Gateco Team

What Shipped in April 2026: REBAC, API Keys, and Trust Center

This month we shipped four things that have been on the roadmap since our first design-partner conversations: relationship-based access control (REBAC), API key authentication, SDK v1.0 on PyPI and npm, and a Trust Center that documents how we handle your data.

**REBAC: 1-hop direct relations.** You can now attach named relations between principals and resources: owner_of, viewer_of, or any relation name your model needs. A policy condition like `relation.owner_of == true` grants access only when that exact (principal, owner_of, resource) tuple exists. Relations are direct and one hop only: nothing is inherited through group membership, parent resources, or chains of relations, so if you need "members of the owning team" you write that tuple for each member. Each check is one indexed query, roughly 1 ms of overhead. Create and manage relations via the new `/api/relationships` endpoints or the SDK's `client.relationships` namespace.
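To make the 1-hop semantics concrete, here is an added example (not Gateco's code) of an in-memory relation store and an evaluator for conditions of the form `relation.<name> == true`. The tuple shape (principal, relation, resource), the condition grammar, and the dict index standing in for the service's indexed query are assumptions of the example; the evaluator also follows the fail-closed rule the Trust Center states, turning any evaluation error into a deny.

```python
# Added example, not Gateco's code: an in-memory model of 1-hop direct
# relations and of a policy condition of the form `relation.<name> == true`.
# Assumed here (not on the page): the tuple shape (principal, relation,
# resource), the condition grammar, and the dict index standing in for the
# service's indexed query.
import re
from collections import defaultdict


class RelationStore:
    """Direct relation tuples, indexed so a check is a single lookup."""

    def __init__(self):
        # (principal, resource) -> {relation names}
        self._index = defaultdict(set)

    def add(self, principal, relation, resource):
        self._index[(principal, resource)].add(relation)

    def remove(self, principal, relation, resource):
        self._index[(principal, resource)].discard(relation)

    def has(self, principal, relation, resource):
        # One hop only: the tuple must name this principal and this resource
        # directly. Membership in a group that owns the resource, or ownership
        # of a parent resource, is never followed.
        return relation in self._index.get((principal, resource), ())


# Grammar assumed for the example: `relation.<name> == true|false`.
_CONDITION = re.compile(r"^relation\.([A-Za-z_][A-Za-z0-9_]*)\s*==\s*(true|false)$")


def evaluate(store, condition, principal, resource):
    """Return "allow" or "deny" for one policy condition.

    Fail closed: a malformed condition, a missing store, or any other
    evaluation error yields "deny" rather than an exception.
    """
    try:
        m = _CONDITION.match(condition.strip())
        if m is None:
            raise ValueError(f"unsupported condition: {condition!r}")
        relation, expected = m.group(1), m.group(2) == "true"
        present = store.has(principal, relation, resource)
        return "allow" if present == expected else "deny"
    except Exception:
        return "deny"


def demo():
    """Constructed sample tuples; returns the decisions for inspection."""
    store = RelationStore()
    store.add("alice", "owner_of", "doc:42")
    store.add("bob", "viewer_of", "doc:42")
    # A group that owns a document, and alice as a member of that group:
    # a 1-hop check does not chain these two tuples together.
    store.add("group:eng", "owner_of", "doc:99")
    store.add("alice", "member_of", "group:eng")
    cond = "relation.owner_of == true"
    return {
        "alice_doc42": evaluate(store, cond, "alice", "doc:42"),
        "bob_doc42": evaluate(store, cond, "bob", "doc:42"),
        "alice_doc99_via_group": evaluate(store, cond, "alice", "doc:99"),
        "malformed": evaluate(store, "relation.owner_of = true", "alice", "doc:42"),
        "no_store": evaluate(None, cond, "alice", "doc:42"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

The `alice_doc99_via_group` case is the one to internalise: alice is a member of the group that owns `doc:99`, and the check still denies, because a direct relation means exactly one tuple between this principal and this resource.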

**API key authentication.** The `X-API-Key` header is now first-class. Create keys in Settings → API Keys, copy the plaintext once (it is not shown again), and send it from server-to-server integrations that have no user session. The service stores only a short, indexable key prefix and a bcrypt hash of the secret: a presented key is looked up by its prefix, then checked with a bcrypt verify, so the plaintext never lands in the database and a leaked table does not yield usable keys.
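The prefix-plus-slow-hash pattern, as an added example that is not Gateco's code. The key format `gk_<prefix>_<secret>` is invented for the example, and where the page says bcrypt this example uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in so it runs without third-party packages; the structure (index by prefix, verify against a salted slow hash, constant-time compare, same cost for unknown prefixes) is the point.

```python
# Added example, not Gateco's code: issuing and checking API keys so that the
# database holds only an indexable prefix and a slow hash of the secret.
# Assumptions: the key format "gk_<prefix>_<secret>" is invented for the
# example; the page says the service verifies with bcrypt, and this example
# uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in so it runs
# without third-party packages.
import hashlib
import hmac
import secrets

_ITERATIONS = 100_000  # deliberately slow, playing the role of bcrypt's cost


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _ITERATIONS)


class ApiKeyStore:
    def __init__(self):
        self._by_prefix = {}  # prefix -> {"salt", "hash", "owner"}
        # Salt for a decoy hash so an unknown prefix costs the same as a real
        # one; otherwise response time tells a caller which prefixes exist.
        self._decoy_salt = secrets.token_bytes(16)

    def create(self, owner: str) -> str:
        """Mint a key. The returned plaintext is the only copy anywhere."""
        prefix = secrets.token_hex(4)          # public, used as the index
        while prefix in self._by_prefix:       # keep the index unique
            prefix = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)     # never stored
        salt = secrets.token_bytes(16)
        self._by_prefix[prefix] = {
            "salt": salt,
            "hash": _hash_secret(secret, salt),
            "owner": owner,
        }
        return f"gk_{prefix}_{secret}"

    def verify(self, presented: str):
        """Return the owner for a valid key, else None."""
        parts = presented.split("_", 2)        # the secret may contain "_"
        if len(parts) != 3 or parts[0] != "gk":
            return None
        _, prefix, secret = parts
        record = self._by_prefix.get(prefix)
        if record is None:
            _hash_secret(secret, self._decoy_salt)   # burn the same time
            return None
        if hmac.compare_digest(_hash_secret(secret, record["salt"]), record["hash"]):
            return record["owner"]
        return None

    def revoke(self, prefix: str) -> bool:
        """Drop a key by its public prefix; the prefix is all an admin needs."""
        return self._by_prefix.pop(prefix, None) is not None

    def stores_secret(self, presented: str) -> bool:
        """True if any stored field contains the presented key's secret part."""
        secret = presented.split("_", 2)[-1]
        return any(secret in repr(record) for record in self._by_prefix.values())


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create("ingest-worker")
    print("issued:", key)
    print("verify:", store.verify(key))
    print("stored secret anywhere:", store.stores_secret(key))
```

Two practical consequences follow from the layout. The prefix is safe to show in the UI and in audit logs, which is how you identify which key a request used without ever logging the secret; and revocation needs only the prefix, so an operator can kill a leaked key without having the key itself.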

**SDK v1.0.** `pip install gateco` and `npm install @gateco/sdk` now work. Both SDKs expose the same namespace structure: `client.retrievals`, `client.policies`, `client.principals`, `client.relationships`, `client.data_catalog`. The Python SDK includes the CLI and optional MCP server (`pip install gateco[mcp]`).

**Trust Center.** `/trust` documents our security posture: fail-closed default (policy eval error → deny), AES-256 at rest, TLS 1.3 in transit, 90-day audit retention, subprocessors, and our SOC 2 Type II roadmap (target H2 2026). The Design Partner Program is open; `/design-partners` has the application form.

What's next: the roadmap is shaped by design partners. If you're building AI products that touch regulated data and want input on where we go next, apply for the program.


Ready to secure your AI retrieval?

Start with the free tier: 100 retrievals/month, no credit card required.