any Java version.
  • http4k-core: New Server Backend SunHttpLoom, based on Loom VirtualThreads. Requires Java 21 to use. Standard SunHttp remains usable with any Java version.
  • http4k-server-helidon: [New Module] Helidon is a Loom-first rewrite of the popular server. Requires Java >= 19 to use.
  • http4k-server-websocket: [New Module] A lightweight Websocket server built on TooTallNate/Java-Websocket. H/T @oharaandrew314
  • http4k-client-helidon: [New Module] An HTTP client built from the ground up to take advantage of project Loom. Requires Java >= 19 to use.
  • http4k-format-kondor-json: [New Module] Support for KondorJson, the reflection-free JSON library.
  • http4k-testing-tracerbullet: [New Module] TracerBullet allows you to hook into the http4k Events implementation to visually document your applications through testing. See example in reference guide.
  • http4k-contract: Allow RouteMetaDsl to be marked as hidden H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.8.22.


  • http4k-* : Upgrade some dependency versions.
  • http4k-incubator : Further simplifications of tracing algorithm


  • http4k-core : Make it easy to propagate or update trace spans in ZipkinStorage
  • http4k-incubator : Further simplifications of tracing algorithm


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Added status lookup by code. H/T @jhult
  • http4k-core : [Unlikely break] Client request tracing now sets and resets the ThreadLocal containing the current Zipkin traces. Possible break if you were relying on Zipkin state in a downstream handler. This change will allow better in-memory testing as traces will be reported correctly inside the context of the filter.
  • http4k-incubator : [Break] Changes to improve how we create Tracing trees, and thus the signature of the Tracer to take EventNode, which is a tree node.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core: [Breaking] Fix #912 - CatchLensFailure filter now can pass the Request object into the receiver. H/T @mikaelstaldal
  • http4k-server-format-moshi: Add support for Sets
  • http4k-security-oauth: [Breaking] AccessTokens create method took an unnecessary duplicate parameter. To fix, just remove the authorizationCode parameter from your implementations and use the code from the tokenRequest


  • http4k-* : Upgrade some dependency versions.
  • http4k-core: SameSite cookie is now lax when it comes to casing.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : [Breaking] Allow setting of compression level on GZip filter in both Streaming and Memory mode. To fix, simply change from GzipCompressionMode.Memory/Streaming to GzipCompressionMode.Memory()/Streaming()


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : [Fix] #901. Improve performance of GZip in streaming mode.


  • http4k-* : Upgrade some dependency versions.
  • http4k-server-undertow : Upgrade websocket requests based on other common headers. H/T @endofhome
  • http4k-security-oauth : [Breaking] Make full callback URI available as part of the AuthorizationCodeMissing error. Fixes #895
  • http4k-core : Static resources now return directives as well as content type on served assets.


  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-testing-kotest : [Possible break] Fix of this Kotest issue in new dependency release might lead to some surprising changes in behaviour of matchers for comparing JSON nodes


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract-ui-redoc: [New Module] Serve Redoc with the redocUiWebjar function.
  • http4k-contract: [New Feature] Serve Redoc with the redocUiLite function.
  • http4k-contract-ui-swagger: [Fix] #880. swaggerUiWebjar now works properly with a non-root path. Plus performance improvements.


  • http4k-incubator : TracerBullet diagrams have more options for reporting errors.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.8.20.
  • http4k-incubator : TracerBullet diagrams have added colours.


  • http4k-contract-ui-swagger : Fix dependency from provided -> api


  • http4k-* : Upgrade some dependency versions.
  • http4k-opentelemetry* : Fix #867. OpenTelemetry tracing uses bad default span naming. H/T @krissrex for the report.
  • http4k-contract-ui-swagger : [New Module] Serve a customized Swagger UI via a bundled WebJar with the new swaggerUiWebjar function. H/T @oharaandrew314
  • http4k-contract : Deprecate swaggerUI in favor of new swaggerUiLite function, which uses a new config format. H/T @oharaandrew314


  • http4k-core* : [Unlikely break] Fix creation of UriTemplate when it starts/ends with multiple slashes. This shouldn't cause any problems that we know about, but we are bumping the breaking version number just in case.


  • http4k-* : Upgrade some dependency versions.
  • http4k-client-apache* : Fix #866 - ApacheClient does not handle SocketException.


  • http4k-* : Upgrade some dependency versions.
  • http4k-incubator : TracerBullet now renders results of tests by default. Use RenderingMode to switch off this default behaviour.


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-moshi-yaml : [Possible clash/break] Upgrade to v2.0 of SnakeYaml (CVE fixes etc) may break dependencies which previously used v1.3X.X. It is safe to pin your SnakeYaml version to 1.3X.X if there is a clash with other libraries in your stack.


  • http4k-contract : [Breaking] Support for HTTP webhooks and callbacks in OpenApi3 models. Note that the Swagger UIs do not support OA 3.1.0 yet so we have limited the OA version number to 3.0.0.


  • http4k-core : [Fix] Header parsing to split correctly.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.8.10.
  • http4k-core : [Unlikely break] Header values now trim leading space (as per RFC)
  • http4k-incubator: Added D2 support for tracing diagrams.
  • http4k-testing-approval: Make tests line-ending-agnostic. H/T @oharaandrew314
  • http4k-format-* : Various tweaks to modules to standardise behaviour. H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.8.0.
  • http4k-core : [Fix] #846 - Status.hashCode is inconsistent with Status.equals.
  • http4k-contract : Add new endpoint security type: OpenIdConnectSecurity. H/T @oharaandrew314
  • http4k-contract : swaggerUi now supports Oauth2 redirects. H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions.
  • http4k-multipart : Add lensing of Multipart form fields using JSON and Automarshalling
  • http4k-server-jetty : Add support for serving SSE. H/T @FredNordin
  • http4k-contract : [Breaking Fix] Fix #842 - Map OpenAPI implementation adds all properties as required H/T @BBB


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Allow access-control-max-age header to be set from cors policy. H/T @moddular
  • http4k-contract : [Fix] Or security renderer was not rendering properly when the component parts are themselves composite securities.


  • http4k-* : Upgrade some dependency versions.
  • http4k-incubator: Trace diagram improvements for PUML, Mermaid and Markdown.


  • http4k-incubator : More diagram tweaking.


  • http4k-incubator : Tweak of some diagramming.


  • http4k-* : Upgrade some dependency versions.
  • http4k-failsafe : [New Module!] Failsafe is a lightweight, zero-dependency library for handling failures. H/T @FredNordin
  • http4k-incubator : [Breaking] Rewrite of infrastructure for generating tracing diagrams, including new interfaces and support for rendering to various formats. Initial support for PUML and Mermaid.


  • http4k-* : Upgrade some dependency versions.
  • http4k-server-undertow : Remove extra dependencies which aren't needed.
  • http4k-contract: Fix Path value resolution when it starts with the same string as the prefix URL segment. H/T @tkint


  • http4k-* : Fix #827 - Requests with unknown HTTP method result in uncaught exceptions


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract : Support for arrays of enums in OA3.


  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-template-rocker : [New module] Compile-time templating with Rocker!


  • http4k-contract : Fix errant import which broke multipart OpenAPI V3 spec.


  • http4k-format-* : Remove Json extension method on MultipartFormField.Companion due to problem in JUnit. Re-re-fix.


  • http4k-format-* : Remove Json extension method on MultipartFormField.Companion due to problem in JUnit. Refix.


  • http4k-format-* : Remove Json extension method on MultipartFormField.Companion due to problem in JUnit.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.7.21.
  • http4k-format-* : Added auto() methods to arbitrary lenses (so Query, Header, FormField etc..)
  • http4k-core : [Unlikely break] reverseProxy() now takes the authority into account instead of just the hostname from the request. This should only impact you if you are doing reverse proxy operations on the client side and using localhost without a port as a proxy. To fix, simply add the port to your proxying setup and all should be good.
  • http4k-contract* : Fix: Remove duplicate content type header.


  • http4k-* : Upgrade some dependency versions.
  • http4k-server-ktor* : Fix: Remove duplicate content type header.


  • http4k-contract : Fix OpenApi rendering for enums when there isn't reflection.


  • http4k-* : Upgrade some dependency versions.
  • http4k-resilience4j-jetty : Fix #804 - CircuitBreaker counts error twice, once as an error and once as a success
  • http4k-client-okhttp : Added websocket client. H/T @FredNordin.
  • http4k-format-argo : Fix problem with duplicate keys when creating objects.
  • http4k-security-oauth : Ability to add scopes to the OAuth refresh token. H/T @p10r


  • http4k-* : Upgrade some dependency versions.
  • http4k-client-jetty : Added websocket client. H/T @FredNordin.
  • http4k-format-moshi : Add facility to use lightweight metadata adapter instead of Kotlin reflect. H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions, including CVE fix for Handlebars.
  • http4k-multipart: [Breaking] Add DiskLocation and the ability to keep uploaded files permanently stored on disk. H/T @jippeholwerda


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Move Jakarta Servlet code from Jetty as it is now shared.
  • http4k-contract : Add UserCredentialsOAuthSecurity. This allows the OpenApi spec to define a Resource Owner Password Credentials grant. It also includes a shortcut to load the principal into a RequestContextLens. H/T @oharaandrew314
  • http4k-core: Add StringBiDiMappings.csv to map between string and list, with a configurable delimiter and element mapping. H/T @oharaandrew314
  • http4k-multipart: [Breaking] Add DiskLocation and the ability to keep uploaded files permanently stored on disk. H/T @jippeholwerda


  • http4k-* : Upgrade some dependency versions including CVE fix for Undertow backend.


  • http4k-core : Add StringBiDiMappings.basicCredentials to easily convert between Credentials and basic auth. H/T oharaandrew314
  • http4k-core: Add Header.AUTHORIZATION_BASIC lens to easily get and set basic Credentials for a message. H/T oharaandrew314
  • http4k-contract: BasicAuthSecurity now supports a RequestContextLens to store the principal. H/T oharaandrew314


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-moshi* : Added ability to make Automarshallers strict.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.7.20.
  • http4k-testing-webdriver : [Unlikely Break] Upgrade has removed deprecated method.


  • http4k-core : [Unlikely Break] Added ZipkinTraceStorage, defaulting to ThreadLocal implementation. This allows centralised storage of trace information in non-standard threading environments (eg. coroutines).


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : YAML is now a recognised content type.


  • http4k-cloudevents : Add custom lenses to retrieve data from a cloud event and an extension function to set it.


  • http4k-cloudevents : Add Jackson.cloudEventsFormat() so we can use custom formats in cloud events lenses


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Fix #779: SunHttp does not blow up if you add a ll value.


  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-client-websocket: Fix #775 - WebsocketClient.nonBlocking cannot receive messages in binary mode. H/T oharaandrew314


  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-security-oauth : RefreshingOAuthToken does not blow up when no expiry returned by server.


  • http4k-format-moshi-yaml : [Fix] Re-fix YAML defaults for over greedy boolean values (regression caused by upgrade to SnakeYaml).


  • http4k-security-oauth : Make FakeOAuthServer more configurable, and removed the need for passing in an auth-code generator.


  • http4k-* : Upgrade some dependency versions.
  • http4k-security-oauth : [Unlikely Break] Converted AccessToken to be an interface, and internalised a lens which shouldn't have been used by anyone. To fix uses of accessTokenResponseBody, replace with<AccessTokenResponse>().toLens(), importing from OAuthServerMoshi.


  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-security-oauth : [Unlikely Break] Slight changes to CSRF generator interface. Should be easy to fix.


  • http4k-* : Upgrade some dependency versions.
  • http4k-security-oauth : Internal refactoring


  • http4k-* : Upgrade some dependency versions.
  • http4k-client-okhttp : Handle previously escapable HTTP client timeout case.
  • http4k-contract : Added Swagger UI helper route. H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions, including CVE fix for Undertow backend.
  • http4k-contract : [Unlikely break] Remove direct dependency on kotlin-reflect JAR, as it is brought in by http4k-format-jackson anyway. This builds ok but we have bumped the version number just to be sure. H/T @oharaandrew314 for the inspiration.
  • http4k-format-core : Add ContentNegotiator and auto versions to be plugged into http4k-format-* modules. H/T @oharaandrew314
  • http4k-core: Add cors exposed headers property. H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-moshi* : Upgrade Moshi to introduce a JSON node model, thus converting Moshi to be an AutoMarshallingJson. This should open the door to us eventually allowing Moshi to be used in http4k-contracts (and OpenAPI). Massive H/T to @oharaandrew314 for the work that went into this.


  • http4k-contract : OpenApi3 Operation Ids now replace '-' with '_', as '-' interfere with generation of OpenAPI clients.


