> For the complete documentation index, see [llms.txt](https://docs.p0.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.p0.dev/change-log/2026.md). # 2026 ## May 2026 ### New Features #### API & CLI Enhancements * **File Transfer Command.** New `p0 file-transfer` command uploads files directly to S3 with multipart support, progress tracking, and presigned download URLs. Supports arbitrarily large files with automatic retry on transient failures. * **MCP Gateway Integration.** New `p0 claude mcp add` command registers MCP servers with Claude Code, enabling AI-assisted access management through P0's agentic gateway. #### Security & Compliance Workflows * **Agentic Access Policies.** [Access policies](https://docs.p0.dev/orchestration/just-in-time-access/request-routing) can now match on the AI agent or MCP client that initiated a request, enabling fine-grained rules based on agent identity and agent owner group. * **On-Call Schedule Selection for Auto-Approval.** Auto-approval rules for [Incident.io](https://docs.p0.dev/integrations/approval-integrations/incidentio) now let you select specific on-call schedules, matching the existing [PagerDuty](https://docs.p0.dev/integrations/approval-integrations/pagerduty) behavior for more granular control. #### Cloud Platform Integrations * **RDS PostgreSQL Generally Available.** The Amazon RDS [PostgreSQL integration](https://docs.p0.dev/integrations/resource-integrations/postgresql-new) is now generally available. * **Azure Bastion SSH Generally Available.** The [Azure Bastion SSH](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/configure-bastion-host-integration) integration is now generally available, with session audit logging for tracking active connections. ### Enhancements #### User Experience * **Policy Studio Redesign.** Compact pill-style selectors replace vertical radio groups so the entire [access policy](https://docs.p0.dev/orchestration/just-in-time-access/request-routing) definition fits on one screen, with per-section status icons for better readability. * **Compact Access Request Lists.** Access request lists display with reduced spacing, making it easier to scan multiple requests at once. * **Session Timeout Handling.** The "Stay Logged In" button hides when your identity provider caps the session length, and dismissing the session warning now correctly resets the session timer. #### Reliability & Performance * **Improved AWS IDC Error Messages.** When a permission-set assignment fails because the target role exceeds the managed-policy quota, P0 now explains the cause and suggests remediation steps. * **Automatic Connector Install Retry.** Database connector installation retries IAM permission validation automatically, eliminating manual retries during initial setup. #### API & CLI Enhancements * **AWS GovCloud SAML Support.** The CLI now supports SAML assertions for AWS GovCloud (`aws-us-gov`) partitions, enabling [role assumption via Okta SSO](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-aws-role-assume) in regulated environments. ### Stability & Fixes * **Web Request Modal.** Fixed an error when changing the resource field after selecting an access type in the [web request modal](https://docs.p0.dev/orchestration/just-in-time-access/requesting-access/web-request-modal). * **Auto-Approval Expiry.** When multiple auto-approval rules apply, P0 now selects the shortest expiry timestamp to ensure least-privilege durations. * **`p0 ssh` Polling.** Fixed a URL construction issue that caused [SSH](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh) polling requests to fail with 404 errors. * **CLI Error Handling.** Fixed an error-handling path that could crash during Okta login when reading an HTTP response body twice. ## April 2026 ### New Features #### Integrations & Approvals * **Incident.io On-Call Approvals & Escalation.** Users on-call in [Incident.io](https://docs.p0.dev/integrations/approval-integrations/incidentio) can now approve access requests. Requesters can also escalate by paging the on-call responder directly from P0. #### Database Access * **New PostgreSQL Integration.** A redesigned, connector-based [PostgreSQL integration](https://docs.p0.dev/integrations/resource-integrations/postgresql-new) for AWS RDS. Install, list databases, and manage just-in-time access with improved reliability and setup. #### Access Management * **Custom Durations for Auto-Approved Requests.** Auto-approved requests now honor the requested duration instead of defaulting to one hour. * **Configurable Pending Request Timeout.** Administrators can set how long [access requests](https://docs.p0.dev/orchestration/just-in-time-access/requesting-access) remain pending before automatic denial, with a configurable default. * **GCP and Azure SSH Parent Requests.