Repository  -  API  -  Source


Full Changelog

A major issue was introduced when refactoring the authentication modules. This release addresses only that issue.


Full Changelog

Breaking changes

New Features

  • Adds ability to restrict access through Class Level Permissions to only authenticated users see docs
  • Adds ability to strip sensitive data from _User responses, strips emails by default, thanks to Arthur Cinader
  • Adds password history support for password policies, thanks to Bhaskar Reddy Yasa


  • Bump parse-server-s3-adapter to 1.0.6, thanks to Arthur Cinader
  • Using PARSE_SERVER_ENABLE_EXPERIMENTAL_DIRECT_ACCESS let you create user sessions when passing {installationId: "xxx-xxx"} on signup in cloud code, thanks to Florent Vilmart
  • Add CLI option to pass host parameter when creating parse-server from CLI, thanks to Kulshekhar Kabra

Bug fixes

  • Ensure batch routes are only using posix paths, thanks to Steven Shipton
  • Ensure falsy options from CLI are properly taken into account, thanks to Steven Shipton
  • Fixes issues affecting calls to matchesKeyInQuery with pointers.
  • Ensure that select keys can be changed in triggers (beforeFind...), thanks to Arthur Cinader



Postgres support requires v9.5

New Features


Bug Fixes

  • Fixes issue when sending push to multiple installations, thanks to Florent Vilmart
  • Fixes issues with twitter authentication, thanks to jonas-db
  • Ignore createdAt fields update, thanks to Yuki Takeichi
  • Improve support for array equality with LiveQuery, thanks to David Poetzsch-Heffter
  • Improve support for batch endpoint when serverURL and publicServerURL have different paths, thanks to Florent Vilmart
  • Support saving relation objects, thanks to Yuki Takeichi


New Features

  • LiveQuery: Bring your own adapter (#2902), thanks to Florent Vilmart
  • LiveQuery: Adds "update" operator to update a query subscription (#2935), thanks to Florent Vilmart


Bug Fixes

  • Better support for checking application and client keys, thanks to Steven Shipton
  • Google OAuth, better support for android and web logins, thanks to Florent Vilmart


Bug fixes

  • Fix error when updating installation with useMasterKey (#2888), thanks to Jeremy Louie
  • Fix bug affecting usage of multiple notEqualTo, thanks to Jeremy Louie
  • Improved support for null values in arrays, thanks to Florent Vilmart


  • Minimum nodejs engine is now 4.5

New Features

Bug fixes

  • Fix: Include with pointers are not conflicting with get CLP anymore, thanks to Florent Vilmart
  • Fix: Removes dependency on babel-polyfill, thanks to Florent Vilmart
  • Fix: Support nested select calls, thanks to Florent Vilmart
  • Fix: Use native column selection instead of runtime, thanks to Florent Vilmart
  • Fix: installationId header is properly used when updating _Installation objects, thanks to Florent Vilmart
  • Fix: don't crash parse-server on improperly formatted live-query messages, thanks to Florent Vilmart
  • Fix: Passwords are properly stripped out of logs, thanks to Arthur Cinader
  • Fix: Lookup for email in username if email is not set, thanks to Florent Vilmart


  • Fix: Reverts removal of babel-polyfill


  • New: Adds CloudCode handler for beforeFind, thanks to Florent Vilmart
  • New: RedisCacheAdapter for syncing schema, role and user caches across servers, thanks to Florent Vilmart
  • New: Latest master build available at ParsePlatform/parse-server#latest, thanks to Florent Vilmart
  • Fix: Better support for upgradeToRevocableSession with missing session token, thanks to Florent Vilmart
  • Fix: Removes babel-polyfill runtime dependency, thanks to Florent Vilmart
  • Fix: Cluster option now support a boolean value for automatically choosing the right number of processes, thanks to Florent Vilmart
  • Fix: Filenames now appear correctly, thanks to Lama Chandrasena
  • Fix: _acl is properly updated, thanks to Steven Shipton

