Developer Features in 26R2
Filters
Application Family
Tags
We are pleased to bring you the following additions and enhancements to Developer Portal features in 26R2.
Service Announcements
Section link for Service AnnouncementsService Announcements are changes that may affect existing integrations. Organizations should assess these features against their existing integrations and make updates where necessary.
Global API Header Changes
Section link for Global API Header ChangesWe are making the following changes to all Vault API versions starting with the 26R1.2 release:
- Status Line: Vault API will return a numeric-only status line. For example,
HTTP/1.1 200instead ofHTTP/1.1 200 OK. Integration logic must be updated to validate responses based on the numeric status code (integer) rather than searching for descriptive text strings like "OK." Per RFC 9112, the reason phrase is optional and deprecated in modern protocols. - Cache-Control: Vault API will no longer return the
Expiresheader. Integrations should use the explicitCache-Control: no-store, no-cachedirectives. Legacy clients that previously relied on the 1970 epoch date for cache invalidation must be updated to recognize modern Cache-Control headers. This ensures consistent data privacy across modern CDNs and browsers. - Vary: The header "Vary: Accept-Encoding" will be transmitted in lowercase format "vary: accept-encoding" to comply with HTTP/2 and HTTP/3 standards.
Support ExecuteAs for Documentaction
Section link for Support ExecuteAs for DocumentactionAdded @ExecuteAs support for DocumentAction entry points.
Additionally, DocumentActionContext.getDocumentVersions() now defaults to Java SDK Service Account instead of the Request Owner. Please review your implementations to ensure this shift in default permissions aligns with your security requirements:
- 26R1 Behaviour:
getDocumentVersions()runs as Request Owner by default - 26R2 Behaviour:
getDocumentVersions()runs as System by default
SDK HttpService no longer supports TLS v1 and v1.1
Section link for SDK HttpService no longer supports TLS v1 and v1.1With this release, we no longer support the TLS v1 and v1.1 insecure protocols and ciphersuites.
NotificationService SDK Enhancements
Section link for NotificationService SDK EnhancementsWe are changing the way notifications can be sent to users via Vault Java SDK using NotificationService. We are introducing the following new interfaces:
NotificationQueueRequestrepresents a request to queue a notification for deliveryNotificationQueueMessagedefines the content of a notificationNotificationQueueOperationthe event handlerNotificationQueueResponserepresents the response of a notification queue requestNotificationQueueOperationErrorrepresents an error that occurred during a notification queueing operationNotificationQueueOperationErrorTypeenum defines categories of errors for queueing a notification
NotificationLanguageContextprovides context for resolving localized language tokens for a notificationNotificationLanguageResponserepresents the localized token mappings for specific languages
The following interfaces or methods using these will be deprecated:
NotificationMessageNotificationTemplateNotificationParameters
Vault Docs MCP
Section link for Vault Docs MCPAs of June 8th, 2026, the Vault Developer Docs MCP is now the Vault Docs MCP. This name change reflects the addition of the search_vault_help_docs tool, which allows LLM clients to directly access Platform Vault Help documentation. Existing tools still allow access to the Vault API reference, Vault SDK Javadocs, VAPIL Javadocs, and Vault Developer Portal documentation, providing a full range of Vault expertise from the convenience of your favorite LLM. Learn more about the Vault Docs MCP.
Release Highlights
Section link for Release HighlightsAPI Access Tokens
Section link for API Access TokensThis feature allows a long-lived API access token to be used to authenticate to the Vault API. This enables integration with tools that expect a static token, as well as allowing authentication sub-processes in integrations to be replaced.
Access tokens do not give Vault UI access, are valid for one specific Vault, and grant the permissions of the user who generated the access token. Each user can have up to 25 active access tokens.
Only users who have API permission can create access tokens. The maximum access token expiry duration is set in the user's security policy.
Veeva AI
Section link for Veeva AIAPI Access Control for Agent Actions
Section link for API Access Control for Agent ActionsThis feature introduces a new agent action attribute, API Access (api_access), that controls whether an agent action is visible to the MCP server and Vault API. If set to false, no call to Vault API or MCP server can be made to the agent action.
Query Profiler
Section link for Query ProfilerThis feature allows Admins and Developers to monitor VQL query performance with the new query profiling tool. Analysing the profile of queries is a key part in monitoring their performance and overall health, but previously this process has been challenging.
