Anaplan is making updates across our APIs to enhance the security and reliability of our systems. These changes are meant to reduce risk and ensure that your integrations remain stable and supported as we scale.
Note: These changes are effective as of June 19, 2026.
Field addition to certificate-based authentication
Our certificate-based authentication API requires a new encodedDataFormat field in the request. The value entered should be v2. This ensures that each request is time-specific, improving security, and preventing potential misuse. Also, when the encodedDataFormat is v2, encodedData is prefixed with 8 bytes of timestamp.
If you use our certificate-based authentication API, please work with your technical teams to enable the new field encodedDataFormat into your header along with changes in the contents of encodedData by June 19, 2026.
Changes
| Field | Usage | Endpoint | Direction |
encodedDataFormat | New field. Value entered should be v2 | /token/authenticate | Request |
Example request payload
{
"encodedDataFormat": "v2",
"encodedData": "AAAAAGhaH7pebU386At+2uv/3lpGFMjzXvyg/9l1/imcrKrbW/jGgC+GBboUEyQ0xNA654rA==",
"encodedSignedData": "dL7D64YlMIk//2Bq9nBN6CwCcM8/tMNAdEY/SQpRrr+YFLZ80/zMrrThuG0xK1qA/ug8vj+i8v/zHQ=="
}
Refresh token added to authentication API response
The token authentication API response includes an additional field called refreshToken. In preparation for JSON Web Token (JWT) support for rolling out signed authentication tokens, a new field/attribute refreshToken is introduced to auth response. This is a long-lived, securely stored token used in JWT authentication to obtain new, short-lived access tokens without requiring the user to log in again. Ensure this field is marked as OPTIONAL and ignore unknowns.
If you use the token authentication API, we recommend checking with your technical team to ensure that your authentication integration can handle the new refreshToken field in the API response. Specifically, if your systems validate the API response, confirm that they'll still accept this field when it's present, if it's not being ignored.
Changes
| Field | Usage | Endpoint | Direction |
refreshToken | Ensure your integrations accept this field | /token/authenticate | Response |
Example response
{
"meta": {
"validationUrl": "https://auth.anaplan.com/token/validate"
},
"status": "SUCCESS",
"statusMessage": "Login successful",
"tokenInfo": {
"expiresAt": 1754089739887,
"tokenId": "9e4daefeb4-6df27-11f0-9013-1dacef4",
"tokenValue": "encoded auth token",
"refreshTokenId": "9e4efadaeb5-6f27-11f0-9013-f6c35678",
"refreshToken": "encoded refresh token"
}
}
For more information, see: https://anaplanauthentication.docs.apiary.io/