  • http4k-* : Upgrade some dependency versions.
  • http4k-graphql : Add GraphQL explorer for http4k-graphql. H/T @arnabkd
  • http4k-realtime-core : Add helper for test Websocket. H/T @oharaandrew314
  • http4k-resilience4j* : Fix #745: ResilienceFilters.CircuitBreak counts an error twice: once as successful, once as error.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Added support for Web Linking header standard
  • http4k-multipart: Fix multipart upload failure if charset is included in content type. H/T @wickwirew
  • http4k-server-jetty: Remove usage of deprecated status description API. H/T @makowalski + @mandyvuong


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.7.0


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : [Unlikely break] Remove dependency on kotlin stdlib JDK 8 as we don't need it to compile. If this causes a problem, simply re-add api(Kotlin.stdlib.jdk8) to your project dependency list.
  • http4k-* : Fix #744 - Provided dependencies included as runtime in http4k versions >


  • http4k-core : Fix query parameter parsing when value contained =. H/T @overfullstack
  • http4k-security-digest : Fix digest challenge parsing when nonce contained =. H/T @oharaandrew314


  • http4k-contract : [Revert fix] - File field is described as "string" instead of "file" in OA3 specification.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Deprecate eTag filter in favour of ETagSupport.
  • http4k-contract : [Fix] - File field is described as "string" instead of "file" in OA3 specification.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Fix #738 - Calculating eTag ate body.
  • http4k-core : Caching filters now replace headers instead of adding them.
  • http4k-server-jetty : Change constructor to use supported shutdown mode. H/T @jshiell


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Refreshing Credentials Provider now does not block if there is more than half of the expiring time left.
  • http4k-core : Fix #735 - use whole message body for etag hash. H/T @aSemy
  • http4k-metrics-micrometer - Enable publishPercentileHistogram for Micrometer request timer H/T @jakubjanecek


  • http4k-server-*: Add support for graceful shutdown (available to most server implementations) H/T @nlochschmidt
  • http4k-core: Simplify hex decoding H/T @dzappold


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-moshi-yaml-*: Replace default YAML boolean resolver to be less greedy.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.6.21.
  • http4k-core: Fix #728 - No way to set the request timeout when using the JavaHttpClient. H/T @gmulders
  • http4k-oauth-security: Add missing Moshi adapter


  • http4k-core: Fix ServerFilters.BasicAuth handling of passwords containing colons H/T @robd


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Expand out values4k lens option
  • http4k-core : Allow cookie values to be returned unquoted H/T @2x2xplz
  • http4k-format-* : Throw a lens failure if a valid locale was not parsed H/T @oharaandrew314
  • http4k-opentelemetry : Fix #726 - OpenTelemetry: t.localizedMessage can't be null


  • http4k-* : Upgrade some dependency versions, including Ktor to v2.0.0
  • http4k-format-jackson-csv* : [New module] H/T @oharaandrew314 for the contribution.
  • http4k-core: New standard mappings for Time primitives. H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.6.20.
  • http4k-core: Enable overridable behaviour for CatchAll filter. H/T @dcmg
  • http4k-multipart: Add disk cache path to MultipartFormBody.from() parameters. H/T @rny


  • http4k-client-fuel: [New module] An http4k client based on Fuel with both sync and async support.


  • http4k-* : Upgrade some dependency versions, including Jackson to overcome CVE-2020-36518.


  • http4k-contract: Don't output required fields into OpenAPI if there are none.


  • http4k-contract: Small tweak to internal API


  • http4k-contract: Add format OpenApi hints to Arrays and Maps


  • http4k-contract: Remove println from AutoJsonToJsonSchema. Doh!


  • http4k-format-*: Correctly identify integer and number JSON types. This has a knock on effect in OpenApi specifications.


  • http4k-serverless-tencent : Downgrade events library as is insecure.


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract: Values4k metadata population for OpenApi3 specifications (via Values4kFieldMetadataRetrievalStrategy).


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract: Values4k metadata population for OpenApi3 specifications (via Values4kFieldMetadataRetrievalStrategy).


  • http4k-* : Upgrade some dependency versions.
  • http4k-security-oauth [Breaking]: Rename OauthCallbackError to OAuthCallbackError


  • http4k-* : Upgrade some dependency versions.
  • http4k-testing-webdriver* : [Breaking] Upgrade of webdriver to V4 has changed the APIs. The custom By implementation is no longer required so you can use the inbuilt Selenium version instead. The disabledCssSelector By implementation has been removed, although you can simply replicate this using the existing CSS selector model.


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract: Support OA3 meta fields on properties if they are populated by a custom annotation.
  • http4k-graphql : [Possible breaks] Due to upgrade of underlying graphql lib.


  • http4k-security-oauth: Fix error messages for oauth callback failures


  • http4k-security-oauth [Breaking]: apiBase path is now preserved when building auth and token uris
  • http4k-security-oauth [Breaking]: provide reason when an oauth callback fails
  • http4k-security-oauth [Breaking]: allow id token consumer to fail authentication flow


  • http4k-contract: OpenApi3 - Expose new prefix-overriding in OpenApi definitions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract: OpenApi3 - Ability to provide prefixes for all models in a tree. This allows you to have multiple versions of a single model in the specification (at the cost of duplicated schema models).


  • http4k-* : Upgrade some dependency versions.
  • http4k-core: [Breaking] All metrics now include path when labelled and routed. For consistency, . in path names are now converted to underscores as well. Regexes are also removed from paths on both client and server. H/T @hektorKS
  • http4k-testing-strikt: Fix #709 - Strikt assertion builder for Uri.path H/T @michaelbannister


  • http4k-contract: OpenApi3 - Don't add required field if no fields are required!


  • http4k-contract: Fix #706: Form "multi" lens's do not render an items field in contracts.
  • http4k-testing-chaos: ChaoticHttpHandler disables Chaos API when reflection not available.


  • http4k-core: Fix #704: Filters are recreated on every request. H/T @hektorKS
  • http4k-core: Fix #702: TrafficFilters.ReplayFrom doesn't correctly read from Replay.
  • http4k-server-netty: Fix #703: Netty: null cannot be cast to non-null type
  • http4k-client-apache-async: Remove usage of deprecated API
  • http4k-client-jetty: Remove usage of deprecated API
  • http4k-testing-webdriver: Remove usage of deprecated (internal) API
  • http4k-* : Upgrade some dependency versions.


  • http4k-client-websocket : Apply a timeout when creating a blocking client websocket connection


  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-opentelemetry : Fixes #697: Upgraded OpenTelemetry version to 1.11.0 H/T @jenarros


  • http4k-server-jetty : Replace conscrypt with internal java for ALPN server


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Added ContentDispositionAttachment server filter. H/T @jenarros
  • http4k-core : Fix path conversion for static routing handlers with trailing. H/T @jenarros
  • http4k-contract : Support non-JSON schema types in request definitions.


  • http4k-core : [Potential Break] Fix #693 Cookie implementation uses LocalDateTime val which is implicitly turned into GMT time for cookie. Break is that Cookies now run from Instant instead of LocalDateTime. Thanks to @maedjyuk-ghoti for alerting us to chase down this 5y+ standing bug!
  • http4k-security-oauth : Fixes to the InsecureCookieBasedOAuthPersistence to make it more user-friendly.
  • http4k-server-netty : Keep-alive for Netty when not streaming. H/T @jakubjanecek for the contrib!


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Fixed URLPathSegment encoding/decoding based on RFC 3986. H/T @jenarros for the thoughtful and thorough contribution!


  • http4k-core : Added mapping for enum() in lenses.


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract : Fix #687 - OpenApiV3 object serialization. H/T @lawkai


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-moshi-yaml : Fix for serialising Maps with null values (the key should still be rendered!)
  • http4k-format-moshi-yaml : Remove accidental stack trace dump.


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-moshi-yaml : [New module] YAML marshalling with zero-reflection is now possible due to a combination of Moshi and SnakeYaml
  • http4k-core : Fix to HttpEvent to use correct value in xUriTemplate instead of full path.
  • http4k-format-jackson-xml : Add autoBody for ConfigurableJacksonXml. H/T @oharaandrew314


  • http4k-* : Upgrade some dependency versions, including ForkHandles to
  • http4k-core : Fix to HttpEvent to use correct value in xUriTemplate instead of full path.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.6.10
  • http4k-incubator : Playing with TracerBullets... a generic interface for building TraceTrees from lists of MetadataEvents.


  • http4k-* : Upgrade some dependency versions.
  • http4k-testing-approval : Fix #679. Approval tests delete actual when passing.


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract : Added Servers to OpenApi renderer. H/T @zsambek and @MarcusDunn for making it happen.


  • http4k-core : Make timeouts configurable for Java8HttpClient.


  • http4k-* : [Careful] Upgrade some dependency versions, including Kotlin to 1.6.0.
  • http4k-* : [Breaking] Removal of all previously deprecated methods and types. To ensure you get the smoothest experience, please upgrade to v4.16.3.0 first, deal with the replacements and then upgrade to


  • http4k-* : Upgrade some dependency versions.
  • http4k-testing-approval : Check the content type after the content is checked.


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract : Support for top-level enums in schema.
  • http4k-contract : Support for enums in Header/Query/Paths. Finally!


  • http4k-* : Upgrade some dependency versions.
  • http4k-* : Upgrade build process to Kotlin. H/T @franckrasolo


  • http4k-contract : [Breaking] Added API-level tags to the contract rendering.
  • http4k-serverless-lambda : Fix encoding of body to work with gzip filter


  • http4k-contract : [Break] BearerAuthSecurity is now more typesafe when taking a lens.


  • http4k-serverless-lambda : More fixing of deserialisation of SNS events.


  • http4k-serverless-lambda : Fix deserialisation of SNS events.


  • http4k-contract : Fix #667 - Jackson annotations being missed in FieldRetrieval.
  • http4k-undertow : Server now handles HTTP requests gracefully when there is no HTTP handler set.


  • http4k-core : ChaoticHttpHandler is now even better behaved when chaos is not enabled and respects routing templates when applying.
  • http4k-core : Fix #665 - OpenAPI json is incorrect when multi string query lens with defaulted values is used. H/T @suyash192


  • http4k-core : ChaoticHttpHandler is now better behaved when chaos is not enabled.


  • http4k-core : Tidying up HttpEvents
  • http4k-graphql : [Break] Handle null variables in calls.


  • http4k-core : Added convenience HttpEvents


  • http4k-core : ServerFilter request tracing now reinstates previous trace on exit instead of clearing it.


  • http4k-core : Make MetadataEvent a data class.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Rename AsyncHttpClient to AsyncHttpHandler (deprecation).
  • http4k-contract : Fix #664 - Introduce OpenAPIJackson to not serialize nulls by default into OpenAPI specs. If you use your own Jackson instance, you can replicate this behaviour by using .setSerializationInclusion(NON_NULL) on your custom ObjectMapper implementation.


  • http4k-core : Reverse Proxy available in both routing and non-routing version. Use reverseProxy() or reverseProxyRouting() accordingly


  • http4k-core : Reverse Proxy router now falls back to URI host when Host header missing.


  • http4k-security-oauth : Nicer OAuth client filters.


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract : Fix #657 Use jackson to serialize enum models for OpenApi.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Fix TrafficFilters.RecordTo eating body stream when used on a server.


  • http4k-* : Fix #652 - AWS event format adapters have fields with wrong cases.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.5.30.
  • http4k-testing-chaos : [Break] Behaviour is now an abstract class instead of a typealias. Super simple to fix. :)


  • http4k-graphql : Fix - Downgrade graphql-java and fix Graphql reference example. contained an incompatible version of graphql-java for general use. H/T @razvn for spotting and fixing. :)


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-jackson : Fix #646 - Boolean field can escape lens check without throwing MissingKotlinParameterException.
  • http4k-aws : Set the query parameter to empty string if its value is null, instead of "null". H/T @raelg for the PR.
  • http4k-contract : [Possible (small) Break] Fix #644 - Lazy init contract without path params: Type mismatch. Contract routes with 0 parameters are now able to be constructed lazily - which has added (for consistency) a secondary to(fn: () -> HttpHandler) function to the construction DSL. This may cause overload ambiguity when routes are defined without the request input parameter. To fix, un-ambiguate your bindings! (eg. to { Response(OK) } becomes to { _ -> Response(OK) }). H/T @dbacinski for the investigation.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Fix #638 - Revert changes to make Uri incompatible with <J10. H/T @pwteneyck.


  • Mistakenly released version with wrong number of digits. Re-release for clarity


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract* : Spec Fix: OpenAPI2 cannot contain oneOf responses as is illegal in spec.
  • http4k-opentelemetry : [Unlikely Break] API changes and renames due to library API changes.


  • http4k-* : Upgrade some dependency versions.
  • http4k-security-digest* : [New module] H/T @oharaandrew314 for the contribution!