** Request [SSH access](https://docs.p0.dev/integrations/resource-integrations/ssh) to all nodes in a GCP project or Azure subscription using `p0 request ssh parent`. ### Enhancements #### Cloud Platform Integrations * **Simplified Azure SSH Setup.** [Azure SSH](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/install-ssh-access) no longer requires the full Entra ID directory integration, and the interactive admin consent flow has been removed — significantly reducing installation complexity. * **Okta Group Assignment Now GA.** [Okta](https://docs.p0.dev/integrations/directory-integrations/okta) group assignment is out of beta and available. * **Google Cloud Labels for Grouping.** Google Cloud labels are now used as a fallback for grouping tags when organizing resources. * **AWS Identity Center Email Matching.** P0 now matches on Identity Center user email in addition to username, resolving user-not-found errors for customers whose IDC usernames differ from their email. #### User Experience * **Request Modal Improvements.** [Slack](https://docs.p0.dev/integrations/notifier-integrations/slack) and web request modals now pre-populate dropdown options on focus, and the system preserves form values during slow responses. * **Integration Labels on Notifications.** Notifications and request details now display which cloud platform (AWS, GCP, Azure) a request targets, making multi-cloud approvals clearer. * **Pagination for Active Requests.** Active and [pre-approval](https://docs.p0.dev/orchestration/just-in-time-access/approving-access/pre-approving-access) request pages now support pagination with configurable page sizes. * **Faster GCP Resource Listing.** Listing GCP resources in Slack, CLI, and the web UI is significantly faster for large environments. #### CLI Improvements * **Google Account Selection.** `p0 login` with Google Workspace now forces account selection, preventing accidental login with the wrong account. * **Multi-Org SSH Configuration.** [`p0 ssh`](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh) proxy now supports the `P0_ORG` environment variable for multi-organization SSH configurations via `~/.ssh/config`. * **SSH Debug Commands.** `p0 ssh` now displays reproducible CLI commands for all providers (AWS, GCP, Azure) to simplify troubleshooting. ### Stability & Fixes * **CLI Network Resilience.** The CLI now retries polling for request status on network interruption without creating duplicate requests. * **CLI Pipe-Friendly Output.** Spinner output from [`p0 ls`](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ls) and `p0 request` is suppressed when piped to other tools. * **`--size` with `--json` Fix.** The `--size` flag now correctly limits results when combined with `--json`. * **Access Request Hang Fix.** Fixed an issue where access requests would hang indefinitely while waiting for approval. * **SSH Pre-Approved Sudo Fallback.** Fixed [`p0 ssh`](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh) failing to fall back to non-sudo access when sudo was not pre-approved. * **AWS SSH from New Machine.** Fixed [SSH access](https://docs.p0.dev/integrations/resource-integrations/ssh) failing when connecting from a new machine or after key regeneration. * **Pre-Approval Date Validation.** Fixed date validation errors that occurred in certain time zones when creating pre-approvals. ## March 2026 ### New Features #### On-Premises Access * **Linux Connector for SSH.**\ SSH access to on-premises Linux machines now uses a lightweight connector instead of requiring the P0 agent on each target host. Includes [session recording](https://docs.p0.dev/orchestration/just-in-time-access/session-recording) and security assessment support. * **On-Premises RDP Access.**\ Request and provision just-in-time access to Windows machines via Remote Desktop Protocol, including session recording and playback. * **`p0 sudo` Command.**\ New CLI command to request just-in-time sudo access and run commands as another user on Linux machines. * **Windows Admin Integration.**\ Manage Windows user accounts and passwords through P0, with Active Directory user listing and password reset lifecycle. #### Integrations * [**Cisco Secure Access**](https://docs.p0.dev/integrations/resource-integrations/cisco-secure-access) **Integration.**\ JIT network routing for SSH through Cisco Secure Access. * **Zscaler Private Access Integration.**\ JIT SSH network routing through Zscaler Private Access. * **incident.io Auto-Approval.**\ Routing rules can now use incident.io on-call schedules as automatic approvers for emergency access workflows. * **Webex Notifier.**\ Send access request notifications and approvals through Webex. * **Splunk Stack Access Integration.**\ Manage access to Splunk Stack environments with manifest-based lifecycle and typed Lambda API. #### Session Recording & Audit * **Unified Terminal Replay.