Now with Query Profiler, the results makes it easy to analyse the queries running in Vault, by looking at the data obtained during a profiling session. Users will need to start a profiling session where they will also be able to set filters on what kind of VQL queries should be included in the results. These filters include:
- Origin: filters where the VQL query originated from (API, SDK, or ALL)
- Targets: filters the specific Query Targets of the VQL query (e.g.: restricting to queries on
user__sys) - Result Count: filters queries to only be included if their result count is in a Min / Max range
- Query Time: filters queries to only be included if their execution time is in a Min / Max range
- Response Status: filters whether the query was a SUCCESS, FAILURE or if it received a WARNING
Hierarchy: VQL Relationship
Section link for Hierarchy: VQL RelationshipA new VQL relationship for hierarchy nodes allows Admins and Developers to see the ordering of hierarchical objects like EDL and EDL Item. Previously the order for these types of object records was only visible in the hierarchy viewer UI.
Object Record Roles for VQL
Section link for Object Record Roles for VQLUsers can now run queries on object record roles. This functionality is available as a subquery, meaning you can query object record roles as related data with the Vault object as the primary query target.
The query supports role assignments granted via the following mechanisms:
- Manual Assignment
- Custom Sharing Rules
- Matching Sharing Rules
- Child Security (where parent's security is supported)
SELECT id, name__v,
(SELECT role_name__sys, user__sys, assignment_type__sys FROM roles__sysr)
FROM product__v
WHERE id = 'V0B000000003009'Retrieve Document Properties in VQL
Section link for Retrieve Document Properties in VQLUsers can now retrieve document permissions and field editability information when executing VQL queries by including the X-VaultAPI-DocumentProperties header, enabling more efficient permission checking for document operations. This brings documents closer together with objects that already had the X-VaultAPI-RecordProperties header available.
Vault Java SDK
Section link for Vault Java SDKSupport Paging for QueryService
Section link for Support Paging for QueryServiceThis feature allows pagination when running VQL queries in the Vault Java SDK, making it simpler for developers to return results of a specific size.
Previously, the QueryService was designed to return a Stream of results and explicitly did not support the VQL pagination clauses PAGESIZE and PAGEOFFSET.
Developers can add withPageSize(int) to the Builder, mirroring the VQL query syntax, and we have added new QueryPaginationResponse and QueryPageRequest interfaces.
RenditionService SDK
Section link for RenditionService SDKUsers can now query for information related to the structure of their document and its contained content using RenditionService. This includes information about the page count, page sizes, page crop, page rotations, contained bookmarks, and contained named destinations.
Enhancements to SDK DocumentService
Section link for Enhancements to SDK DocumentServiceA new set of DocumentService SDK methods for creating new documents, updating existing document versions, and deleting documents and document versions. New interfaces also add support for updating previous document versions, and creating new versions of documents not in migration mode, which are current gaps in the SDK.
The following new methods are added to the existing DocumentService interface:
batchCreateDocuments(DocumentBatchCreateRequest request);batchUpdateDocumentVersions(DocumentVersionBatchUpdateRequest request);batchDeleteDocuments(DocumentBatchDeleteRequest request);
The following existing methods will be deprecated from DocumentService:
createDocuments(List<DocumentVersion> documentVersions)deleteDocumentVersions(List<DocumentVersion> documentVersions)saveDocumentVersions(List<DocumentVersion> documentVersions)
Connection API Name Support for Integration Rule SDK
Section link for Connection API Name Support for Integration Rule SDKThis enhancement introduces the ability to retrieve integration rules using the Connection API Name rather than strictly requiring the connectionId. Using the new withConnectionName() method makes the code more portable, easier to read, and it simplifies the use for developers.
// Locate service
IntegrationRuleService integrationRuleService =
ServiceLocator.locate(IntegrationRuleService.class);
// Build request using API Name
GetIntegrationRulesRequest request =
integrationRuleService.newGetIntegrationRulesRequestBuilder()
.withConnectionName("verneo_clinical_conn__c") // Human-readable API Name
.build();SDK: Workflow Task Metadata & Completion
Section link for SDK: Workflow Task Metadata & CompletionWe are enhancing the WorkflowTaskService and WorkflowMetadataService to support programmatic workflow task completion. This new functionality allows developers to inspect the requirements (prompts) of a task instance and construct a completion request that satisfies those requirements.
Developers will be able to perform "discovery" to understand what inputs will be required (Task Level, Verdicts, Verdict Reason, Verdict Capacity, etc.) and then perform the "execution" by constructing a completion request.
