1.4.0rc1

ACA-Py 1.4.0 delivers a major internal upgrade centered on the introduction of Kanon Storage, a new modular storage architecture that separates cryptographic key management from general data persistence. Kanon moves ACA-Py’s non-key data (connections, credentials, protocol records, etc.) out of the encrypted Askar wallet into a dedicated, database-native storage layer that is encrypted at rest. Askar now functions purely as a Key Management Service (KMS), responsible for secure creation and use of keys and secrets. This shift enables ACA-Py deployments to leverage the full capabilities of their database engines—better indexing, analytics, and scalability—while preserving strong security boundaries around key material.

Kanon Storage is optional and fully backward compatible. Developed by the team at VeriDID (https://verid.id), this contribution represents a major advancement in ACA-Py's modular architecture and storage flexibility, and we extend our thanks to the VeriDID developers (notably dave-promulgare and vinaysingh8866) for their work in designing and implementing this foundational change. Existing ACA-Py deployments using Askar for all storage continue to function unchanged and can migrate to Kanon at any time. New deployments are encouraged to adopt Kanon for improved performance and operational flexibility. See the Kanon Storage documentation for details on configuration, migration, and best practices.

Alongside Kanon, this release includes significant refactoring in the AnonCreds revocation subsystem, modernization of event handling via an updated EventBus, and improvements to credential signing for SD-JWT to ensure correct verification-method key usage. Developers will also notice lint rule revisions, post-Kanon cleanup, and smaller enhancements to demos and test infrastructure such as the --debug-webhooks flag and interop test fixes. Together, these updates improve maintainability, observability, and readiness for large-scale production use.

1.4.0 Deprecation Notices

In an upcoming ACA-Py release, we will be dropping from the core ACA-Py repository the AIP 1.0 RFC 0036 Issue Credentials v1.0 and RFC 0037 Present Proof v1.0 DIDComm protocols. Each of the protocols will be moved to the ACA-Py Plugins repo. All ACA-Py implementers that use those protocols SHOULD update as soon as possible to the AIP 2.0 versions of those protocols (RFC 0453 Issue Credential v2.0 and RFC 0454 Present Proof v2.0, respectively). Once the protocols are removed from ACA-Py, anyone still using those protocols MUST adjust their configuration to load those protocols from the respective plugins.

The acapy_agent.revocation_anoncreds package has been deprecated and relocated to acapy_agent.anoncreds.revocation for improved consistency across the codebase. The change should only affect ACA-Py Plugins that implement AnonCreds, but other developers should also take note.

The wallet-type configuration value askar is now deprecated and all deployments still using that wallet type should migrate to either the askar-anoncreds or (ideally) kanon-anoncreds wallet types.

⚠️ Breaking Changes

This release introduces no breaking changes for existing ACA-Py deployments. Existing instances can continue to use Askar for both key and data storage by default.

Implementers are encouraged to evaluate Kanon as the preferred approach for new deployments or planned upgrades. Kanon provides better scalability, performance, and integration with database-native capabilities such as indexing, analytics, and external management tools — while maintaining secure handling of cryptographic keys within Askar.

What's Changed

• ✨ Implement ProfileSessionHandle by @ff137 in #3914
• Upgrade demo dockerfile acapy images to 1.3.2 by @jamshale in #3910
• Documentation for Kanon Storage under Features/Kanon Storage by @dave-promulgare in #3918
• chore(deps-dev): Bump pydevd-pycharm from 253.24325.40 to 253.27642.35 by @dependabot[bot] in #3919
• chore(deps): Bump github/codeql-action from 4.30.8 to 4.30.9 in the all-actions group by @dependabot[bot] in #3921
• fix(kanon):fixed password bug and tests for kanon postgres by @vinaysingh8866 in #3922
• Update bcvrin test genesis url by @PatStLouis in #3926
• Add document metadata to response by @PatStLouis in #3925
• chore(deps): Bump the all-actions group with 2 updates by @dependabot[bot] in #3930
• Add skip verification option for credential storage by @PatStLouis in #3928
• Enable remote config by @PatStLouis in #3927
• chore(deps): Bump github/codeql-action from 4.31.0 to 4.31.2 in the all-actions group by @dependabot[bot] in #3932
• fix(kanon):storage postgres provisioning issues by @vinaysingh8866 in #3931
• 1.4.0rc1 by @swcurran in #3933

New Contributors

• @vinaysingh8866 made their first contribution in #3922

Full Changelog: 1.4.0rc0...1.4.0rc1