1.4.0rc0

ACA-Py 1.4.0 delivers a major internal upgrade centered on the introduction of Kanon Storage, a new modular storage architecture that separates cryptographic key management from general data persistence. Kanon moves ACA-Py’s non-key data (connections, credentials, protocol records, etc.) out of the encrypted Askar wallet into a dedicated, database-native storage layer. Askar now functions purely as a Key Management Service (KMS), responsible for secure creation and use of keys and secrets. This shift enables ACA-Py deployments to leverage the full capabilities of their database engines—better indexing, analytics, and scalability—while preserving strong security boundaries around key material.

Kanon Storage is optional and fully backward compatible. Developed by the team at VeriDID (https://verid.id), this contribution represents a major advancement in ACA-Py's modular architecture and storage flexibility, and we extend our thanks to the VeriDID developers (notably dave-promulgare and vinaysingh8866) for their work in designing and implementing this foundational change. Existing ACA-Py deployments using Askar for all storage continue to function unchanged and can migrate to Kanon at any time. New deployments are encouraged to adopt Kanon for improved performance and operational flexibility.

Documentation for Kanon Storage for this 1.4.0rc0 release is limited to the Kanon Storage PR 3850. Additional documentation will be available before we finalize the 1.4.0 release.

Alongside Kanon, this release includes significant refactoring in the AnonCreds revocation subsystem, modernization of event handling via an updated EventBus, and improvements to credential signing for SD-JWT to ensure correct verification-method key usage. Developers will also notice lint rule revisions, post-Kanon cleanup, and smaller enhancements to demos and test infrastructure such as the --debug-webhooks flag and interop test fixes. Together, these updates improve maintainability, observability, and readiness for large-scale production use.

1.4.0 Deprecation Notices

In an upcoming ACA-Py release, we will be dropping from the core ACA-Py repository the AIP 1.0 RFC 0036 Issue Credentials v1.0 and RFC 0037 Present Proof v1.0 DIDComm protocols. Each of the protocols will be moved to the ACA-Py Plugins repo. All ACA-Py implementers that use those protocols SHOULD update as soon as possible to the AIP 2.0 versions of those protocols (RFC 0453 Issue Credential v2.0 and RFC 0454 Present Proof v2.0, respectively). Once the protocols are removed from ACA-Py, anyone still using those protocols MUST adjust their configuration to load those protocols from the respective plugins.

The acapy_agent.revocation_anoncreds package has been deprecated and relocated to acapy_agent.anoncreds.revocation for improved consistency across the codebase. The change should only affect ACA-Py Plugins that implement AnonCreds, but other developers should also take note.

⚠️ Breaking Changes

This release introduces no breaking changes for existing ACA-Py deployments. Existing instances can continue to use Askar for both key and data storage by default.

Implementers are encouraged to evaluate Kanon as the preferred approach for new deployments or planned upgrades. Kanon provides better scalability, performance, and integration with database-native capabilities such as indexing, analytics, and external management tools — while maintaining secure handling of cryptographic keys within Askar.

What's Changed

• Add --debug-webhooks config to demo agents by @jamshale in #3865
• chore(deps): Bump openwallet-foundation/acapy-agent from py3.12-1.3.1 to py3.12-1.3.2 in /demo/multi-demo by @dependabot[bot] in #3869
• chore(deps): Bump openwallet-foundation/acapy-agent from py3.12-1.3.1 to py3.12-1.3.2 in /demo/docker-agent by @dependabot[bot] in #3868
• chore(deps): Bump openwallet-foundation/acapy-agent from py3.12-1.3.1 to py3.12-1.3.2 in /demo/playground by @dependabot[bot] in #3867
• chore(deps): Bump github/codeql-action from 3.29.8 to 3.29.11 in the all-actions group by @dependabot[bot] in #3862
• chore(deps): Bump markdown from 3.8.2 to 3.9 by @dependabot[bot] in #3873
• chore(deps-dev): Bump pytest-cov from 6.2.1 to 6.3.0 by @dependabot[bot] in #3872
• ♻️ Refactor and modularize anoncreds revocation package by @ff137 in #3861
• fix: Repair Interop tests url by @jamshale in #3881
• chore(deps): Bump pynacl from 1.5.0 to 1.6.0 by @dependabot[bot] in #3880
• chore(deps): Bump the all-actions group across 1 directory with 4 updates by @dependabot[bot] in #3882
• chore(deps-dev): Bump ruff from 0.12.10 to 0.13.0 by @dependabot[bot] in #3879
• chore(deps-dev): Bump pydevd-pycharm from 252.25557.70 to 252.26199.25 by @dependabot[bot] in #3878
• chore(deps-dev): Bump pytest-cov from 6.3.0 to 7.0.0 by @dependabot[bot] in #3877
• Chore(chart): delete chart files and add chart relocation notice by @i5okie in #3883
• chore(deps-dev): Bump pydevd from 3.3.0 to 3.4.1 by @dependabot[bot] in #3884
• chore(deps): Bump postgres from 17 to 18 in /demo/docker-test/db by @dependabot[bot] in #3889
• chore(deps-dev): Bump pydevd-pycharm from 253.17525.96 to 253.24325.40 by @dependabot[bot] in #3898
• chore(deps): Bump the all-actions group across 1 directory with 4 updates by @dependabot[bot] in #3890
• 🔧 🎨 Revise lint rules by @ff137 in #3900
• Kanon Storage by @dave-promulgare in #3850
• 🎨 Post-Kanon cleanup by @ff137 in #3901
• ♻️ 💥 Refactor EventBus notify method by @ff137 in #3690
• (fix) Properly use VM key when signing [SD-]JWT by @gmulhearn in #3892
• chore(deps): Bump the all-actions group with 3 updates by @dependabot[bot] in #3899
• chore(deps-dev): Bump ruff from 0.13.3 to 0.14.0 by @dependabot[bot] in #3905
• chore(deps): Bump github/codeql-action from 4.30.7 to 4.30.8 in the all-actions group by @dependabot[bot] in #3908
• chore(deps): Bump pydantic from 2.11.3 to 2.12.0 in /scenarios by @dependabot[bot] in #3903
• chore(deps): Bump aiohttp from 3.12.15 to 3.13.0 by @dependabot[bot] in #3902
• 🎨 Move AnonCreds set_active_registry route by @ff137 in #3915
• 1.4.0rc0 by @swcurran in #3912
• 🎨 Fix and simplify AnonCreds-backend checks by @ff137 in #3913

New Contributors

• @dave-promulgare made their first contribution in #3850

Full Changelog: 1.3.2...1.4.0rc0