**\ Session recordings across all integrations now use a terminal replay player with full ANSI color support, playback controls, and search. * **Splunk Session Audit.**\ Read SSH session recordings directly from Splunk for centralized audit trail. * **Self-Hosted SSH Session Recording.**\ View SSH session evidence including terminal replay and audit trail for [self-hosted](https://docs.p0.dev/integrations/resource-integrations/ssh/self-hosted) instances. #### Vault & Secrets * **Secrets Vault Viewer.**\ New vault page in the UI to view and manage secrets created by P0, with filtering, caching, and management tags. * [**GCP Secret Manager**](https://docs.p0.dev/integrations/resource-integrations/google-cloud) **Access.**\ Request access to GCP Secret Manager secrets via resource requests, with project-level IAM policies. #### Security & Compliance * **SSH Security Assessment.**\ Assess SSH security posture across AWS SSM and self-hosted instances, with risk findings. * **Workload Identity Federation (WIF) Support.**\ WIF identities can authenticate, request access, and manage policies through Policy Studio. * **SSH Risk Findings in Assessment.**\ SSH security assessments now include actionable risk findings. * **Self-Hosted SSH Assessment.**\ Run security assessments against self-hosted SSH instances. #### Cloud Platform Integrations * **RDP Proxy Access in CLI.**\ New RDP proxy access support in the [P0 CLI](https://docs.p0.dev/p0-cli/p0-commands-and-usage) for remote desktop connections. ### Enhancements #### Search & Navigation * **Regex Search in Inventory and Monitors.**\ Use regex patterns (`/pattern/`) in the [query search](https://docs.p0.dev/inventory/query-search) bar for inventory and monitor queries. * **SSH Targeting by FQDN and Public IP.**\ Target [GCP](https://docs.p0.dev/integrations/resource-integrations/google-cloud), [Azure](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/install-ssh-access), and AWS SSH instances by FQDN, public IP, or custom tags instead of instance ID. * **Hostname-Based Access Requests.**\ Users can request SSH access by hostname instead of requiring a UUID. * **Linux User Listing.**\ List users on Linux machines directly from the P0 UI for access requests. #### Authentication & Access * **Self-Hosted SSH Key Authentication.**\ Self-hosted SSH switches from certificate signing to public key push for broader compatibility. * **Sudo Access via Groups.**\ Sudo access provisioning now uses groups, removing the need to start a new shell session after access is granted. * [**Azure Bastion**](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/configure-bastion-host-integration) **Premium SKU.**\ Azure Bastion integration now supports premium SKU. * [**`p0 ssh`**](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh) **Retry on Unknown Port Errors.**\ Automatically retries connection failures during self-hosted SSH access propagation. #### Reliability & Performance * [**PostgreSQL**](https://docs.p0.dev/integrations/resource-integrations/postgresql-new) **Duplicate Provisioning.**\ PostgreSQL no longer errors when provisioning access to a user who already has it. * **Improved CLI Network Resilience.**\ The CLI retries transient network errors with exponential backoff instead of failing immediately. #### User Experience * **Dashboard Empty State.**\ The posture dashboard panel shows clear empty results instead of an infinite loading state when no findings exist. * **Removed Stale Announcement Banners.**\ Cleans up outdated Policy Studio announcement banners from the UI. * **Fixed Cisco in SSH Installer.**\ [Cisco](https://docs.p0.dev/integrations/resource-integrations/cisco-secure-access) now appears correctly in the SSH network access provider list during installation. #### Stability & Fixes * **Slack OAuth Token Handling.**\ Fixes stale [Slack](https://docs.p0.dev/integrations/notifier-integrations/slack) OAuth tokens that accumulated errors silently. * **RDP Session Recordings.**\ Fixes RDP session recordings not appearing in production. * **`p0 scp` Error Messages.**\ Suppresses spurious "SSH session terminated" messages for [`p0 scp`](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-scp) and surfaces missing file and permission errors. * **GCP Access Conditions.**\ Fixes condition chaining for GCP access requests across multiple grants. * **Terraform Null Field Crash.**\ Fixes a crash when optional Terraform provider fields are set to null. * **Integration Error Surfacing.**\ Integration errors from Cloud Run now surface to end-users with actionable messages instead of failing silently. *** ## February 2026 ### New Features #### SIEM Integrations * [**Datadog**](https://docs.p0.dev/integrations/siem-integrations/datadog-setup) **Audit Log Integration.