  • http4k-contract : Fix #626 - Non JSON bodies do not display examples.
  • http4k-* : Upgrade some dependency versions.


  • http4k-testing-chaos* : Added ChaoticHttpHandler to allow easy creation of HttpHandlers which have a Kotlin API for creating chaos.
  • http4k-format-moshi* : Fix to support marshalling of exceptions and added IsAnInstanceOfAdapter to capture
  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-testing-strikt : [New module] Matchers for Strikt assertion library.
  • http4k-core : no longer exposing UriTemplate.trimSlashes(). H/T @PaulienVa


  • http4k-* : Upgrade some dependency versions.
  • http4k-serverless-lambda : Functions can now be matched on a pattern instead of an exact match.


  • http4k-serverless-lambda-runtime : [New module] Sidestep the AWS Lambda Runtime with the super lightweight http4k version!


  • http4k-format-moshi : Fix Moshi to use nullsafe value adapters.


  • http4k-serverless-lambda : Move initialisation of Moshi into loading stage for AWS Lambda functions.


  • http4k-contract : Fix #622. DELETE requests not rendered with Body in OpenApi
  • http4k-serverless-lambda : Remove requirement for dependency on AWS Events JAR.
  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-serverless-* : Allow custom automarshallers to be used for marshalling events in FnLoader, FnHandler construction.
  • http4k-core : (re)fix Body behaviour for ByteBuffers shorter than the array they wrap. This was taken out due to: H/T (again) @npryce
  • http4k-server-jetty - Multi-frame websocket messages are handled in Jetty. H/T @endofhome


  • http4k-aws : Fix AWS request signing when using stream body.


  • http4k-core : Revert body buffer "fix".


  • http4k-serverless-* : Reworking of Serverless infrastructure to support calling Serverless Functions using automarshalled event classes. New concepts of FnHandler and FnLoader (analogues to existing HttpHandler and AppLoader). Docs and examples coming soon!
  • http4k-serverless-lambda* : Support for FnHandlers, with super lightweight unmarshalling of event classes via Moshi. Conversion of all AWS functions to use RequestStreamHandlers under the covers instead of slow marshalling via Jackson. New FnHandlers should extend AwsLambdaEventFunction for events, or the existing ApiGateway*Function classes for HTTP functions. Automarshalling support for the following AWS event types, extensible by providing own Moshi adapter:
    • DynamodbEvent
    • KinesisEvent
    • KinesisFirehoseEvent
    • S3Event
    • ScheduledEvent
    • SNSEvent
    • SQSEvent
  • http4k-serverless-alibaba : [Breaking] Support for FnHandlers. Old style HTTP Handlers should now extend AlibabaCloudHttpFunction. Event functions should extend AlibabaCloudEventFunction. Extensible automarshalling support for event types using Moshi.
  • http4k-serverless-gcf* : Support for FnHandlers. Old style HTTP Handlers should now extend GoogleCloudHttpFunction. Event functions should extend GoogleCloudEventFunction. Extensible automarshalling support for event types using Moshi.


  • http4k-* : Upgrade some dependency versions. Remove excess dependency on alibaba libraries which depend on vulnerable libs.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Fix Body behaviour for ByteBuffers shorter than the array they wrap. H/T @npryce


  • http4k-format-moshi : [Breaking] Add mappings for Map-type and List-like classes to use default serialisers. To get around this, create your own Moshi configuration, omitting the CollectionEdgeCasesAdapter
  • http4k-websocket-* : [Breaking] Added support for filters with WsFilter, which can be wrapped around a WsHandler or WsConsumer to decorate them with behaviour. This has involved changing WsHandler to always return a WsConsumer even if it doesn't match - in the case of a non-match, the socket is closed immediately.
  • http4k-sse-* : [Breaking] Added support for filters with SseFilter, which can be wrapped around a SseHandler or SseConsumer to decorate them with behaviour. This has involved changing SseHandler to always return a SseConsumer even if it doesn't match - in the case of a non-match, the socket is closed immediately.
  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Repackaging of non-core classes for SSE/WebSockets into new http4k-realtime-core module. No action required unless these classes are needed without an implementation.
  • http4k-core : Repackaging of non-core classes for Serverless into new http4k-serverless-core module. No action required unless these classes are needed without an implementation.


  • http4k-* : Upgrade some dependency versions.


  • http4k-security-oauth : Added adapter for AccessTokenResponse, meaning you don't need to import Kotlin Reflection JAR when using the OAuthServer


  • http4k-core : Fix #606 - SPA routers do not respond to OPTIONS requests.
  • http4k-security-oauth : Replace Jackson with Moshi. This has had the effect of removing any reflection from the module (and thus saving 2.5Mb of Kotlin-Reflection dependency). If you still need Jackson, then you need to manually add it as a dependency as it was probably missing from your dependency list! :)
  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.4.32 and Jetty to 11.
  • http4k-server-jetty : [Breaking] The upgrade to Jetty 11.0.X has resulted in some repackaged classes in the Jetty source, most notably the Servlet dependency is now based on jakarta.servlet.http.XXX classes instead of the standard javax.servlet package.
  • http4k-opentelemetry : [Breaking] API changes and renames due to library API changes.


  • http4k-core : Fix SunHttp not complaining if the entire request body is not consumed.


  • http4k-* : Upgrade some dependency versions
  • http4k-core : [Slight break] Hide identity of JavaHttpClient and made the . You should be using HttpHandler anyway... ;)
  • http4k-core : Fix #598 - Silent exception on 204 with SunHttp. H/T @ToastShaman
  • http4k-core : Fix #594 - Conditional filter. H/T @jainsahab


  • http4k-* : Upgrade some dependency versions
  • http4k-format-* : Add support for reading inputstreams directly in all automarshaller implementations


  • http4k-* : Upgrade some dependency versions
  • http4k-serverless-lambda : Introduce ApiGatewayRestLambdaFunction to be used with REST Api Gateways


  • http4k-aws : Add x-amz-content-sha256 to SignedHeaders (required for on-premise s3). H/T @tkint


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.4.31
  • http4k-opentelemetry : [Break] OpenTelemetry has hit V1.0, so integrated API changes into filters for collecting data.
  • http4k-format-core : [Break/Repackage] Format value() extension functions are now packaged properly.
  • http4k-server-jetty : We have been alerted to some runtime changes around how Jetty parses paths containing . or /. Workaround is to use HttpConfiguration.httpCompliance = HttpCompliance.RFC7230_LEGACY, but this is marked as legacy and will be deprecated sooner or later. See details at:
  • http4k-format-moshi : Moshi now supports AutoMarshallingEvents out of the box.


  • http4k-* : Disable publishing of gradle module metadata files to Maven Central.


  • http4k-* : Define groupId for all modules so release to Maven Central can use the value from root.


  • http4k-* : Filter out irrelevant root artifact. Maven Central is very very annoying.


  • http4k-* : Fix artefact signing for maven central.


  • http4k-* : Upgrade some dependency versions
  • http4k-core : [New module] Add WebJars support. Activate WebJars with 1LOC!


  • http4k-bom : Fix #588 - Maven Central version of BOM is empty


  • http4k-contract : Support Array of parameters in OpenApi2/3 specs.
  • http4k-template-freemarker : Improvements to configuration of engine.
  • http4k-* : Upgrade some dependency versions


  • http4k-core : Introduce RequestWithRoute and ResponseWithRoute to allow extending messages post-routing. H/T @jenarros


  • http4k-core : Fix "and" logic when mixing handler + request routers.
  • http4k-core : Extend #580 fix to cover absolute paths.


  • http4k-core : Fix #580 - ResourceLoader.Directory can load resources outside of root directory.
  • http4k-core : Added values4k extensions for Lenses.
  • http4k-cloudevents : Jackson is now bundled with the JAR.


  • http4k-* : Upgrade some dependency versions
  • http4k-cloudevents : [New module] Support for CloudEvents using Jackson and pluggable event formats.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.4.30
  • http4k-core : Removing dependency on JCenter for all compile dependencies.
  • http4k-core : Add ETag filter. H/T @jshiell
  • http4k-core : Add more useful filters for request/respons


  • http4k-server-undertow : Add WebSocket and SSE support to Undertow.
  • http4k-core : [Breaking] Related to above, WsHandler is now PolyHandler. The old type has been deprecated, but only API users who are implementing their own handlers may notice.


  • (empty release for testing our automated release process)


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Added view support for WebSocket messages.


  • http4k-core : Fix cookie parsing for systems using non-English locale. H/T @dzappold for spotting it.


  • http4k-core : RequestTracing should add a new parent_id even if a previous one wasn't previously set.


  • http4k-* : Upgrade some dependency versions.


  • http4k-core : [Breaking] Remove previously deprecated AutoJsonEvents which was mistakenly left in the release.
  • http4k-core : Strip body of GET request in 303 (See Other) redirections in FollowRedirects. H/T @dgliosca
  • http4k-core : Fix behaviour of FollowRedirects for in-memory routed handlers.
  • http4k-* : Upgrade some dependency versions.


  • New versioning scheme! See announcement for details.
  • http4k-* : Remove all previous deprecations from all modules. To upgrade cleanly, follow the simple instructions in the announcement
  • http4k-* : Upgrade some dependency versions.
  • http4k-testing-webdriver : [Breaking] Upgrade of APIs to match new v4 Selenium APIs. It is quite safe to continue to use previous versions of the http4k-testing-webdriver JAR if you are unable to upgrade immediately. The API is reasonably the same, but some of the imports have changed. The main one is that instead of importing org.openqa.selenium.By you should import org.http4k.webdriver.By, which is the new custom implementation.
  • http4k-core : Replace hostDemux() with reverseProxy().


  • http4k-testing-servirtium : Fixed #553 - Servirtium storage fix for multi-line bodies.
  • http4k-security-oauth : Fixed #552 - AccessTokenFetcher initializes all AccessToken fields. H/T @paraseba


  • http4k-format-moshi : Undo change relating to reading Moshi body lenses from HTTP message streams.


  • http4k-* : Upgrade some dependency versions, including Jetty to v10.
  • http4k-server-jetty : [Unlikely API break] Caused by Jetty API change.
  • http4k-core : Renamed AutoJsonEvents to AutoMarshallingEvents
  • http4k-serverless-lambda : [Unlikely API break] Remove dependency on AWS Events JAR. We now use a Map instead. This will only affect you if you needed access to the raw ApiGateway events.


  • http4k-* : Upgrade some dependency versions.
  • http4k-testing-servirtium : ServirtiumServer now only changes the base Url of proxied requests instead of the entire path.


  • http4k-core : Fix handling of null status descriptions. H/T @Hakky54 for report and fix.
  • http4k-contract : Fix #536 (again) - Path encoding fixed using lens. H/T @usand for the report and sticking with it!


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Fix #536 - Path encoding fixed using lens.
  • http4k-core : Support multiple, nested RequestContexts.
  • http4k-format-moshi : Add support for (de)serialising Unit.
  • http4k-security-oauth : Ability to provide custom RedirectionUriBuilder for non-JWT cases.
  • http4k-testing-chaos : Ability to name Chaos API in OpenApi document.
  • http4k-opentelemetry : Breaking (dependency change) Upgrade to new 0.12.0 of OpenTelemetry Java API has caused some API changes.
  • http4k-format-jackson : Breaking (dependency change) Upgrade to new version of Jackson. PropertyNamingStrategies will need to be replaced as old one could cause deadlock:
  • http4k-format-jackson-xml : Breaking We recommend that users of this lib DO NOT UPGRADE to this release due to open bug with nullable fields. See: . There is a workaround which is to add default values into the nullable fields in your DTO classes. eg.

```kotlin
data class MyDto(val field: String? = null)
```


  • http4k-serverless-* : Tidy implementations to be consistent.
  • http4k-testing-webdriver-* : Fixed radio buttons submitting even when not selected.


  • http4k-* : Upgrade some dependency versions.
  • http4k-* : Rework build to use refreshSrcVersions. Massive thanks to @jmfayard
  • http4k-serverless-lambda* : Fix cookie handling in V2 Lambda adapter.


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-klaxon : New format module for the lightweight Kotlin JSON library.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.4.20
  • http4k-core : Adding routing description to RouterMatch. Simplify Routing logic to remove duplication.
  • http4k-core : [Breaking from Java] Improved API for Java clients for Request and Response. To fix, just replace Request.Companion.create() with Request.create()
  • http4k-format-* : Add ability to override content type for auto-marshalling for JSON.
  • http4k-aws-* : Fix AwsSdkClient to correctly pass body.


  • http4k-security-oauth [Breaking]: extend OAuthPersistence.assignToken to receive an optional IdToken.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Fix routing when it doesn't match both method and path.


  • http4k-graphql : [New module] Adds integration with GraphQL-Java and the ability to serve/consume GQL using the standard routing patterns.