Other fixes by Mathias Rangel Wulff


  • New: support for upgrading to revocable sessions, thanks to Florent Vilmart
  • New: NullCacheAdapter for disabling caching, thanks to Yuki Takeichi
  • New: Account lockout policy #2601, thanks to Diwakar Cherukumilli
  • New: Jobs endpoint for defining and run jobs (no scheduling), thanks to Florent Vilmart
  • New: Add --cluster option to the CLI, thanks to Florent Vilmart
  • New: Support for login with, thanks to Nurdaulet Bolatov
  • New: experimental support for postgres databases, thanks to Florent Vilmart
  • Fix: parse-server doesn't call next() after successful responses, thanks to Florent Vilmart
  • Fix: Nested objects are properly includeed with Pointer Permissions on, thanks to Florent Vilmart
  • Fix: null values in include calls are properly handled, thanks to Florent Vilmart
  • Fix: Schema validations now runs after beforeSave hooks, thanks to Florent Vilmart
  • Fix: usersname and passwords are properly type checked, thanks to Bam Wang
  • Fix: logging in info log would log also in error log, thanks to Florent Vilmart
  • Fix: removes extaneous logging from ParseLiveQueryServer, thanks to Flavio Torres
  • Fix: support for Range requests for files, thanks to Brage G. Staven


  • Fix: Improve support for objects in push alert, thanks to Antoine Lenoir
  • Fix; Prevent pointed from getting clobbered when they are changed in a beforeSave, thanks to sud
  • Fix: Improve support for "Bytes" type, thanks to CongHoang
  • Fix: Better logging compatability with, thanks to Arthur Cinader
  • New: Add Janrain Capture and Janrain Engage auth provider, thanks to Andrew Lane
  • Improved: Include content length header in files response, thanks to Steven Van Bael
  • Improved: Support byte range header for files, thanks to Brage G. Staven
  • Improved: Validations for LinkedIn access_tokens, thanks to Felix Dumit
  • Improved: Experimental postgres support, thanks to Florent Vilmart
  • Perf: Use native bcrypt implementation if available, thanks to Florent Vilmart


July 23, 2016

Full Changelog


July 10, 2016
  • New: Expose InMemoryCacheAdapter publicly, thanks to Steven Shipton
  • New: Add ability to prevent login with unverified email, thanks to Diwakar Cherukumilli
  • Improved: Better error message for incorrect type, thanks to Andrew Lane
  • Improved: Better error message for permission denied, thanks to Blayne Chard
  • Improved: Update authData on login, thanks to Florent Vilmart
  • Improved: Ability to not check for old files on, thanks to OzgeAkin
  • Fix: Issues with email adapter validation, thanks to Tyler Brock
  • Fix: Issues with nested $or queries, thanks to Florent Vilmart


June 30, 2016
  • Fix: Type in description for Parse.Error.INVALID_QUERY, thanks to Andrew Lane
  • Improvement: Stop requiring verifyUserEmails for password reset functionality, thanks to Tyler Brock
  • Improvement: Kill without validation, thanks to Drew Gross
  • Fix: Deleting a file does not delete from fs.files, thanks to David Keita
  • Fix: Postgres stoage adapter fix, thanks to Vitaly Tomilov
  • Fix: Results invalid session when providing an invalid session token, thanks to Florent Vilmart
  • Fix: issue creating an anonymous user, thanks to Hussam Moqhim
  • Fix: make http response serializable, thanks to Florent Vilmart
  • New: Add postmark email adapter alternative Glenn Reyes


June 25, 2016
  • Hotfix: Fix Parse.Cloud.HTTPResponse serialization


June 12, 2016
  • Hotfix: Pin version of deepcopy


June 9, 2016
  • New: Custom error codes in cloud code response.error, thanks to Jeremy Pease
  • Fix: Crash in beforeSave when response is not an object, thanks to Tyler Brock
  • Fix: Allow "get" on installations
  • Fix: Fix overly restrictive Class Level Permissions, thanks to Florent Vilmart
  • Fix: Fix nested date parsing in Cloud Code, thanks to Marco Cheung
  • Fix: Support very old file formats from