**\ Send P0 audit logs directly to Datadog with a self-service installer in the UI. * **S3 Audit Log Archival.**\ Automatically archive audit logs to an Amazon S3 bucket on a 15-minute schedule. #### Cloud Platform Integrations * [**AWS RDS**](https://docs.p0.dev/integrations/resource-integrations/aws/managed-services/aws-rds) **Token Generation.**\ New `p0 aws rds generate-db-auth-token` CLI command to generate database authentication tokens using P0 grants. * [**AWS RDS**](https://docs.p0.dev/integrations/resource-integrations/aws/managed-services/aws-rds) **Terraform Install.**\ Set up AWS RDS integration via Terraform directly from the web UI installer. * [**MySQL**](https://docs.p0.dev/integrations/resource-integrations/mysql) **and RDS Terraform Installers.**\ Set up MySQL and AWS RDS integrations via Terraform directly from the web UI. * **GCP Security Perimeter Region Configuration.**\ [GCP security perimeter](https://docs.p0.dev/integrations/resource-integrations/google-cloud/security-perimeter) Cloud Run deployments are no longer hard-coded to `us-west1`; specify your preferred region during installation. * **SSH Alternative Name Targeting.**\ [SSH](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh) nodes can be targeted via hostname, FQDN, instance ID, or custom tags using `p0 ls` and `p0 ssh`. #### Authentication & Access * [**Okta**](https://docs.p0.dev/integrations/directory-integrations/okta) **Groups as Security Reviewers.**\ Assign Okta groups as Security Reviewers in P0 Management, not individual users only. * **AWS IDC Delegated Admin Accounts.**\ Manage access in AWS Identity Center environments using delegated admin accounts. * **SSH Host Key Caching.**\ The CLI caches SSH host keys locally for faster connections and detects host key mismatches with guided recovery. * **SSH Password Authentication Disabled.**\ The CLI now enforces public key authentication for [SSH](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh) and [SCP](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-scp), preventing fallback to less secure methods. #### User Experience * **Refreshed Navigation.**\ We redesigned the sidebar navigation with a light theme and outlined icons for a cleaner look. * **Integration Documentation in UI.**\ Integration pages now display contextual documentation, descriptions, prerequisites, and use-case guidance directly in the setup flow. ### Enhancements #### User Experience * **Audit Logs for Request Creation.**\ The `api.jit.permission-requests.created` event now fires for all request sources: UI, CLI, Slack modal, and slash command. * **MySQL Connectivity Instructions.**\ [Slack](https://docs.p0.dev/integrations/notifier-integrations/slack) notifications for approved MySQL/RDS access now include connection instructions. * **AWS Permission Set Validation.**\ Requests for AWS Identity Center permission sets with customer-managed policies are validated at submission time. #### Authentication & Access * [**Kubernetes**](https://docs.p0.dev/integrations/resource-integrations/kubernetes) **EKS Auto-Mode Support.**\ The Kubernetes installer now supports EKS clusters with Auto-Mode enabled. #### Stability & Fixes * [**Microsoft Entra ID**](https://docs.p0.dev/integrations/directory-integrations/microsoft-entra-id) **Group Caching.**\ Fixes a bug where Entra ID groups were not listed in the Slack access request modal. * **Device Code Authentication.**\ Fixes the device code login flow that was always showing "User Not Logged In." * **Database Connector Error Messages.**\ Database connector commands now provide actionable error messages and suggestions instead of misleading privilege errors. * [**`p0 kubeconfig`**](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-kubeconfig) **Windows Fix.**\ Fixes `p0 kubeconfig` to use OS-safe command execution on Windows. * **Slack Pre-Approval Validation.**\ Fixes a bug where re-requesting access from [Slack](https://docs.p0.dev/integrations/notifier-integrations/slack) bypassed pre-approval validation. * **GCP API Error Handling.**\ Fixes error handling in GCP API calls that caused issues for Google Cloud requests. * **Magic Link Login.**\ Fixes a 500 error when clicking the email magic link for newly provisioned organizations. * **Okta Token Exchange Errors.**\ Surfaces specific [Okta](https://docs.p0.dev/integrations/directory-integrations/okta) token exchange errors instead of a generic "session expired" message. * [**`p0 scp`**](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-scp) **Error Surfacing.**\ Surfaces missing file/directory and permission denied errors during `p0 scp` operations. * [**`p0 kubeconfig`**](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-kubeconfig) **Bug Fix.