  • http4k-core : Reimplemented core routing logic to be fully based on Routers. It is now possible to nest arbitrary levels of request matching in a mix-and-match way. And it's ace. :)
  • http4k-* : Pulled out a set of core modules for the various module types (format, template). This has shrunk the core module by ~10% in size


  • http4k-* : Upgrade some dependency versions.
  • http4k-format-kotlinx-serialization : Now supports Automarshalling. H/T @zsambek for the PR.
  • http4k-core : Added Markdown to static Mime-types. H/T @razvn for the PR.
  • http4k-security-oauth [Breaking]: Don't store the original call that required authentication in the state, as it runs the risk of being used in an open-redirector phishing attack. Instead, it is stored as a value in the OAuth persistence and retrieved on successful requests. H/T @tom


  • http4k-* : Upgrade some dependency versions.
  • http4k-core [Small break]: Rework of ParameterMatch to consolidate with RouterMatch as they are kind of the same thing. ParameterMatch methods are now floating extensions instead, so just import them.
  • http4k-metrics-micrometer : Remove logging spam. H/T @NersesAM for tracking it down!


  • http4k-* : Upgrade some dependency versions.
  • http4k-opentelemetry : New module for integrating with OpenTelemetry platforms.


  • http4k-* : Upgrade some dependency versions.
  • http4k-serverless-azure : New serverless module for Azure Functions!


  • http4k-* : Upgrade some dependency versions.
  • http4k-serverless-alibaba : New serverless module for Alibaba Function Compute!
  • http4k-serverless-tencent : New serverless module for Tencent Serverless Cloud Functions!


  • http4k-contract : Fix #502 - OPTIONS requests not honoured for requests with body
  • http4k-contract : Support for JavaBeans in OpenAPI descriptions.


  • http4k-core : Add Parameter Match routing, so you can match on presence of parameters in a request
  • http4k-testing-kotest: Re-add kotest matcher as is fixed in underlying kotest lib.


  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Add CustomBasicAuth and ProxyBasicAuth filters. H/T @raymanoz for the PR
  • http4k-core : Implemented OriginPolicy for CORS. H/T @kratostaine for the PR
  • http4k-server-netty : Websocket support added. H/T @carbotaniuman for the PR


  • http4k-* : Upgrade some dependency versions.
  • [http4k-security-oauth] [Break (via repackaging of dependent JAR)] - Result4k changed published package structure. Changes made to accommodate new package dev.forkhandles.result4k instead of com.natpryce. To fix, simply find/replace the package names - everything else is identical.
  • http4k-serverless-lambda : Work around various inconsistencies between the APIGateway V1 and V2.
  • http4k-core : Lenses can now be restricted to inject/extract types. This has an effect on BodyLenses which can be tied to Request/Response.


  • http4k-* : Upgrade some dependency versions.
  • http4k-serverless-lambda : Support for ApiGateway V1 & v2 and AppLoadBalancer requests. Just extend the correct class. Converted functions to use the official AWS RequestHandler interfaces (which means that you can refer to just the name of the class when deploying lambda instead of handle())


  • http4k-* : Upgrade some dependency versions.
  • http4k-cloudnative : Add support for loading config files and YAML files into Environments.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.4.10
  • http4k-* : Take advantage of Kotlin Functional Interfaces, including for Filter. Breaking change to creation of Filters from Java code only, as they can just be lambdas eg. Filter filter = next -> req -> next.invoke(req.header("foo", "bar"));
  • http4k-testing-kotest - Possible Break: DUE TO KOTLIN 1.4.10. Remove a haveBody matcher which uses Matcher<JsonNode> directly, because of a bug in Kotest:
  • http4k-format-jackson - Possible Break: DUE TO KOTLIN 1.4.10. Inline classes do not deserialise properly. See:


  • http4k-* : Upgrade some dependency versions.
  • http4k-* : Remove some example code which was mistakenly added to some main src dirs. No impact on anything other than JAR size.
  • http4k-aws* : Add pluggable Amazon SDK client, allowing you to plug an HttpHandler into the Amazon SDK.


  • http4k-* : Upgrade some dependency versions.
  • http4k-*, Unlikely break : Added some nicer naming and examples for when people are calling http4k via Java code.
  • http4k-core : Fixed SunHttp server backend not setting content length, and hence responses are always chunked.


  • http4k-* : Upgrade some dependency versions.
  • http4k-server-netty : Fix #141 Http4k-netty performs really badly on all benchmarks. Massive H/T adam-arold!
  • http4k-server-ratpack : Tweak to SO_BACKLOG size (1000).


  • http4k-testing-kotest : [New module] A set of matchers for use with the kotest library. H/T @nlochschmidt for the PR.
  • http4k-* : Upgrade some dependency versions.


  • http4k-serverless-* : Making the Serverless APIs consistent between flavours by ensuring that all Serverless functions act by class extension and not reflection based approach. Deprecated old approach. Hopefully this is simpler.. :)


  • http4k-core : Fix #470. Path.of cannot decode path parameter values containing %/


  • http4k-security-oauth : Add ability to handle form encoded responses in OAuth responses.


  • http4k-* : Upgrade some dependency versions.
  • http4k-*, Breaking (if you're not using it right!) : Fixed up Maven dependencies so that they are not exporting compileOnly libraries into POMs.
  • http4k-security-oauth : Remove "user" from default list of GitHub scopes as it gives you write access to the profile. New default is empty (just public data).
  • http4k-core : Improve defaults of SunHttp server. H/T @nlochschmidt for the PR.
  • http4k-contract : Add description to OpenApi schema fields using Jackson annotations. H/T @env0der for the PR.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Added hostDemux() routing for when you want to select an HttpHandler based on the Host header.


  • http4k-core : Replaced implementation of JavaHttpClient with one from Java standard library. Should you not yet have access to the Java 11 SDK, we renamed the old implementation to Java8HttpClient. Note that some headers that are added by default by the old Java8 implementation will no longer be added.
  • http4k-core, Breaking : Change Body.binary() lens to use an InputStream instead of a raw Body. To fix, just provide the InputStream by calling or similar.
  • http4k-client-websocket, Unlikely break : Allow API users to pass in their own Draft object for custom protocols. If broken, simple fix is to just use named arguments in the construction call to the client.
  • http4k-* : Upgrade some dependency versions.


  • http4k-server-apache, http4k-client-apache, http4k-client-apache-async, Breaking : Updated to Apache HTTP 5.X.X. H/T to @jshiell. Note that the underlying Apache APIs have changed in the v5 release. For the clients, this should only break if you have customised the underlying HTTP CloseableHttpClient that is passed to the constructor of the http4k client. If you have, we have you covered with....
  • http4k-server-apache4, http4k-client-apache4, http4k-client-apache4-async : New modules to maintain previous integration with Apache HTTP 4.X.X. Intended to reduce the impact on projects that are not ready to move to v5 yet. In these compatibility modules, renamed ApacheClient -> Apache4Client and ApacheAsyncClient to Apache4AsyncClient - which is the only change that should be required in end user code.
  • http4k-serverless-openwhisk : Fixes to support binary content types and overcome issues with the request/response format of the OW Java runtime.
  • http4k-core : Added some Filters for base64 encoding and decoding responses.
  • http4k-* : Upgrade some dependency versions.


  • http4k-core : Added support for multiple "cookie" headers. H/T @jshiell
  • http4k-serverless-openwhisk : New serverless module!
  • http4k-serverless-*, Breaking : Repackage some functions to org.http4k.serverless package. Just change the package names to fix.


  • http4k-core : Add Request.source to provide extra information about the request origin (address/port/scheme). H/T @kam1sh and @jshiell for the contributions.
  • http4k-security-oauth : Add OAuth provider configuration for Facebook. H/T @knyttl for the PR.
  • http4k-server-netty : Implement KeepAlive. H/T @carbotaniuman for the PR.
  • http4k-bom : New Bill-Of-Materials module!
  • http4k-* : Upgrade some dependency versions.


  • http4k-* : Upgrade some dependency versions.
  • http4k-server-netty : Add support for response streaming. H/T @carbotaniuman for the PR.
  • http4k-serverless-gcf : New serverless module! H/T @ssijak for the PR.


  • http4k-server-ratpack : New backend module!
  • http4k-format-jackson-yaml : [New module]
  • http4k-* : Upgrade some dependency versions.
  • http4k-cloudnative : Fix #418 - Fix separator propagation when adding values to an existing MapEnvironment. H/T @jshiell
  • http4k-contract : Add support for securing the API description endpoint. H/T @goodhoko for the PR.
  • http4k-client-websocket : Added auto-reconnection support on blocking WsClient. H/T @alphaho for the PR.
  • http4k-format-* : Rename/deprecate asXYZString(Any) -> asFormatString(Any) in all modules


  • http4k-server-ktornetty : New backend module! H/T @albertlatacz for the contribution!
  • http4k-* : Upgrade some dependency versions.
  • http4k-security-oauth : Fix #414 BasicAuth server filter to not throw an exception on invalid base64 input. H/T @Sebruck for the fix.


  • http4k-* : Upgrade some dependency versions.
  • http4k-template-pebble : Fix #411 - Non-root pebble templates when using CachingClasspath from a compiled JAR. H/T @alyphen


  • http4k-server-ktorcio : Fix #410 - KtorCIO does not stop properly.


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : Factored out Http4kServletAdapter to allow usage of the Servlet API outside of creating a Servlet instance.
  • http4k-*, Breaking (prevent API abuse) : Restricted generic with() method to actual http4k types. Usage outside our API should not use this method.
  • http4k-contract : Fix #404 - Rework of some FieldRetrieval classes to remove duplication and to support PropertyNamingStrategies set at the global level


  • http4k-* : Upgrade some dependency versions.
  • http4k-*, Breaking (if you're not using it right!) : Fix #397 - Fixed up Maven dependencies so that they are not bringing in runtime libraries.
  • http4k-core : Add enum StringBiDiMapping #395 - H/T @goodhoko


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.3.72.
  • http4k-security-oauth : A strategy can now be passed into AuthRequestWithRequestAuthRequestExtractor to determine how to combine AuthRequest and RequestObject H/T @tom


  • http4k-* : Upgrade some dependency versions.
  • http4k-testing-servirtium : Improve error diagnostics. H/T @vchekan for the PR.
  • http4k-*, Unlikely Break : Change Router to return RouterMatch instead of nullable HttpHandler. This allows us to support METHOD_NOT_ALLOWED (405) if we match a path but not a verb instead of just NOT_FOUND (404). This should break custom ro H/T @jshiell for the PR.


  • http4k-security-oauth, Breaking : client_id along with the corresponding TokenRequest is passed into access and refresh token generators so additional validation can take place H/T @tom


  • http4k-* : Upgrade Kotlin to 1.3.71.
  • http4k-testing-servirtium : Switch OkHttp client for Apache.
  • http4k-server-jetty : Made some classes non-internal so they can be easily reused for custom ServerConfig implementations.


  • http4k-client-websocket, Breaking : Added extra onError handler when creating a non-blocking websocket.
  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.3.70.


  • http4k-security-oauth : Early work on supporting refresh tokens. H/T @tom


  • http4k-core : Fix #377. Added replaceHeaders() method. Thanks to @bastman for the idea.
  • http4k-contract : Fix nullability of references in OpenApi3


  • http4k-testing-servirtium : Don't pass recording handler into non-test methods as a resolved parameter.


  • http4k-testing-chaos, Break/Rename : ChaosEngine is now exposed when configuring API. Renamed withChaosEngine() to withChaosApi(), replaced toggle() and update() with enable()/disable()


  • http4k-testing-chaos, Break : Tweaked API to make it simpler to use the ChaosEngine programmatically (as opposed to via REST).
  • http4k-testing-servirtium, Tiny break : Tweaks to InteractionOptions to make working with Servirtium tests a bit nicer.


  • http4k-testing-servirtium : Upgrade ServirtiumServer to use OkHttp instead of JavaHttpClient (due to streaming restrictions on MiTM).
  • http4k-testing-servirtium, Break : Rename Github to GitHub.


  • http4k-format-kotlinx-serialization : New JSON module! H/T @joscha-alisch for the PR. :)
  • http4k-testing-servirtium : Work around Kotlin @JvmOverloads problem in ServirtiumServer.
  • http4k-* : Upgrade some dependency versions.


  • http4k-testing-servirtium : Making API a bit more Java-compatible friendly. Ability to vary the Server implementation.
  • http4k-server-jetty : Fix #362 - Websocket disconnect early causes lateinit reference race condition. H/T @fintara for the report/fix.


  • http4k-aws : Improved efficiency of building AWS credentials (replace String.format).
  • http4k-testing-servirtium : Making API a bit more Java-compatible friendly.
  • http4k-* : Upgrade some dependency versions.