May 31, 2016
  • Security: Censor user password in logs, thanks to Marco Cheung
  • New: Add PARSE_SERVER_LOGS_FOLDER env var for setting log folder, thanks to KartikeyaRokde
  • New: Webhook key support, thanks to Tyler Brock
  • Perf: Add cache adapter and default caching of certain objects, thanks to Blayne Chard
  • Improvement: Better error messages for schema type mismatches, thanks to Jeremy Pease
  • Improvement: Better error messages for reset password emails
  • Improvement: Webhook key support in CLI, thanks to Tyler Brock
  • Fix: Remove read only fields when using beforeSave, thanks to Tyler Brock
  • Fix: Use content type provided by JS SDK, thanks to Blayne Chard and Florent Vilmart
  • Fix: Tell the dashboard the stored push data is available, thanks to Jeremy Pease
  • Fix: Add support for HTTP Basic Auth, thanks to Hussam Moqhim
  • Fix: Support for MongoDB version 3.2.6, (note: do not use MongoDB 3.2 with migrated apps that still have traffic on, thanks to Tyler Brock
  • Fix: Prevent pm2 from crashing when push notifications fail, thanks to benishak
  • Fix: Add full list of default _Installation fields, thanks to Jeremy Pease
  • Fix: Strip objectId out of hooks responses, thanks to Tyler Brock
  • Fix: Fix external webhook response format, thanks to Tyler Brock
  • Fix: Fix beforeSave when object is passed to success, thanks to Madhav Bhagat
  • Fix: Remove use of deprecated APIs, thanks to Emad Ehsan
  • Fix: Crash when multiple Parse Servers on the same machine try to write to the same logs folder, thanks to Steven Shipton
  • Fix: Various issues with key names in Parse.Objects
  • Fix: Treat Bytes type properly
  • Fix: Caching bugs that caused writes by masterKey or other session token to not show up to users reading with a different session token
  • Fix: Pin mongo driver version, preventing a regression in version 2.1.19
  • Fix: Various issues with pointer fields not being treated properly
  • Fix: Issues with pointed getting un-fetched due to changes in beforeSave
  • Fix: Fixed crash when deleting classes that have CLPs


May 15, 2016
  • Fix: Write legacy ACLs to Mongo so that clients that still go through can read them, thanks to Tyler Brock and carmenlau
  • Fix: Querying installations with limit = 0 and count = 1 now works, thanks to ssk7833
  • Fix: Return correct error when violating unique index, thanks to Marco Cheung
  • Fix: Allow unsetting user's email, thanks to Marco Cheung
  • New: Support for Node 6.1


May 9, 2016
  • Fix: Fix a regression that caused Parse Server to crash when a null parameter is passed to a Cloud function


May 8, 2016
  • New: Support for Pointer Permissions
  • New: Expose logger in Cloud Code
  • New: Option to revoke sessions on password reset
  • New: Option to expire inactive sessions
  • Perf: Improvements in ACL checking query
  • Fix: Issues when sending pushes to list of devices that contains invalid values
  • Fix: Issues caused by using babel-polyfill outside of Parse Server, but in the same express app
  • Fix: Remove creation of extra session tokens
  • Fix: Return authData when querying with master key
  • Fix: Bugs when deleting webhooks
  • Fix: Ignore _RevocableSession header, which might be sent by the JS SDK
  • Fix: Issues with querying via URL params
  • Fix: Properly encode "Date" parameters to cloud code functions


April 15, 2016


April 5, 2016


April 4, 2016


March 29, 2016
  • Hotfix: fixed imports issue for S3Adapter, GCSAdapter, FileSystemAdapter #1263 (drew-gross
  • Fix: Clean null authData values on _User update #1199 (yuzeh)


March 29, 2016


March 23, 2016
  • Important Fix: Mounts createLiveQueryServer, fix babel induced problem #1153 (flovilmart)
  • Move ParseServer to it's own file #1166 (flovilmart)
  • Update remove deploy buttons replace with community links #1139 (drew-gross)
  • Adds #1138 (flovilmart)
  • Fix: Do not override username #1142 (flovilmart)
  • Fix: Add pushId back to GCM payload #1168 (wangmengyan95)


March 22, 2016
  • New: Add FileSystemAdapter file adapter #1098 (dtsolis)
  • New: Enabled CLP editing #1128 (drew-gross)
  • Improvement: Reduces the number of connections to mongo created #1111 (flovilmart)
  • Improvement: Make ParseServer a class #980 (flovilmart)
  • Fix: Adds support for plain object in $add, $addUnique, $remove #1114 (flovilmart)
  • Fix: Generates default CLP, freezes objects #1132 (flovilmart)
  • Fix: Properly sets installationId on creating session with 3rd party auth #1110 (flovilmart)


March 18, 2016
  • New Feature: Real-time functionality with Live Queries! #1092 (wangmengyan95)
  • Improvement: Push Status API #1004 (flovilmart)
  • Improvement: Allow client operations on Roles #1068 (flovilmart)
  • Improvement: Add URI encoding to mongo auth parameters #986 (bgw)
  • Improvement: Adds support for apps key in config file, but only support single app for now #979 (flovilmart)
  • Documentation: Getting Started and Configuring Parse Server #988 (hramos)
  • Fix: Various edge cases with REST API #1066 (flovilmart)
  • Fix: Makes sure the location in results has the proper objectId #1065 (flovilmart)
  • Fix: Third-party auth is properly removed when unlinked #1081 (flovilmart)
  • Fix: Clear the session-user cache when changing _User objects #1072 (gfosco)
  • Fix: Bug related to subqueries on unfetched objects #1046 (flovilmart)
  • Fix: Properly urlencode parameters for email validation and password reset #1001 (flovilmart)
  • Fix: Better sanitization/decoding of object data for afterSave triggers #992 (flovilmart)
  • Fix: Changes default encoding for httpRequest #892 (flovilmart)