Doctype Triggers: Add New Version Context Details
Section link for Doctype Triggers: Add New Version Context DetailsAdds new DocumentTypeCreateDraftExecutionContext and DocumentTypeCheckInExecutionContext interfaces to give doctype trigger developers the ability to differentiate how the new document version was created (Create Draft vs Check-In etc.).
ObjectMetadataService SDK Enhancements
Section link for ObjectMetadataService SDK EnhancementsThis feature enhances the ObjectMetadata and ObjectFieldMetadata SDK interface so that all attributes available in our MDL are retrievable in the SDK interface as well. This allows developers to retrieve the complete definition of MDL components.
The following, previously unavailable attributes can now be retrieved from the SDK:
ObjectMetadata
descriptionhelp_contentin_menuenable_esignaturesdynamic_securityavailable_lifecyclesuser_role_setup_objectsecure_audit_trailsecure_sharing_settingssecure_attachmentsprevent_record_overwritemulti_selecttriggers_disallowedconfiguration_dataenable_mergesrelate_records_select_allsecure_copy_record
ObjectFieldMetadata
editable:isSystemManaged()returnstruewheneditableisfalse
ObjectTextFieldMetadata
system_managed_name
ObjectLookupObjectReferenceFieldMetadata & ObjectLookupParentReferenceFieldMetadata
relationship_inbound_labelrelationship_inbound_namerelationship_outbound_nameobjectrelationship_deletion
Localization Java SDK Service
Section link for Localization Java SDK ServiceThe LocalizationService SDK enables developers to format Date, DateTime, Number, and Currency values according to Vault locale settings. It provides programmatic access to Vault base locale settings, locale metadata (codes and labels for 244 supported locales), and generates formatted display strings from raw base values.
Record Migration Mode Inheritance
Section link for Record Migration Mode InheritanceWhen records are created, updated, or deleted in Record Migration Mode, it can cause other records to be created or updated within the same process. In these scenarios, the related records inherit many of the same Record Migration Mode behaviours.
This feature introduces two changes to the current behaviour:
- In the Object Record Audit History log, "in migration mode" will be added to the description for related records.
- In the SDK,
isMigrationModeEnabledwill returntruein theRecordTriggerContextfor related records.
SDK to Reclassify Documents
Section link for SDK to Reclassify DocumentsThis feature adds interfaces to allow reclassifying documents via the Vault Java SDK in bulk, with functional parity with today's existing reclassify behavior. Previously this was only possible by leveraging Vault API.
A new DocumentService interface was created to reclassify documents:
batchReclassifyDocuments(DocumentBatchReclassifyRequest request)
SDK Support for Creating New Document Versions
Section link for SDK Support for Creating New Document VersionsDevelopers can now utilize a new method to create new document versions in the SDK, and specify between creating a new draft or uploading a new version.
We have added a new set of DocumentService SDK methods for creating, updating, and deleting documents for an improved developer experience. New interfaces also support updating previous document versions, and creating new versions of documents not in migration mode.
The following new methods will be added to the existing DocumentService interface:
batchCreateDocuments(DocumentBatchCreateRequest request);batchCreateDocumentVersions(DocumentVersionBatchCreateRequest request);batchUpdateDocumentVersions(DocumentVersionBatchUpdateRequest request);batchDeleteDocuments(DocumentBatchDeleteRequest request);
The following existing methods will be deprecated from DocumentService:
createDocuments(List<DocumentVersion> documentVersions)deleteDocumentVersions(List<DocumentVersion> documentVersions)saveDocumentVersions(List<DocumentVersion> documentVersions)
Vault API v26.2
Section link for Vault API v26.2Hierarchy: Bulk Update Node Order
Section link for Hierarchy: Bulk Update Node OrderWe are introducing a new API endpoint to give users the ability to update the node order of hierarchical records in bulk, so users no longer need to manually reorder the nodes in the Vault UI.
Hierarchical records are objects that have self-referential parent-child relationships that form a tree, such as Expected Documents. Vault Applications may have their own implementations of these hierarchies.
/api/{version}/composites/trees/{hierarchyName}/batchRecord Migration Mode for Delete Operations
Section link for Record Migration Mode for Delete OperationsVault now supports Record Migration Mode for delete operations, along with a No Triggers option. This feature allows users to delete migrated records without firing record triggers and action triggers. Blocking references will still prevent record delete operations, even in Record Migration Mode.
This feature is supported for both Vault API and Vault Loader.