  • http4k-security-oauth : Allowing for custom authenticate methods when fetching access tokens H/T @tom


  • http4k-testing-servirtium, Breaking : API is still in beta, so moving to a more composed approach which will increase reuse and allow for running Servirtium infra without a dependency on http4k or Junit. Added loading from GitHub. :)
  • http4k-security-oauth, Breaking : Audience on request object is now a list to support multiple audiences. H/T @tom
  • http4k-security-oauth : Nonce is now also passed through on RequestJwts, so it can be added to request jwts. H/T @tom


  • http4k-core : Implement #340. Support SameSite cookies. H/T @danielwellman for the contribution.
  • http4k-format-jackson : Made JacksonJsonPropertyAnnotated Kotlin 1.4 safe (call to superclass might return null). H/T @pyos for spotting this.


  • http4k-testing-servirtium : Moved Servirtium code to new module - was previously http4k-incubator.


  • http4k-incubator : Rewrote Servirtium code to support manipulations.


  • http4k-security-oauth : Fix issue where AuthRequestWithRequestAuthRequestExtractor doesn't take into account scopes not being nullable correctly. H/T @tom


  • http4k-security-oauth : Adding expiry to RequestObject. H/T @tom
  • http4k-security-oauth : Fixing issue where extracting RequestObject from a jwt fails due to unknown fields. H/T @tom


  • http4k-security-oauth, Breaking : Error responses in the authorise endpoint now take into account values from the request parameter, this will require a validator for that jwt be implemented. H/T @tom
  • http4k-security-oauth, Breaking : State is now its own type, and not just a string, so it can be validated. H/T @tom
  • http4k-security-oauth, Breaking : redirectUri on AuthRequest is now nullable as it might come on a request jwt; it is validated to always be present downstream. H/T @tom
  • http4k-security-oauth : Allow parsing of request jwt. H/T @tom
  • http4k-security-oauth : Adding RequestObject to AuthRequest. H/T @tom
  • http4k-security-oauth : Adding AuthRequestWithRequestAuthRequestExtractor that will extract the request from the jwt, assuming the validator is implemented which can be used instead of just using AuthRequestFromQueryParameters if support for parsing a request jwt is required. H/T @tom


  • http4k-*, Unlikely break from Java only : Make all custom http4k exceptions extend RuntimeException. This helps with Java compatibility so things like LensFailure inside Java Lambdas don't require catching (as they are caught/dealt with by other bits of http4k automatically)


  • http4k-moshi, Behaviour break : Fix #353 Don't fail by default on unknown properties. This is the expected default behaviour for all JSON implementations. H/T cnusp for the report.


  • http4k-incubator : Next iteration of Servirtium JUnit extensions. Improved API to support multiple storage engines.


  • http4k-incubator : Next iteration of Servirtium JUnit extensions. Correct indexing of interactions.
  • http4k-security-oauth : Authorisation rendering will now take into account 'response_mode' of either query or fragment in responses and no longer just use the default for the 'response_type'. H/T @tom
  • http4k-security-oauth, Breaking : Error responses in the authorise endpoint will actually redirect back to 'redirect_uri' assuming the validator correctly validates both the 'client_id' and 'redirect_uri' to be valid. H/T @tom


  • http4k-* : Upgrade some dependency versions.
  • http4k-incubator : Next iteration of Servirtium JUnit extensions. Only check content which is in the contract when replaying.


  • http4k-core, Breaking : Removed clashing Events then() from deprecated (meaning it cannot be used as there is also another then() in that package). Use the one in instead.
  • http4k-security-oauth : Adding nonce to AuthorizationCodeDetails H/T @tom


  • http4k-core : GZip client filters now send correct accept-encoding header. @jshiell
  • http4k-core : New AcceptGZip client filter allows handling of remote GZip without compressing client requests. @jshiell


  • http4k-core : Fix #344 - Streaming GZip encoder loses data. H/T @jshiell


  • http4k-security-oauth : Fixing wrong AuthRequestExtractor passed to AuthRequestTrackingFilter. H/T @tom


  • http4k-security-oauth : Allowing additional properties to be stored on auth request, if using additional extractors. H/T @tom


  • http4k-core : Fixes for #338 - Gzip filters send content-encoding of gzip even when body is empty. H/T @jshiell
  • http4k-security-oauth, Break : OIDC callback urls using the ResponseType 'code id_token' will now have the parameters returned as a fragment, not a query, as per the OpenID Connect Core 1.0 spec. H/T @tom
  • http4k-security-oauth, Break : Initial support of nonce in OIDC requests H/T @tom


  • http4k-core : Support for GZipping response streams. H/T @jshiell
  • http4k-security-oauth : Adding expires_in to token endpoint response. H/T @tom


  • http4k-* : Added Status to auto-marshalling JSON mappings.
  • http4k-security-oauth : Adding token_type to token endpoint response, and strip out nulls in response. H/T @tom


  • http4k-* : Upgrade some dependency versions.
  • http4k-core : PR #333. Copy zipkin traces across threads. H/T @jshiell for the PR.
  • http4k-testing-approval : Close Readers when reading from them.
  • http4k-incubator : Next iteration of Servirtium JUnit extensions for recording and replaying.


  • http4k-* : Upgrade some dependency versions
  • http4k-incubator : Added first cut of Servirtium classes for recording and replaying traffic. Needs validating in the wild
  • http4k-format-jackson : Fix #320. http4k-format-jackson incompatible with jackson-module-kotlin 2.10.1


  • http4k-* : Upgrade some dependency versions.
  • http4k-contract : Fix #323. Doc generation does not work with multipart lenses.
  • http4k-format-jackson : Fix #313. Jackson serialization is not working properly with polymorphic types stored in a collection. H/T @alphaho for the PR :)
  • http4k-core, Break : Renamed value on ParamMeta to description.


  • http4k-* : Upgrade some dependency versions, including Kotlin to 1.3.61
  • http4k-security-oauth : Allow setting scopes on AccessToken creation so they are set on the response. H/T @tom


  • http4k-core, http4k-aws : Increase efficiency of Hex implementation for trace ids and HMAC. H/T @time4tea
  • http4k-cloudnative : Reimplemented Environment to be more efficient. H/T @time4tea for noticing this.


  • http4k-security-oauth : On generating tokens allowing for the client id to be based on the result of validation rather than just the form parameters of the request. To support client assertions. H/T @tom


  • http4k-security-oauth : Adding new errors to support issues with client assertions. H/T @tom


  • http4k-security-oauth : Allowing a scope to be set on AccessToken. Allowing for more low level validation of Authorise and Token Requests, by implementing and respectively. H/T @tom


  • http4k-contract : Support multiple request bodies in OpenApi v3


  • http4k-format-jackson : Fix #313 Part 2 - Revert default behaviour for collections of polymorphic types, but is now overridable by using autoBody() instead of auto(). Reopened #313.


  • http4k-format-jackson, Breaking : Fix #313 - ConfigurableJackson.autoBody implementation would not work with collections of polymorphic types. This fix has the effect of blowing up auto-json behaviour when classes are defined inside functions (causing nasty java.lang.reflect.GenericSignatureFormatError: Signature Parse error exceptions). To remedy, just move inlined classes outside of the functions that they are defined in. H/T @alphaho for the PR.
  • http4k-* : Update some dependency versions


  • http4k-core, Breaking : Reworking of ContentType to support multiple directives. directive field is now directives, so just add the extra 's' to fix :)
  • http4k-security-oauth : Moar options on OAuthProviderConfig. H/T @tom


  • http4k-* : Update some dependency versions, including Kotlin to 1.3.60.
  • http4k-core : Make Query value optional when setting on a Request.
  • http4k-core, Breaking : Fix #316. Optional Query lens handling is more accurate. See issue for details of change in behaviour.


  • http4k-* : Update some dependency versions.
  • http4k-format-jackson, http4k-format-gson : Add support for auto marshalling Throwable in a sensible way.
  • http4k-cloudnative : Renamed badly named UpstreamRequestFailed to RemoteRequestFailed. Improved error handling.


  • http4k-cloudnative : Fix adding value to overridden environment when using set(). H/T @jippeholwerda for the PR


  • http4k-security-oauth : Tweak to handle Content-Type comparisons (with and without directive). H/T @jippeholwerda for the PR
  • http4k-multipart, Breaking : Added support for setting custom headers in Multipart form fields and files. This has removed the String as the default field type (it is now MultipartFormField). Calls to create lenses using MultipartFormField will now require MultipartFormField.string() instead.


  • http4k-contract : Useful tweaks to the contracts API


  • http4k-cloudnative : Fix #304 - map get() does not respect fallback values in overridden environment.


  • http4k-contract : Marking endpoints as deprecated in OpenApi3


  • http4k-template-jade4j : [New module] H/T @RichyHBM for the contribution! :)


  • http4k-contract : Better support for overriding of raw map definition id in JSON schema generation


  • http4k-core : Added method to (immutably) modify status on Response. H/T @brandon-atkinson for the suggestion
  • http4k-core : Added composite object support to lens system, allowing creation of simple lenses which draw from several different values (of the same location only - e.g Query/EnvironmentKey)
  • http4k-contract : Support for overriding the entity definition id in JSON schema generation
  • http4k-* : Update some dependency versions.


  • http4k-server-netty : Fix reported port in Netty. H/T @fantayeneh for the PR :)
  • http4k-security-oauth : Add validateScopes() to ClientValidator. H/T @tom


  • http4k-contract : Support multiple-response models in OpenApi2 and 3. Note that this currently is unsupported in the OpenApi UI due to a bug (which doesn't display the schema for the response correctly). However, the JSON schema is generated correctly in these cases.
  • http4k-* : Update some dependency versions.


  • http4k-* : Update some dependency versions, and changes to various APIs involved (Jackson and Resilience4J)
  • http4k-core : Add YearMonth support to standard JSON mappings
  • http4k-format-jackson, http4k-format-gson, Possible break : Moved reified NODE.asA() method from JsonLibAutoMarshallingJson down onto the instances of the Json (ConfigurableJackson/ConfigurableGson). This is so that we can handle generified classes such as lists and maps correctly. (As per the problems fixed in 3.181.0)


  • http4k-core : Rollback a couple of places which were using Java9+ APIs (for no good reason).


  • http4k-contract : Improvements to rendering enums as their own objects in JSON Schema.


  • http4k-contract : Add Cookies options to contract DSL


  • http4k-serverless-lambda : Add ability to access Lambda context. H/T @ivoanjo for the PR.
  • http4k-contract : Fix rendering of OrSecurity when there are more than 2 parts.


  • http4k-core : Rename EventsFilter to EventFilter because sanity.
  • http4k-format-jackson, http4k-format-gson : Reintroduce autoBody() method


  • http4k-core : Added base events implementations for StructuredLogging.
  • http4k-core, Repackage : Events classes are now in
  • http4k-core, Breaking : EventCategory is no longer a field of Event. To fix, just remove override from your Event classes.
  • http4k-format-jackson, http4k-format-gson : Fixed problem when attempting to deserialise generic Lists.


  • http4k-* : Update various dependencies.
  • http4k-testing-hamkrest : Improve messages of Hamkrest matchers. H/T @albertlatacz
  • http4k-cloudnative : Fix #291 - Readiness check result when there are > 2 checks may not report the correct result. H/T @alfi
  • http4k-security-oauth, Possibly breaking : Making client_secret optional in AuthorizationCodeAccessTokenRequest to support non client_secret flows. H/T @tom


  • http4k-client-okhttp : Include status description in Response object.


  • http4k-contract : Added OpenApiExtension interface, which allows the definition of extensions that will modify the OpenApi specification JSON. H/T @rgladwell for the inspiration.
  • http4k-contract : Support composite security models using or() and and(). Once again, H/T @rgladwell :)


  • http4k-security-oauth, Possibly breaking : Request is passed as a parameter to the ClientValidator. Just pass it in! :) H/T @tom
  • http4k-contract, Behaviour change : When specified, individual route security now replaces global security (this is as the security model in the OpenApi spec is specified) as opposed to both being applied.


  • http4k-security-oauth, Possibly breaking : More support for OIDC, adding state to AuthorizationCodeDetails, and passing it into createForAccessToken on IdTokens. H/T @tom


  • http4k-security-oauth : More support for OIDC. H/T @tom


  • http4k-* : Update various dependencies, including Kotlin to 1.3.50.
  • http4k-security-oauth : Some support for OIDC. H/T @tom


  • http4k-* : Update various dependencies, including Jackson for a CVE.


  • http4k-core : Fix #273 - parentSpanId trace incorrectly populated when no previous traces
  • http4k-contract, Unlikely Break : Remodelled how Security is rendered, so it's possible that this may break slightly for customer implementations
  • http4k-contract : Added support for Implicit OAuth flow, with support for custom googleCloudEndpoints Security. H/T @rgladwell


  • http4k-core : Added uni-directional serialization/deserialization options to JSON lib auto-conversion configuration.