March 11, 2016
  • Improvement: Full query support for badge Increment (#931) #983 (flovilmart)
  • Improvement: Shutdown standalone parse server gracefully #958 (raulr)
  • Improvement: Add database options to ParseServer constructor and pass to MongoStorageAdapter #956 (steven-supersolid)
  • Improvement: AuthData logic refactor #952 (flovilmart)
  • Improvement: Changed FileLoggerAdapterSpec to fail gracefully on Windows #946 (aneeshd16)
  • Improvement: Add new schema collection type and replace all usages of direct mongo collection for schema operations. #943 (nlutsenko)
  • Improvement: Adds CLP API to Schema router #898 (flovilmart)
  • Fix: Cleans up authData null keys on login for android crash #978 (flovilmart)
  • Fix: Do master query for before/afterSaveHook #959 (wangmengyan95)
  • Fix: re-add shebang #944 (flovilmart)
  • Fix: Added test command for Windows support #886 (aneeshd16)


March 9, 2016
  • New: FileAdapter for Google Cloud Storage #708 (mcdonamp)
  • Improvement: Minimize extra schema queries in some scenarios. #919 (Marco129)
  • Improvement: Move DatabaseController and Schema fully to adaptive mongo collection. #909 (nlutsenko)
  • Improvement: Cleanup PushController/PushRouter, remove raw mongo collection access. #903 (nlutsenko)
  • Improvement: Increment badge the right way #902 (flovilmart)
  • Improvement: Migrate ParseGlobalConfig to new database storage API. #901 (nlutsenko)
  • Improvement: Improve delete flow for non-existent _Join collection #881 (Marco129)
  • Improvement: Adding a role scenario test for issue 827 #878 (gfosco)
  • Improvement: Test empty authData block on login for #413 #863 (gfosco)
  • Improvement: Modified the npm dev script to support Windows #846 (aneeshd16)
  • Improvement: Move HooksController to use MongoCollection instead of direct Mongo access. #844 (nlutsenko)
  • Improvement: Adds public_html and views for packaging #839 (flovilmart)
  • Improvement: Better support for windows builds #831 (flovilmart)
  • Improvement: Convert Schema.js to ES6 class. #826 (nlutsenko)
  • Improvement: Remove duplicated instructions #816 (hramos)
  • Improvement: Completely migrate SchemasRouter to new MongoCollection API. #794 (nlutsenko)
  • Fix: Do not require where clause in $dontSelect condition on queries. #925 (nlutsenko)
  • Fix: Make sure that ACLs propagate to before/after save hooks. #924 (nlutsenko)
  • Fix: Support params option in Parse.Cloud.httpRequest. #912 (carmenlau)
  • Fix: Fix flaky Parse.GeoPoint test. #908 (nlutsenko)
  • Fix: Handle legacy _client_permissions key in _SCHEMA. #900 (drew-gross)
  • Fix: Fixes bug when querying equalTo on objectId and relation #887 (flovilmart)
  • Fix: Allow crossdomain on filesRouter #876 (flovilmart)
  • Fix: Remove limit when counting results. #867 (gfosco)
  • Fix: beforeSave changes should propagate to the response #865 (gfosco)
  • Fix: Delete relation field when _Join collection not exist #864 (Marco129)
  • Fix: Related query on non-existing column #861 (gfosco)
  • Fix: Update markdown in .github/ #859 (igorshubovych)
  • Fix: Issue with creating wrong _Session for Facebook login #857 (tobernguyen)
  • Fix: Leak warnings in tests, use mongodb-runner from node_modules #843 (drew-gross)
  • Fix: Reversed roles lookup #841 (flovilmart)
  • Fix: Improves loading of Push Adapter, fix loading of S3Adapter #833 (flovilmart)
  • Fix: Add field to system schema #828 (Marco129)


