April 28, 2025 - Enhanced security for encrypted tenant options

Change Header


Change Type: API change
Product area: Platform services
Component: REST API
Deployed at: eu.latest.cumulocity.com

Technical details

Build artifact: cumulocity (2025.116.0)
Internal ID: MTM-62399

Change Description


A new security feature has been introduced to restrict the decryption of encrypted tenant options with the "credentials." prefix. System users (such as bootstrap or microservice users) can now decrypt these options only if they own them.

Ownership is determined based on the category of the tenant option, in the following priority:

  1. The settingsCategory defined in the microservice manifest.
  2. The microservice’s context path.
  3. The microservice name.

This change is currently disabled by default and can be enabled through the API via the feature toggle secure-tenant-options.

Important
In Q4 2025 for the SaaS instances and in 2026 for the yearly releases, this restriction will become mandatory. We strongly recommend reviewing your microservices now to ensure compatibility with the upcoming enforcement. This gives microservice developers time to adapt, especially if their services depend on reading credentials.* options in categories not owned by the microservice.
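
For the review recommended above, the following added example (not Cumulocity code) resolves the category a microservice owns from its manifest in the stated priority and lists the credentials.* reads that fall outside it. It assumes that the first defined manifest field wins, that categories are compared as exact strings, and that the context path is stored under the manifest field contextPath; the manifest and read list are constructed samples.

```python
import json

CREDENTIALS_PREFIX = "credentials."  # prefix named in the announcement
# Manifest fields, highest priority first (contextPath as the field name is an assumption).
PRIORITY = ("settingsCategory", "contextPath", "name")


def owned_category(manifest):
    """Return the category the microservice owns (assumed: first defined field wins)."""
    for field in PRIORITY:
        value = manifest.get(field)
        if isinstance(value, str) and value.strip():
            return value.strip()
    raise ValueError("manifest defines none of: " + ", ".join(PRIORITY))


def blocked_reads(manifest, reads):
    """List 'category/key' reads the restriction would stop from being decrypted."""
    owner = owned_category(manifest)
    return [
        f"{category}/{key}"
        for category, key in reads
        # Only credentials.* options are affected; exact category match is assumed.
        if key.startswith(CREDENTIALS_PREFIX) and category != owner
    ]


# Constructed sample: no settingsCategory, so the context path decides ownership.
SAMPLE_MANIFEST = json.loads('{"name": "billing-connector", "contextPath": "billing"}')
# Constructed sample: (category, key) pairs the microservice reads at runtime.
SAMPLE_READS = [
    ("billing", "credentials.api_token"),          # owned category
    ("billing-connector", "credentials.password"),  # name loses to contextPath
    ("shared-smtp", "credentials.password"),        # category of another service
    ("shared-smtp", "host"),                        # not a credentials.* option
]

if __name__ == "__main__":
    print("owned category:", owned_category(SAMPLE_MANIFEST))
    for entry in blocked_reads(SAMPLE_MANIFEST, SAMPLE_READS):
        print("not owned, decryption restricted:", entry)
```

Each reported entry is an option to move into the owned category or to cover by setting settingsCategory in the manifest before enforcement.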