  • http4k-core, Break (mitigation) : Replaced default resource loader location for singlePageApp() to /public instead of root - this is for safety of NOT serving the root of the classpath by default.


  • http4k-core : Add a warning when static() is used with no package path, thus exposing the contents of the classpath remotely.


  • http4k-* : Update various dependencies.


  • http4k-contract : Collect LensFailure causes into a single place when validating.


  • http4k-contract, Possibly Break : Open out ErrorResponseRenderer interface to take LensFailure instead of the individual failures when rendering badResponse(). To fix, simply wrap the list of failures into a LensFailure.


  • http4k-core : Tweak singlePageApp() routing handler, to correctly apply filters when fallback page is used.


  • http4k-core : Added singlePageApp() routing handler, which matches both static content or falls back to the root path index file


  • http4k-contract : Fix invalid OpenApi2 when root and base path match. H/T @rgladwell
  • http4k-contract : ContractRoute is now an HttpHandler, so no need to wrap contract routes in a contract {} to test them. H/T @rgladwell for the inspiration.
  • http4k-contract : Support Host/baseUri values in OpenApi2. H/T @rgladwell
  • http4k-contract : Optionally add description route to route list H/T @rgladwell


  • http4k-* : Update various dependencies, including Kotlin to 1.3.41.
  • http4k-testing-approval : Upgrade of HTML library from above may have an effect on output of HTML approval tests.
  • http4k-contract : Support for more Jackson annotations in JSON Schema rendering. H/T @tom for the PR contributing this.


  • http4k-testing-chaos : Add detail to Chaos OpenApi interface.


  • http4k-testing-chaos : Add detail to Chaos OpenApi interface.


  • http4k-cloudnative : Added Forbidden request exception to HandleUpstreamRequestFailed.


  • http4k-testing-chaos : Countdown chaos trigger fixed.


  • http4k-testing-chaos : Slight fix to avoid consuming stream body when setting chaos.


  • http4k-* : Update various dependencies.
  • http4k-client-okhttp : Updated OkHttp to v4.0.0 (Kotlin edition).
  • http4k-contract : Tweak to JSON Schema rendering to handle recursive objects better.


  • http4k-server-netty : Fix #260 - cannot set multiple response headers with same name
  • http4k-server-undertow : Fix #260 - cannot set multiple response headers with same name


  • http4k-contract : POSSIBLE BEHAVIOUR CHANGE DUE TO BUG: Fix #259 - Contract blocks do not produce 400s if an external CatchAll is provided. This may have an effect on how errors are generated (a 400 is produced instead of the previous 500 from the CatchAll).


  • http4k-security-oauth : Fix broken deprecation annotation.


  • http4k-security-oauth : Default to JSON format response in Access Token response
  • http4k-security-oauth : Renamed a couple of classes (AccessTokenContainer -> AccessToken), and removed isValid method from AuthorizationCodes because it doesn't make sense for this to be on the OAuthServer.


  • http4k-* : Update Kotlin to 1.3.40
  • http4k-contract : Support OAuthSecurity renderer.


  • http4k-* : Update various dependencies.
  • http4k-* : Dokka improvements. Does not mitigate #196 as we run the main build on OpenJdk11. H/T @ivoanjo


  • DO NOT USE - broken


  • DO NOT USE - broken


  • http4k-multipart : Made the multipart header parser case-insensitive. H/T @tenniscp25


  • http4k-contract : Add SchemaModelNamer to allow for custom JSON Schema model names.


  • http4k-contract : OperationIds are generated without illegal characters {}.


  • http4k-contract : Support non-string keys for "text convertible" values in maps for Auto-schema generation.


  • http4k-contract : Fixed Auto-schema generation to detect and remove duplicate items from list schemas.


  • http4k-security-oauth : Make authentication mechanism for grant types configurable.


  • http4k-security-oauth : Initial support for client_credentials grant type.


  • http4k-contract : Jackson property searching in OpenApi3 now searches superclasses.


  • http4k-contract : Support custom JsonProperty annotation for OpenApi3 generation
  • http4k-cloudnative : New exception type for unauthorised. H/T @tom


  • http4k-contract : Fix #228 - Support Map-based fields in OpenApi 3 Auto-schema generation as additionalProperties. H/T @noahbetzen-wk for the idea.


  • http4k-contract : Reimplement Auto-schema generation using reflection. Added test cases to use the OpenApi generator to create valid code-based OpenApi clients using the OpenApi generator.
  • http4k-format-jackson : Removed reflective JSON schema creator, since it was not actually OA3 compliant.


  • http4k-* : Update various dependencies.
  • http4k-contract : Improvements to better adhere to OA3 spec.
  • http4k-security-oauth : Allow injecting OpenID's request parameter into the authorization request.
  • http4k-security-oauth : Expose request to AuthRequestTracking.


  • http4k-core : Replace RequestContexts with reference to Store. H/T @amcghie
  • http4k-contract : Added some missing deprecations.
  • http4k-contract : Fix #243 - Nulls not allowed in OpenApi V3 JSON models.


  • http4k-contract : Fix #239 - OpenApi v3 schemas for raw lists blow up when rendering.
  • http4k-* : Update various dependencies.


  • http4k-contract : Both OpenApi v2 and v3 are now supported, including automatic schema generation. Some classes for OpenApi2 have moved to a new package - Deprecations should provide most alternatives. See module docs for details. For OpenApi v3, optionally include http4k-format-jackson to get JSON schema models based on JVM objects.
  • http4k-format-jackson : Added reflective JSON schema creator, to be used for generating named models from JVM objects.


  • http4k-core : Fix #233 - MemoryBody blows up with "java.nio.ReadOnlyBufferException"
  • http4k-core : Tighten up security on Basic and Bearer auth server filters. H/T @andymoody
  • http4k-security-oauth : Add filter to check bearer token is valid access token. H/T @andymoody


  • http4k-* : Update dependencies (including Kotlin bump to 1.3.31)
  • http4k-security-oauth : Handle user rejecting/failing authentication. H/T @andymoody


  • http4k-security-oauth : Allow access token generation to explicitly reject an authorization code already used. H/T @andymoody


  • http4k-security-oauth : Amend error responses from access token generation. H/T @andymoody


  • http4k-contracts : Tweaks to Security model for http4k-contracts. (Renamed) ApiKeySecurity is now a proper class, and added BasicAuthSecurity. You can now also override the security model on a per-route basis.
  • http4k-contract : Added ability to set the Security on each individual contract route. This overrides any Security set on a contract-level basis.


  • http4k-serverless : Allow invocation of serverless functions locally. H/T @Charlyzzz
  • http4k-core : Fix #226 - ResourceLoadingHandler not close stream


  • http4k-security-oauth : Rename AuthRequestPersistence to AuthRequestTracking


  • http4k-security-oauth : Allow the http request to be referenced when generating OAuth authorization codes. H/T @andymoody


  • http4k-core : Change mime.types location so it doesn't conflict with other libraries. H/T @benusher and @dgliosca
  • http4k-testing-chaos : Added SnipRequestBody behaviour.
  • http4k-core : (Small) Breaking: Fixed location of some extension files to be relevant to the particular package that they are referencing. This will require reimporting the new location into your source if you were using the imports.


  • http4k-testing-approval : Made content-type aware approval tests check the content type after the content. This is friendlier for failing tests, as it is more important that the content is correct than the content-type (and often errors don't have content type set so you get an erroneous error message which masks the fact that the content was wrong).


  • http4k-cloudnative : HandleUpstreamRequestFailed client filter now takes a predicate (Response) -> Boolean instead of a boolean. This allows for more fine grained custom control of which Responses are acceptable.
  • http4k-* : Upgrade deps, including Kotlin to 1.3.30.
  • http4k-contract : Fix #221 - Contract path fixed segments cannot contain slash characters.


  • http4k-format-jackson : Convert Jackson to use readValue instead of convertValue. This fixes some problems with type conversions.


  • http4k-core : (Possible) Break: Made lens implementations (Query, Header etc.) clear previous values by default instead of appending. This leads to more consistent behaviour. To set multiple values on an object using a lens, use the multi form instead - e.g. Header.required("foo") -> Header.multi.required("foo"). We envisage the impact of this change is limited as it's only Queries that generally can have multiple possible values, and in the vast majority of cases a replace rather than append is expected.


  • http4k-contract : Generify contract handling code to allow for custom HttpMessageMeta<XYZ>


  • (Slight) Break: Collapsed UpstreamRequestFailed exceptions to contain the status, thus removing non-special cases like BadRequest and BadGateway. This makes them much easier to use in practice as users have access to the status. To migrate, simply replace previous classes with UpstreamRequestFailed(Status.XYZ, message).
  • http4k-contract : Open up ContractRoute API to facilitate extension when defining a custom ContractRenderer.
  • http4k-* : Upgrade deps.


  • http4k-core : Added base64 to the supported mappings for Query/Headers etc...
  • http4k-testing-approval : Approver does not write actual output if there is none to write and there is no approved content


  • http4k-testing-approval : Improved Approver interface to more closely match the traditional assert<XYZ> approach - this results in a more discoverable/obvious API.
  • http4k-testing-hamkrest : Added ability to create a Hamkrest matcher directly from the Approver instance to be combined with other relevant matchers.


  • http4k-testing-approval : Add support for XML and HTML approval tests.


  • Added http4k-testing-approval module, which is compatible with JUnit5 tests and integrates with the OkeyDoke approval testing files and IntelliJ plugin. H/T to @jshiell for the inspiration Gist containing the base Junit5 Extension.


  • http4k-security-oauth : Make authentication response available when creating AuthorizationCode.


  • http4k-security-oauth : Introduce OAuthServer to http4k-security-oauth to assist in the creation of authorization servers.


  • Generified GenerateXmlDataClasses filter, and added default implementations for http4k-format-jackson-xml and http4k-format-xml modules.
  • (Rename) Break: GenerateXmlDataClasses filter in http4k-format-xml is now GsonGenerateXmlDataClasses
  • Removed superfluous CatchLensFailure filter from http4k-contracts module. This is not required as lens failures are already handled by the main contract handler.


  • Moved Jackson XML support to new module http4k-format-jackson-xml. Note that this is for auto-marshalling of data-classes only and does not expose an XML DOM model.


  • Deprecated Body.view() lens construction in favour of a Body.viewModel() call which removes the implicitly called toLens(). This allows further mapping from one ViewModel type to another, and brings the view lens construction into line with the rest of the extension functions on Body.
  • Add auto-marshalling XML support to http4k-format-jackson module.
  • Upgrade deps.


  • Add UpstreamRequestFailed exceptions and HandleUpstreamRequestFailed filters to http4k-cloudnative. These allow apps to neatly deal with upstream failure in a sensible way.


  • Tweak contract() DSL to add remaining options for configuration.


  • Renamed ChaosControls (deprecated) to ChaosEngine.


  • Added new templating module http4k-templates-freemarker. H/T @amcghie for the PR implementing this
  • http4k-contract has a new DSL for construction of the contract which replaces the old one (now deprecated). This is consistent with the meta DSL used to construct individual contract routes and avoids repetition of the old API. We attempted to implement the standard replace-with deprecation, but IntelliJ didn't like it (too complex maybe), so we've hard coded the warning instead, with code which should work.
  • Added PreFlightExtraction to contract module, which adds the ability to disable body-checking for contract routes. This will allow refining of routes or entire contracts to be more efficient.
  • Upgrade deps.


  • Fix #217 - Cannot override the definitionId of a top-level array in OpenAPI
  • Upgrade deps


  • Chaos now does not blat x-uri-template when used with a RoutingHttpHandler
  • Simplified usage of Once chaos trigger.
  • (Slight break) Consistentified (!) construction of Chaos Behaviours, Stages and Triggers. Replaced singletons with function calls. Eg. Always -> Always()


  • (Possible Break): Fix #215 - LensFailure does not always include target object. Only change to the API is that IN generic in Lenses is now bounded by IN : Any. This fix is actually internally consistent as we could not always include the target otherwise (which is an Any?).
  • Trim leading and trailing whitespace from extracted EnvironmentKey values.
  • Secret value is now only usable once via the use() function.
  • Upgrade to various deps.
  • Removed deprecations.


  • Added some common types for Environmental setup, and equivalent BiDiLens mappings
  • Handle null response in Java Http client. H/T @FredNordin


  • Fix #212 - allow null values in HTTP contract definitions. This does mean we lose the type definition for that field, but we don't blow up silently (which was the previous behaviour). H/T @xhanin


  • Re-add Path.nonEmptyString() which was accidentally removed.


  • Add support for prohibiting String unmarshalling in JSON auto-marshalling configuration.
  • HTTP Contracts now use the underlying ContractRenderer to produce the BadRequest and NotFound responses. Made OpenAPI open so that these responses can be customised.


  • Add support for JSON views in Jackson module. H/T @xhanin for the donkey work.