March 3, 2016
  • New: serverInfo endpoint that returns server version and info about the server's features
  • Improvement: Add support for badges on iOS
  • Improvement: Improve failure handling in cloud code http requests
  • Improvement: Add support for queries on pointers and relations
  • Improvement: Add support for multiple $in clauses in a query
  • Improvement: Add allowClientClassCreation config option
  • Improvement: Allow atomically setting subdocument keys
  • Improvement: Allow arbitrarily deeply nested roles
  • Improvement: Set proper content-type in S3 File Adapter
  • Improvement: S3 adapter auto-creates buckets
  • Improvement: Better error messages for many errors
  • Performance: Improved algorithm for validating client keys
  • Experimental: Parse Hooks and Hooks API
  • Experimental: Email verification and password reset emails
  • Experimental: Improve compatability of logs feature with
  • Fix: Fix for attempting to delete missing classes via schemas API
  • Fix: Allow creation of system classes via schemas API
  • Fix: Allow missing where cause in $select
  • Fix: Improve handling of invalid object ids
  • Fix: Replace query overwriting existing query
  • Fix: Propagate installationId in cloud code triggers
  • Fix: Session expiresAt is now a Date instead of a string
  • Fix: Fix count queries
  • Fix: Disallow _Role objects without names or without ACL
  • Fix: Better handling of invalid types submitted
  • Fix: beforeSave will not be triggered for attempts to save with invalid authData
  • Fix: Fix duplicate device token issues on Android
  • Fix: Allow empty authData on signup
  • Fix: Allow Master Key Headers (CORS)
  • Fix: Fix bugs if JavaScript key was not provided in server configuration
  • Fix: Parse Files on objects can now be stored without URLs
  • Fix: allow both objectId or installationId when modifying installation
  • Fix: Command line works better when not given options


February 24, 2016
  • Feature: Add initial support for in-app purchases
  • Feature: Better error messages when attempting to run the server on a port that is already in use or without a server URL
  • Feature: Allow customization of max file size
  • Performance: Faster saves if not using beforeSave triggers
  • Fix: Send session token in response to current user endpoint
  • Fix: Remove triggers for _Session collection
  • Fix: Improve compatability of cloud code beforeSave hook for newly created object
  • Fix: ACL creation for master key only objects
  • Fix: Allow uploading files without Content-Type
  • Fix: Add features to http requrest to match
  • Fix: Bugs in development script when running from locations other than project root
  • Fix: Can pass query constraints in URL
  • Fix: Objects with legacy "_tombstone" key now don't cause issues.
  • Fix: Allow nested keys in objects to begin with underscores
  • Fix: Allow correct headers for CORS


February 19, 2016
  • Change: The S3 file adapter constructor requires a bucket name
  • Fix: Parse Query should throw if improperly encoded
  • Fix: Issue where roles were not used in some requests
  • Fix: serverURL will no longer default to


February 18, 2016
  • Experimental: Schemas API support for DELETE operations
  • Fix: Session token issue fetching Users
  • Fix: Facebook auth validation
  • Fix: Invalid error when deleting missing session


February 17, 2016
  • Feature: Support for additional OAuth providers
  • Feature: Ability to implement custom OAuth providers
  • Feature: Support for deleting Parse Files
  • Feature: Allow querying roles
  • Feature: Support for logs, extensible via Log Adapter
  • Feature: New Push Adapter for sending push notifications through OneSignal
  • Feature: Tighter default security for Users
  • Feature: Pass parameters to cloud code in query string
  • Feature: Disable anonymous users via configuration.
  • Experimental: Schemas API support for PUT operations
  • Fix: Prevent installation ID from being added to User
  • Fix: Becoming a user works properly with sessions
  • Fix: Including multiple object when some object are unavailable will get all the objects that are available
  • Fix: Invalid URL for Parse Files
  • Fix: Making a query without a limit now returns 100 results
  • Fix: Expose installation id in cloud code
  • Fix: Correct username for Anonymous users
  • Fix: Session token issue after fetching user
  • Fix: Issues during install process
  • Fix: Issue with Unity SDK sending _noBody


February 11, 2016
  • Add: support for Android and iOS push notifications
  • Experimental: cloud code validation hooks (can mark as non-experimental after we have docs)
  • Experimental: support for schemas API (GET and POST only)
  • Experimental: support for Parse Config (GET and POST only)
  • Fix: Querying objects with equality constraint on array column
  • Fix: User logout will remove session token
  • Fix: Various files related bugs
  • Fix: Force minimum node version 4.3 due to security issues in earlier version
  • Performance Improvement: Improved caching