Beta Limitations

Mandaitor is in public beta. We want you to know exactly what is production-ready, what is not, and where the rough edges are. This page is the single source of truth for those boundaries — if you rely on a feature that is not listed here as stable, treat it as best-effort.

Stability Tiers

| Tier | What it means |
|---|---|
| Stable | Production-ready. Breaking changes only with a 90-day deprecation window. |
| Beta | Feature-complete but may change based on feedback. 30-day deprecation window. |
| Preview | Experimental. Can change or be removed at any time. |

API Surface

Stable

  • POST /verify — mandate verification with reason codes and constraints.
  • POST /mandates, GET /mandates/{id}, GET /mandates — mandate CRUD.
  • POST /mandates/{id}/suspend, /reactivate, /revoke — lifecycle.
  • GET /mandates/{id}/events, GET /events/{id} — audit log reads.
  • POST /onboarding/request — public onboarding intake.
  • API key authentication via x-api-key header.

Beta

  • GET /mandates/{id}/evidence-pack — court-ready evidence export. Schema may gain fields but will not break existing ones.
  • POST /verify?pom=sd-jwt-vc — Proof-of-Mandate Verifiable Credential issuance.
  • Admin dashboard at dashboard.mandaitor.io. UI may evolve rapidly.

Preview

  • EUDI Wallet session APIs (/eudi/*).
  • SCIM provisioning endpoints.
  • DID document resolution (/.well-known/did.json).
  • Trust signal endpoint (/trust-signals).

Operational Limits

  • Region: All data resides in eusc-de-east-1 (AWS European Sovereign Cloud). Cross-region replication is not yet available.
  • Throughput: See Rate Limiting. Beta accounts are capped at 10 req/s sustained, 20 req/s burst, 100k requests/month.
  • Retention: Events and mandates are retained for the lifetime of the account during beta. Long-term retention policies will be announced before GA.
  • SLA: No formal SLA during beta. Best-effort 99.5% availability; targets are monitored on the public Trust Page.

What Is Not Yet Supported

  • Multi-region failover.
  • Customer-managed encryption keys beyond the regional default.
  • On-prem / self-hosted deployment.
  • GDPR Article 20 automated data export (manual export on request).
  • Signed webhook delivery (webhooks are best-effort without HMAC headers yet).
  • Fine-grained RBAC inside a single tenant (today: admin / tenant).
  • Audit log export to external SIEM.

Known Rough Edges

  • Evidence pack export returns JSON only. A PDF renderer is available in the dashboard via browser print.
  • Verify Playground API key is stored in sessionStorage and does not persist across browser tabs.
  • Compliance dashboard verification badges may briefly show "asserted" immediately after a claim is added, before the next weekly generator run reclassifies it.

Reporting Issues

  • Security: security@mandaitor.io (PGP key on the Trust Page).
  • Bugs: GitHub issues.
  • Questions: support@mandaitor.io for direct beta support and onboarding help.

Going to General Availability

We will announce GA with:

  1. A 30-day notice on this page and the dashboard.
  2. An explicit changelog of every breaking change between beta and GA.
  3. A published SLA.
  4. A data residency attestation.

Until then, please treat Mandaitor as beta software: production-safe for pilot workloads, but not yet backed by a formal support agreement.