  • Breaking: slight rearrangement of RouteMeta receiving/returning methods to provide consistency when defining route contracts.


  • Moved the set of predefined String BiDiMapping instances to their own class. Bulked out the auto-mapping configuration options.


  • Upgrade to various deps.
  • Extracted out new BiDiMapping type, which encapsulates string <-> type conversions and removes a boatload of duplications. These conversions are now used consistently across all the various places (Lenses, auto-mapping).
  • Improved configurability of AutoMarshallingJson instances.


  • Upgrade to various deps.
  • Fix #208 - Xml auto deserialisation incorrectly converting strings to numbers


  • Fix #207 - repeating prefixes in static routes are not handled correctly. H/T @ruXlab for the PR to fix.


  • Add http4k-server-ktorcio server backend. Note that whilst this module does allow http4k apps to plug into the Ktor-CIO engine, it does not provide fully front-to-back coroutine support.


  • Preventing FallbackCacheControl from duplicating existing headers. H/T @leandronunes85
  • Breaking: Make Body.length nullable instead of throwing exception when value is not available. H/T @zvozin


  • Upgrade to various deps.
  • Add session token support to AWS filter, and "credentials provider" to allow for rotating AWS sessions. H/T @dhobbs.
  • Breaking: Moved WsClient from org.http4k.testing to org.http4k.websocket.


  • Fix access-control-allow-origin returned when server supports multiple origins H/T @johnnorris


  • (Properly) Fix #198 - Rewrote OpenApi contract to ensure it stays fixed. H/T @reik-wargaming for the help in tracking this down.


  • "Fix" #198 - Breaking change made in http4k-contracts to clarify/deconfuse API. Hid body parameter in contract route meta DSL - it is now receiving().
  • Upgraded some dependencies, including Gradle to v5.0.
  • Breaking: Resilience4j dependency upgrade causes a break when providing custom config. Simply insert the Config type generic to fix: e.g. RetryConfig.custom() -> RetryConfig.custom<RetryConfig>()


  • Fix #197 - Swagger spec for form fields had incorrect description.


  • Introduce interface for Environment


  • Upgrades to dependencies
  • Improved Client-side HTTP status descriptions
  • Lenses now support Durations out of the box
  • Environments now support multi-value keys (comma separated)


  • Make Undertow API friendlier
  • Fix to JsonReadinessCheckResultRenderer to actually implement the correct interface


  • Enhancement of http4k-cloudnative - now supports extra-health check routes, and provide way to load app configuration via Properties files.


  • Add filter allowing Gzipping based on an allowed set of content types. H/T @jshiell
  • Change HttpHandler extending HttpClients to use object invoke() mechanism, as the individual clients have no visible API surface of their own. Introduced DualSyncAsyncHttpHandler interface.


  • Webdriver checkbox handling improved. H/T @gypsydave5
  • upgrade to various versions


  • upgrade to Kotlin 1.3.0


  • Tweak to K8S port variables.


  • (Unlikely break): Change Http4kServer interface to return Unit from stop(). This affects all server implementations.
  • Added DSL function for working with JSON objects (scopes JSON as this). fun <T> Json<NODE>.invoke(Json<NODE>.() -> T)
  • New module http4k-cloudnative contains classes to help run http4k services inside cloud-native environments, including K8S.
  • Upgrade some dependencies
  • Deprecation: Moved Header.Common fields to main Header object. Extension properties should go there now.


  • Use UTC when checking cookie expiry


  • Deprecate String.toBody()
  • Fix checkbox behaviour in webdriver

~v3.39.4~ v3.93.4

  • Use Jetty latest release version (rather than RC one)


  • Fix #189 - Uri toString now omits leading slash if the authority of a Uri is blank. This could be a potential break, but is actually more consistent as a Uri can currently be relative or absolute.


  • Extend SetBaseUriFrom to support query parameters


  • Added SetBaseUriFrom filter


  • (Possible breaking change): Json is now only generified by a single type parameter instead of 2. For most usages, this type would have been identical anyway, but the upgrade of Argo has finally allowed the removal of this dead generic. Simply replace Json<Node, Node> with Json<Node>.
  • Added Offset datetime types to all JSON auto-marshalling libraries
  • Build logic for versioning is now in Kotlin. H/T @jmfayard for the PR
  • Upgrade Kotlin, and various other dependencies


  • Fix withChaosControls URL pattern so that it matches sub-routes ok on original handler


  • Added BearerAuth and BasicAuth implementations which populate RequestContexts. Plus howto example :)


  • Fix #177 - Make RequestContexts thread-safe.


  • Upgrades to http4k-testing-webdriver. H/T @dickon for the PRs
  • Added ProxyHost request filter which is useful for writing proxy-type apps.


  • Fix #168 - Fix rest of hamkrest matchers caused by generics mishap.
  • Upgrade HTTP client dependency versions.


  • Added http4k-testing-chaos module, designed to enhance failure-mode testing for http4k apps. Massive H/T to @IgorPerikov for the PR which drove this module's creation.
  • Added http4k-incubator module, for hosting developing projects and other code which might be promoted to top-level modules in the future.


  • Fix #167 - Reintroduce hasBody compatibility with common matchers such as containsString()
  • Remove deprecations.


  • Fix #165 - AWS auth filter does not replace headers - it sets them (which breaks for request signing)
  • Fix #164 - Webdriver internal state breaks when navigating to a full URL
  • Fix #162 - SetHostFrom doesn't set 'Host' header correctly (missing port). H/T @elifarley


  • Added some regex matchers to http4k-testing-hamkrest.
  • Added BearerAuth authentication Server and Client Filters - these work similarly to BasicAuth.
  • Added option for defaulted() lenses to fall back to another supplied lens in the case of missing value. Thanks to @dmcg for the inspiration. :)


  • Fix #160 - JavaHttpClient does not copy body stream correctly onto URL connection.


  • Fix #159 - Contracts should not have Security applied to the description route by default.


  • Fix #158 - Static and contract routes filters are applied in the wrong order.


  • Add default SamplingDecision param to ZipkinTraces - defaults to always sample.
  • Fix #150 - StaticRoutingHandler filters being called twice.
  • Fix #151 - POTENTIAL BREAK: Rework of Status objects to fix equality against the Status constant vals when a description has been overridden. This involves the following potential breaking change: The Status class is no longer a data class to tighten up encapsulation - user calls to copy() will have to be replaced.


  • Raise SO_BACKLOG in Apache and Netty server implementations.


  • No change from 3.33.0. Previous version couldn't be made available to maven central.


  • Add convenient way to extract from as a Map from http message. H/T to @dmcg (this version is available in jcenter only)


  • Fix #142 - Pebble templates don't load from JAR files.


  • Add support for propagation of the Zipkin x-b3-sampled header


  • Changes to the Netty factory to enable running http4k on GraalVM. H/T @RichyHBM


  • Allow all server implementations to start on port 0 (ie. find a free port) and then report it back as a part of the Http4kServer interface


  • Make HTTP clients resilient to unknown host and connection refused exceptions
  • Implemented #134 - Added default (de)serialization for common JDK primitives to all Auto-marshalling JSON modules - eg. date times and UUIDs


  • Fix #131 - Uri's created with paths that don't contain leading slashes.
  • Added etag parser filter. H/T @dgliosca for the PR
  • Fix #132 - Ensured that disableDefaultTyping is called in default Jackson implementation. This should be the default anyway, but has been added to ensure that we don't fall foul of CVE-2017-7525 and to surface awareness of this issue.


  • OpenAPI now provides example values in the generated schema. H/T @skewwhiffy for the PR.


  • Fix #126 - ResourceLoadingHandler can expose mapped resources into the root. <-- We think this is an important update, so please upgrade!


  • Fix #125 - ApacheServer implementation now sets content length if present.


  • Fix #123 - Multipart Body objects blow up when parsed after being debugged. As with all streams, care should be taken to not blow heap when internalising them for debugging purposes.


  • Debugging filter now supports ignoring Multipart streams.


  • Tweak: OpenAPI now doesn't return null values in the schema.


  • Fix #124 - headers in WebSocket upgrade request are incorrectly joined.


  • Removed supportedContentTypes field from OpenApi contract JSON, since this is a legacy field.


  • Added option to Undertow to enable HTTP2 from main ServerConfig


  • Upgrade various dependencies for Java 10 compatibility. H/T @tom
  • Fix bug with repeated params in Websocket upgrade request. H/T @tom


  • Composite LensFailures now capture (at least) the first failing cause (probably the body parameter in the case of an http4k-contract module).


  • Fix #116 - Can provide a custom Response creation method for CatchLensFailure. H/T @elifarley for the inspiration!


  • Added singleton method for Json.array, since if you pass in a single JsonNode (Jackson), it accidentally iterates over the fields in the node instead of using the object as an entry in the array.
  • Fix #115 - Only add content-length for methods that allow content in AwsAuth filter


  • Preserve routing information on request/response manipulation


  • http4k-security-oauth module added - with support for OAuth2 Authorization Grant flow
  • Replaced classes reliant on javax.activation package, which allows Java 9+ to not require any external dependencies. \o/
  • Fix #112 - ApacheClient incorrectly sets headers on GET requests (this breaks F5 load balancers). H/T @simojenki
  • PR #110 - Websocket client timeouts are incorrectly translated as seconds instead of millis. H/T @anorth
  • Core JavaHttpClient does not support streaming due to limitations with HttpURLConnection


  • Fix #109 - Jackson treats integer values inconsistently, leading to matching errors when using hamkrest.


  • Fix #107 - Killed the x-uri-template header and fixed the ReportHttpTransaction to have access to the routingGroup.
  • Altered ordering of filters in http4k-contract so that the route is identified before pre-filters and security are applied. This allows knowledge of the path to be accessible at the time of application of those filters.


  • Introduce JavaHttpClient to http4k-core. It provides a very basic http client without any other 3rd party dependencies.


  • PR #104 - Add optional time/date formatters to LensSpecs so you can choose your serialisation format. H/T @elifarley
  • Fix #105 - Swagger API json file: duplicate key in "definitions".


  • Fixed PR #100 - URI template regex required extra escaping. This only affects Android deployments as IDE shows the regex escaping is redundant. H/T @privatwolke


  • Breaking: converted contract pre-security filter to be a post-security filter. This means that all standard filters are applied before the security layer, which allows for logging and monitoring and context setup. The previous filter mechanic applied security first, which didn't allow for this. In the unlikely event that post-security filters still need to be applied, use the withPostSecurityFilter() function when building the contract.
  • Docs for contract RouteMeta function parameters, and deprecated some unused functions (missed when we introduced the DSL).
  • PR #99 - Contract routes now support up to 10 path segments. Thanks to @scap1784 for the PR! :)


  • Fix #97. Moshi does not fail when deserialising non-nullable fields correctly. Note that GSON still suffers from this problem


  • Added a pre-security filter option to contract creation, so that you can explicitly specify behaviour to occur before security kicks in.


  • Convert Security (from sealed class) and ApiKey to be interfaces. This allows users to implement their own security models.


  • Introduce HttpTransaction and new ReportHttpTransaction filter provide better generic API for reporting, along with the ability to label transactions for this purpose.
  • Breaking: Rework the metrics request counter and timer Filter API. There is now a HttpTransactionLabeller for you to add as many labels as required to the transaction. Each of these labels will be used to tag the metric.


  • Fix #95 - Filters are now applied to "route not found" responses


  • Fix #93 - Apache server doesn't like content-length or transfer-encoding headers present in http4k response.
  • Add ability to "name" input and output contract body definitions in an OpenAPI JSON doc. This applies to only the top level entity. If no override is passed, the objects are named according to their hashcode.


  • Fix #92 - cookie date should always use US locale


  • Further tweak to Netty. H/T @FredDeschenes


  • Fix #91 - large message handling in Netty


  • Upgrade to Kotlin 1.2.20


  • Support for operationId in OpenApi route metadata. H/T @danschultz for the PR.
  • Removed previously deprecated methods.


  • New client module http4k-client-jetty, which supports both sync and async models.


  • Fix #84. OPTIONS requests are not detected by contract routes.
  • Added option to NOT authorise OPTIONS requests in ApiKey security filter.
  • Added support for Async HTTP clients and added new AsyncHttpClient interface, which is obviously used for HTTP clients only, and not server-side calls. :)
  • New client module http4k-client-apache-async.
  • New metrics gathering module http4k-metrics-micrometer. Big H/T to @kirderf for the PR.
  • Added support for async to OkHttp client module.


  • P/R 81 - adding headers and timeout to websocket client.


  • Added compactify and prettify to Json implementations
  • Added Json.hasBody Hamkrest matchers for comparing bodies. Note these are extension methods and need to be referenced/imported as such.