**\ Fixes incorrect parameter ordering in `p0 request k8s resource` generated by `p0 kubeconfig`. *** ## January 2026 ### New Features #### Core Platform Capabilities * **Policy Studio.**\ New Policy Studio tab consolidates [routing rules](https://docs.p0.dev/orchestration/just-in-time-access/request-routing) and approval policies into a single management view. * [**Microsoft Entra ID**](https://docs.p0.dev/integrations/directory-integrations/microsoft-entra-id) **Manager Approvals.**\ Approval workflows can now route to the requester's manager via Entra ID manager lookup. * **Approvers Can Revoke Pre-Approvals.**\ Designated approvers can now revoke standing [pre-approvals](https://docs.p0.dev/orchestration/just-in-time-access/approving-access/pre-approving-access), not only admins. * **In-App Announcement Banner.**\ New in-app banner for surfacing product updates and important notices to users. * **AWS SSH IP Address Search.**\ Search for SSH targets by IP address in the AWS integration. * **GCP Role Removal Suggestions.**\ Posture management now surfaces suggestions to remove unused GCP roles. * **P0 Tags on Permission Sets.**\ Permission sets display P0 metadata tags for better visibility into managed resources. #### API & CLI Enhancements * [**`p0 ls`**](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ls) **Filtering.**\ Filter results by resource type or name with the `p0 ls` command. * **CLI Version Check Messaging.**\ The CLI notifies you about available updates and can display custom messages from P0 (security advisories, deprecation notices). * **`--request=false` for Role Assumption.**\ New flag for [`p0 aws role assume`](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-aws-role-assume) to bypass the access request check, useful for debugging federated SSH. * **`--debug` Flag for AWS/SSM Validation.**\ Validates AWS CLI and SSM plugin installations to help troubleshoot SSH connection issues. * **Sudo Access by Default (Environment Variable).**\ New environment variable to control whether [`p0 ssh`](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh) requests sudo access by default. * **Two-Character SSH Group Search.**\ Lowered the minimum search length to two characters when searching SSH group targets. * **Date Column in Request History.**\ Request history table now shows a visible date column. ### Enhancements #### User Experience * **Activity Page Search and Filtering.**\ Search and filter controls on the activity and audit log pages in the web UI. * **Configurable Page Sizes.**\ Page-size selectors on pre-approvals and activity log pages for viewing more entries at once. * **AWS Account Filtering in Routing Rules.**\ Filter [routing rules](https://docs.p0.dev/orchestration/just-in-time-access/request-routing/aws-filtering) by specific AWS accounts. #### Notifications & Integrations * [**Slack**](https://docs.p0.dev/integrations/notifier-integrations/slack) **Re-Request Duration Selector.**\ Choose a different time window when re-requesting access from a Slack notification. #### Reliability & Performance * **AWS SSH Node Refresh Interval.**\ Configurable refresh interval for AWS node discovery, improving SSH target visibility timing. * **Concurrent SSH Grant/Revoke.**\ Fixes reliability issues when granting and revoking SSH access simultaneously on the same host. * **AWS IDC Credential Retries.**\ Increases retries for AWS credential fetching with a user-friendly transient error message. #### Stability & Fixes * [**EKS**](https://docs.p0.dev/integrations/resource-integrations/kubernetes) **ARN Fix for us-east-1.**\ Corrects ARN formatting for EKS clusters in `us-east-1` that prevented access requests. * **EKS Auto-Mode Installer Warning.**\ Warns during Kubernetes setup if the cluster uses Auto-Mode, which requires extra configuration. * **Slack Modal Timeout.**\ Slack modals no longer time out during access requests; heavy processing runs in the background. * **CLI Login Page Text.**\ Fixes login success page to not show a premature success message before login completes. * [**Snowflake**](https://docs.p0.dev/integrations/resource-integrations/snowflake) **Installer.**\ Resolves an error in the Snowflake integration installer that blocked initial setup. * [**Okta**](https://docs.p0.dev/integrations/directory-integrations/okta) **Session Expiration.**\ Improves behavior when an Okta session expires, prompting re-authentication instead of showing an error. * **Kubernetes Permission Display.**\ Fixes incorrect permission display for certain Kubernetes RBAC configurations. * **Web Modal Validation.**\ Surfaces field-level validation errors in access request modals instead of silently failing. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.p0.dev/change-log/2026.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.