2026-03-07 12:14:10 +01:00
5 changed files with 45 additions and 45 deletions
--- a/content/application-service-api.md
+++ b/content/application-service-api.md
@ -446,12 +446,11 @@ achieved by including the `as_token` on a `/register` request, along
 with a login type of `m.login.application_service` to set the desired
 user ID without a password.

-```http
+```
 POST /_matrix/client/v3/register
 Authorization: Bearer YourApplicationServiceTokenHere
-```

-```json
+Content:
 {
  "type": "m.login.application_service",
  "username": "_irc_example"
@ -477,12 +476,11 @@ along with a login type of `m.login.application_service`:

 {{% added-in v="1.2" %}}

-```http
+```
 POST /_matrix/client/v3/login
 Authorization: Bearer YourApplicationServiceTokenHere
-```

-```json
+Content:
 {
  "type": "m.login.application_service",
  "identifier": {
@ -547,13 +545,19 @@ client-server endpoint.
 Application services need to be able to create and delete devices to manage the
 encryption for their users without having to rely on `/login`, which also
 generates an access token for the user, and which might not be available for
-homeservers that only support the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
+homeservers that only support the [OAuth 2.0 API](client-server-api/#oauth-20-api).

 ##### Creating devices

 Application services can use the [`PUT /_matrix/client/v3/devices/{deviceId}`](/client-server-api/#put_matrixclientv3devicesdeviceid)
 endpoint to create new devices.

+When a new device was created, the homeserver MUST return a 201 HTTP status code.
+It MUST still return a 200 HTTP status code if a device was updated.
+
+This endpoint is rate-limited for device creation. Servers MAY want to use login
+rate limits.
+
 ##### Deleting devices

 The following endpoints used to delete devices MUST NOT require [User-Interactive
--- a/data/api/client-server/cross_signing.yaml
+++ b/data/api/client-server/cross_signing.yaml
@ -21,17 +21,13 @@ paths:
      x-addedInMatrixVersion: "1.1"
      x-changedInMatrixVersion:
        "1.11": UIA is not always required for this endpoint.
-        "1.17": |-
-          This endpoint no longer requires User-Interactive Authentication when used by an
-          application service.
      summary: Upload cross-signing keys.
      description: |-
        Publishes cross-signing keys for the user.

-        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api),
-        except when used by an application service.
+        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).

-        User-Interactive Authentication MUST be performed for regular clients, except in these cases:
+        User-Interactive Authentication MUST be performed, except in these cases:
        - there is no existing cross-signing master key uploaded to the homeserver, OR
        - there is an existing cross-signing master key and it exactly matches the
          cross-signing master key provided in the request body. If there are any additional
@ -50,6 +46,12 @@ paths:
        authentication type if the access token was obtained
        via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
        {{% /boxes/note %}}
+
+        {{% boxes/note %}}
+        {{% added-in v="1.17" %}}
+        When this endpoint is used by an application service, the server MUST NOT require
+        User-Interactive Authentication, even if cross-signing keys already exist.
+        {{% /boxes/note %}}
      operationId: uploadCrossSigningKeys
      security:
        - accessTokenQuery: []
--- a/data/api/client-server/device_management.yaml
+++ b/data/api/client-server/device_management.yaml
@ -88,20 +88,20 @@ paths:
        - Device management
    put:
      summary: Create or update a device
-      x-changedInMatrixVersion:
-        "1.17": The ability to create new devices was added.
      description: |-
-        Updates the metadata on the given device, or creates a new device.
+        Updates the metadata on the given device.

-        The ability to create new devices is only available to application
-        services: regular clients may only update existing devices.
+        {{% boxes/note %}}
+        {{% added-in v="1.17" %}}
+        This endpoint can be used by application services to create a device.

        When a new device was created, the homeserver MUST return a 201 HTTP
-        status code. It MUST return a 200 HTTP status code if a device was
+        status code. It MUST still return a 200 HTTP status code if a device was
        updated.

-        This endpoint is rate-limited for device creation. Servers MAY use login
-        rate limits.
+        This endpoint is rate-limited for device creation. Servers MAY want to
+        use login rate limits.
+        {{% /boxes/note %}}
      operationId: updateDevice
      security:
        - accessTokenQuery: []
@ -156,20 +156,21 @@ paths:
        - Device management
    delete:
      summary: Delete a device
-      x-changedInMatrixVersion:
-        "1.17": |-
-          This endpoint no longer requires User-Interactive Authentication when used by an
-          application service.
      description: |-
-        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api),
-        except when used by an application service.
+        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).

        Deletes the given device, and invalidates any access token associated with it.

        {{% boxes/warning %}}
-        When this endpoint requires User-Interactive Authentication, it cannot be used when the access token was obtained
+        Since this endpoint uses User-Interactive Authentication, it cannot be used when the access token was obtained
        via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
        {{% /boxes/warning %}}
+
+        {{% boxes/note %}}
+        {{% added-in v="1.17" %}}
+        When this endpoint is used by an application service, the server MUST NOT
+        require User-Interactive Authentication.
+        {{% /boxes/note %}}
      operationId: deleteDevice
      security:
        - accessTokenQuery: []
@ -218,20 +219,21 @@ paths:
  /delete_devices:
    post:
      summary: Bulk deletion of devices
-      x-changedInMatrixVersion:
-        "1.17": |-
-          This endpoint no longer requires User-Interactive Authentication when used by an
-          application service.
      description: |-
-        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api),
-        except when used by an application service.
+        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).

        Deletes the given devices, and invalidates any access token associated with them.

        {{% boxes/warning %}}
-        When this endpoint requires User-Interactive Authentication, it cannot be used when the access token was obtained
+        Since this endpoint uses User-Interactive Authentication, it cannot be used when the access token was obtained
        via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
        {{% /boxes/warning %}}
+
+        {{% boxes/note %}}
+        {{% added-in v="1.17" %}}
+        When this endpoint is used by an application service, the server MUST NOT
+        require User-Interactive Authentication.
+        {{% /boxes/note %}}
      operationId: deleteDevices
      security:
        - accessTokenQuery: []
--- a/data/api/client-server/login.yaml
+++ b/data/api/client-server/login.yaml
@ -243,13 +243,8 @@ paths:
                    }
                  }
        "400":
-          description: |-
-            Part of the request was invalid. For example, the login type may not be recognised.
-
-            Specific error codes used with this status code include:
-              * {{% added-in v="1.17" %}} `M_APPSERVICE_LOGIN_UNSUPPORTED`: an application service
-                used the `m.login.application_service` type, but the server doesn't support logging
-                in via the Legacy authentication API.
+          description: Part of the request was invalid. For example, the login type may
+            not be recognised.
          content:
            application/json:
              schema:
--- a/data/api/client-server/registration.yaml
+++ b/data/api/client-server/registration.yaml
@ -215,9 +215,6 @@ paths:
            * `M_INVALID_USERNAME` : The desired user ID is not a valid user name.
            * `M_EXCLUSIVE` : The desired user ID is in the exclusive namespace
              claimed by an application service.
-            * {{% added-in v="1.17" %}} `M_APPSERVICE_LOGIN_UNSUPPORTED`: an application service
-              used the `m.login.application_service` type without setting `inhibit_login` to `true`,
-              but the server doesn't support logging in via the Legacy authentication API.

            These errors may be returned at any stage of the registration process,
            including after authentication if the requested user ID was registered