  • Added facility for non-blocking websocket client to react to onConnect event. This API is the same as the inbound, server-side API - ie. there are no explicit connection event handlers. H/T @tom for the idea.


  • P/R #13 Create extension methods for Response to add caching headers. H/T @k0zakinio.


  • Fix #78. Serialisation of raw lists using Moshi fails in the same way as the Jackson auto-conversions do. Added convenience methods to get around this.


  • Added http4k-format-moshi to support the Square auto-marshalling library.


  • Fix #76 - encoding of path segments to use URI encoding instead of URL form encoding.


  • Added support for multiple HotReload template directories in HandlebarsTemplates. H/T @TomShacham
  • Fix #74 - Request tracing span/parentSpan set too early so was shared between outgoing requests.


  • New server backend http4k-server-apache. H/T @kirderf for the PR :)
  • We now set the length of the incoming request body when it is available in the incoming request.


  • Handlebars now uses combination of Class and Template name to cache templates.


  • Facility to compose TemplateRenderers with then() to provide fallback behaviour.


  • PR #70: Header order equality for Request/Response - H/T @gypsydave5.


  • Switched out Status for WsStatus (with proper RFC code set) in Websockets.


  • Typesafe Websockets! Jetty now supports websockets, using the same style of API in the main http4k routing.
  • (Possible) Breaking change: Because WsHandler (typealias) implements the same inbound interface as HttpHandler, you now cannot declare HttpHandlers without specifying the input type, so any "anonymous" handlers will not compile as a result. The required fix is very simple, but manual: { Response(OK) } should become { _:Request -> Response(OK) }


  • Fix Request.form() for streaming requests


  • Remove possibility of empty message for Path Lens failure.


  • New (better!) API for http4k-contract module. Old meta DSL has been deprecated.


  • Fix #63 - Apache Client Connect. timeout exception handling.


  • Added http4k-serverless-lambda module, allowing http4k applications to be deployed into AWS Lambda and then called from API Gateway. Effectively, the combination of these two services become just another Server back-end supported by the library. \o/


  • RequestContextKey now follow the standardised Lens structure of required, optional, defaulted, and can now be removed (set to null). Replace calls to RequestContextKey.of() with RequestContextKey.required()
  • Removed previously deprecated values. See below for details on replacements.


  • Added http4k-resilience4j module, which adds Circuits, RateLimiters, Retrying and Bulkheading.
  • Fix #60 (H/T @michaelhixson for the spot).


  • Added a couple of useful ServerFilters.
  • Upgrade various dependency versions.
  • Tidying of Multipart code.


  • Fix #57. Static handlers behave oddly when combined with an HTTP verb in the routing tree.


  • Fix #56. Altered behaviour of CatchLensFailure to NOT catch errors from unmarshalling Response objects. This was causing BAD_REQUEST to be incorrectly generated.
  • Simplification of generics around LensSpecs. This should not be a breaking change, (there were 3 generics, now the MID has been removed so there are just 2) but could break if signatures are used explicitly.


  • Reordered generics in LensInjector to make sense. This should have no effect on most code-bases, but could break if signatures are used explicitly. Just flip the generic types to switch.


  • Added support for unsigned AWS requests, which enables streaming content to S3.


  • Added BodyMode.Request to configure streaming for clients.
  • ResponseBodyMode is now BodyMode.Response (Breaking change. Fixable with simple find/replace).


  • Added ServerFilter.ProcessFiles filter to stream Multipart Files, convert them into references and replace inline in the Form.


  • Avoid realising StreamBody unless necessary, which could break common usages of streaming.


  • Tweaks to Server backends to improve efficiency.


  • Webdriver will keep only the final URI after redirects.


  • Increased granularity of Replay.DiskStream and ensure that traffic is returned in exact order on all OSes.
  • Add support for redirects to Webdriver.


  • Multipart module tweaked to provide a more consistent API.
  • Fix FollowRedirects for POST/PUT request.


  • Multipart form support through new module http4k-multipart.
  • Deprecation: Replaced Swagger with OpenApi and deprecated the former (via typealias).
  • Deprecation: Replaced FormValidator with Validator and deprecated the former (via typealias).


  • Refactor release.


  • Fix #50 - Webdriver does not normalise relative links correctly.


  • Http client modules now catch and convert Socket Timeout exceptions to HTTP 504s (with a custom message)


  • Tweaks to how recorded traffic is stored on disk. Thanks to @dkandalov for the PR around this.


  • Added TrafficFilters for recording and replaying HTTP traffic. See org.http4k.traffic package for details.


  • Added http4k-template-dust for Dust template engine support. Thanks to @npryce for the PR to add this.


  • Fix #44 - Use quotes around cookie values


  • Raise proper Exception (instead of LensFailure) when RequestContexts are not set up correctly, so we don't accidentally classify developer errors as BadRequests


  • Added facility to assign values into a RequestContext which is passed down the Filter chain.


  • Fix #44 - Request cookies should not be wrapped in quotes.


  • Fix #43 - AWS does not sign binary requests correctly.


  • Fix #41 - Sending binary body alters the size of the payload.


  • Added "catch all" routing option, which matches all methods to a handler.


  • Fix #40 - GZip filters now use content-encoding headers instead of transfer-encoding.


  • Fix #39 - ResponseBodyMode.Memory properly closes streams (breaks jetty + gzip).


  • Ensure that streams are closed properly when consuming from an upstream client.


  • Remove Apache client request streaming because it may not release connections properly.


  • Add streaming support to HTTP Server and Client modules.
  • Remove CatchLensFailure ClientFilter as it will never be used.


  • Added CatchLensFailure for ClientFilters - which catches un-deserializable invalid responses from clients and generates a BAD_GATEWAY error.


  • Switch XML generation to Gson over Jackson because Jackson doesn't handle uppercase field names well.
  • Switch native XML parsed type to Document over Node.


  • New algorithm for XML data class deserialisation, so un-deprecated XML methods.


  • Deprecated methods in XML support due to limitation with underlying Jackson implementation.


  • Fixed bug with GenerateXmlDataClasses filter


  • Renamed http4k-format-jackson-xml module to http4k-format-xml.
  • Improved XML unmarshalling support.


  • Fixed 36: Form entry is too strict with content encoding.


  • Added http4k-format-jackson-xml module, with XML parsing support.
  • Upgrade several dependencies


  • Fixed Hamkrest matchers to be on HttpMessage and not Http Request.


  • Default body Content Negotiation strategy changed to None


  • Converted Content-Negotiation strategy from an Enum to an interface, so that users can define their own strategies. We also now check encoding so there are 4-built in strategies to choose from: Strict, StrictNoDirective, NonStrict and None.


  • Fixed #31 - Matching of segments in URIs is done after URLs are decoded, which results in not capturing encoded slashes in the path segments.


  • Fixed #30 - CachingClasspath template ResourceLoader not working with non-root packages.


  • Fixed #29 - webdriver submission of text area.
  • Http clients now use a new instance of the default for each instantiation. Previously there was a shared instance.
  • Add regex body type for parsing values out of bodies, and "None" option for content negotiation.


  • Fix AWS request signing for requests containing empty path


  • Fix AWS request signing for requests containing path with special characters


  • Added support for newRequest() in new RouteBinder mechanic.


  • Add support for unlimited nesting for routes() blocks. Removed the raw Route object, which can be replaced with Router or RoutingHttpHandler where appropriate.
  • As part of above, rejigged route setup logic. Deprecated old routing structure, so now "/path" to GET bind is "/path" bind GET to. To fix deprecation, simply switch the calls to "to" and "bind" in routing setup.
  • Rename of bind() in http4k-contract to be bindContract()


  • Added missing eclectic HTTP method. :)


  • Added GZip filters to http4k-core to zip request and response bodies.


  • Improved messages for http4k-testing-hamkrest matchers.


  • Added http4k-testing-hamkrest which contains a set of Hamkrest matchers for Http4k objects.


  • More features for http4k-testing-webdriver. Cookie support added.


  • More features for http4k-testing-webdriver. We now support Form entry and submission.


  • More features for http4k-testing-webdriver.


  • Added http4k-testing-webdriver module, an ultralight Selenium WebDriver for http4k apps


  • Fix #26 - GenerateDataClasses does not recurse into nested object trees


  • Fix filter application on GroupRoutingHttpHandler to apply the filter when it is applied with then(RoutingHttpHandler()


  • Fix static routes not defaulting to index.html when in root context


  • Added SunHttp server implementation (for development use only)


  • Fix cookie parsing when value contains '='


  • Add method to set form values in the request


  • Added PURGE HTTP method as it's used commonly by various caches.


  • Repackage AWS classes for consistency with rest of project


  • Alter AWS Auth filter creation. Now use ClientFilters.AwsAuth


  • Add AWS module


  • Newly created Zipkin traces are now populated onto incoming request in ServerFilters.


  • Slight tweak to GSON auto-marshalling to allow for use of raw Arrays with auto-marshalling


  • Add Thymeleaf templating support


  • Add Pebble templating support


  • Make Route a Router so we can nest them together.


  • Remove excess "charset" from headers in Undertow.


  • Rename by() to bind() in routing for clarity.


  • Fix for #24 - UriTemplate captures query parameters when the trailing path parameter is a regex.


  • Added GSON full-auto functions to convert arbitrary objects to/from JSON.


  • Fix #23. Contract now supports multi-part URL params (for hardcoded parts)


  • Fix #22. Uri template does not parse out correct path params when URL starts with a path part.


  • toString() implementations to aid debugging


  • Readded missing default parameter for newRequest() on RouteSpec


  • Breaking: Inversion of routing API. GET to "/someUri" is now "/someUri" to GET for consistency across the entire API.


  • Reimplementation of http4k-contract API to match main routing API. Contracts are now nestable.


  • Fix Filters being applied twice in ContractRoutingHttpHandler


  • More work on http4k-contract contract API


  • Rework http4k-contract routing to be mounted in the same way as other RoutingHttpHandlers


  • Filters are now applied consistently to all Routers


  • Tweak to DSL for defining StaticRouters


  • Fix for #18: FollowRedirect will now work if location header includes charset information.


  • New DSL for defining StaticRouters


  • Merged StaticContent and StaticRouter and repackage of contract API into other packages


  • Extend fix for #17 to request Cookie header.


  • Fix for #17. Cookie can now parse a cookie without attributes and ending in semicolon.


  • Added nestable Routers.
  • Merging of Modules and Routers. Router is the new Module! RouteModule is now ContractRouter, so rename in code will be required.


  • Fix for #15. OkHttp client handling of POSTs with no body.


  • Can add custom mime types to Static Content
  • GenerateDataClasses is capable of more complex object graphs


  • Remove HttpHandler.asServer in favour of HttpHandler.startServer to avoid confusion.
  • Introduce Status.description().


  • Netty sets content-length header.


  • Fix for #12. Undertow not constructing response correctly.


  • New module with support http4k-server-undertow
  • Jackson implementation now ignores unknown properties in incoming messages
  • Netty implementation tidied up


  • Fix for #11. Netty implementation returns incorrect status codes.


  • Add synonym methods for Lenses to aid readability. We now have invoke(IN)/extract(IN) and invoke(IN, TARGET)/inject(IN, TARGET)


  • http4k-contracts: Add option to change the route of the module description route


  • http4k-contracts: Fix for contract module description routes not being authenticated via security filter


  • http4k-contracts: Add Swagger module rendering with JSON schema models for messages.


  • Add nonEmptyString() lens type to all request parts.


  • General rework


  • Further work on Path Lenses. They are now fully supported and consistent for both simple and contract routing scenarios.


  • Path lenses are now bidirectional, so can be used to populate requests as well as bodies and headers etc.
  • Routes can now create shell Requests for themselves, using route.newRequest()


  • Body is now non-nullable (use Body.EMPTY instead)
  • Rename methods in BodyLens API for consistency and clarity. required() is now toLens(). The to() binding method is now of().


  • New client module: http4k-client-okhttp


  • Tidying


  • Added option for Body content-negotiation to be strict or non-strict (the default). Always be strict in what you send, relaxed in what you will accept. :)


  • Moved Credentials to org.http4k.core package.
  • Add various filters, including SetHostFrom and CatchAll.


  • Added GenerateDataClasses so you can generate Kotlin data classes from JSON messages.


  • Added CORS support


  • Added auto() to Jackson, so you can auto convert body objects into and out of Requests/Responses


  • Added CachingFilters


  • Removed static factory methods for Request/Response. They were confusing/incomplete and users can easily recreate them via extension functions.
  • Merge org.http4k.core.Body and org.http4k.lens.Body.
  • Add Request/Response message parsers.


  • Turn Body into ByteBuffer wrapper rather than typealias. That should make .toString() behave as most people would expect.


  • Removed non-mandatory parameters from Request and Response constructors. This is to aid API clarity and force users to use the API methods for properly constructing the objects.
  • Regex Lens added.


  • Initial major release.