Vault Loader Performance Enhancements
Section link for Vault Loader Performance EnhancementsVault Loader jobs now leverage the distributed job framework, which leads to faster load times for Vault datasets.
This means there could be a change in the order in which the datasets are loaded as a later batch may get processed faster than an earlier batch. For example, Batch 3 may get processed faster than Batch 1.
Processes leveraging the sequential loading of records via Vault Loader will need to process the batches of 500 records manually.
Document Inbox Enhancements: Edit Document Type
Section link for Document Inbox Enhancements: Edit Document TypeThe Document Inbox has been updated to allow document type classifications to be saved on incomplete documents, documents still in the Unclassified lifecycle. Users are now able to save a document type classification on incomplete documents without providing all other required fields for the document type, allowing classification and other information to be populated incrementally when possible. Developers are now able to use the single and bulk Reclassify API endpoints to set just a document type on an incomplete document as well.
Promote Person to User API
Section link for Promote Person to User APIThis feature implements an API endpoint that provides the functionality to Promote a Person object record to a User. This was already available on the UI, and now developers can do it via the below API.
/api/{version}/app/clinical/persons/actions/promote_to_userThe API will require the source_person_id field and any fields the Vault requires to create a User as Body Parameters.
Submissions Archive Scalability Improvements
Section link for Submissions Archive Scalability ImprovementsVeeva Submissions Archive has been updated for performance and reliability. As part of this feature, DAC security is unaffected, and the following has been enhanced:
- Updated Export UI for single submissions
- Multi-Submission Export from the All Submissions tab
- Exports now separate submission files from static CSV manifests
Note: In 26R2, legacy Binder substructures will be sunset. Therefore, customers must assess their integrations.
We have also introduced new API endpoints for Submissions Archive:
Bulk Export Submissions
Allows for the asynchronous export of multiple submissions across multiple applications in a single call.
/api/{version}/app/regulatory/submissions_archive/actions/bulk_exportExport Submission (Single)
Initiates an asynchronous job for a single submission, replacing the legacy binder-based endpoint.
/api/{version}/app/regulatory/submissions_archive/{submission_record_id}/actions/exportRetrieve Submission Export Results
Checks job status and retrieves the final output location on file staging.
/api/{version}/app/regulatory/submissions_archive/export_job/{job_id}Retrieve Submission Import Results
Retrieves Informational, Warning and Data Entry messages associated with a completed import job.
/api/{version}/app/regulatory/submissions_archive/{submission_record_id}/actions/import_resultsSend to Sites API
Section link for Send to Sites APIThis feature introduces an API endpoint that enables the distribution of Safety Letters to Study Sites. This functionality is already available in the UI, and now developers can perform this operation via Vault API. When leveraging the following endpoint, Safety Letters are sent to the provided sites bypassing the in-system filtering. Sending a request to this endpoint requires the Safety Distribution and the Study Site ID.
/api/{version}/app/clinical/safety_distributions/{id}/actions/send_to_select_sitesDirect Data API
Section link for Direct Data APIDirect Data API: Additional Document Metadata in Workflow Extracts
Section link for Direct Data API: Additional Document Metadata in Workflow ExtractsThis release, we are adding existing document and version VQL fields to the Workflow Item (workflow_item__sys.csv) and Workflow Task Item (workflow_task_item__sys.csv) extracts in Direct Data files.
Control Binding for Object Fields
Section link for Control Binding for Object FieldsObject fields can now be configured so that they are bound to a control (UI elements built by Veeva). Fields with control bindings will display the control when added to a layout. In the past, Admins needed to configure controls directly on a page layout and sometimes swap it with a field.
A field with control binding will always be displayed using that control in the record detail view, record list view, and related object sections. This prevents the need to add the control to all layouts, making administration easier and less error prone.
To achieve this, we have added a new attribute, called control_binding, to the Object > Field and Objecttype > Typefield subcomponent's MDL.
Migration Package Validation Enhancements
Section link for Migration Package Validation EnhancementsConfiguration migration package (VPK) validation improves the reliability of configuration deployments by enforcing SDK code compilation checks and detecting missing sub-component dependencies during the validation phase.
SDK Code Validation: Vault now performs a compilation of SDK source code included in a VPK during the validation step. If the code contains compilation errors, the validation process marks the specific code step with a Blocked status. This prevents the package from being deployed until the code issues are resolved.
Enhanced Dependency Detection Validation: Vault now checks for missing sub-components. Even if a parent component exists in the target Vault, the engine verifies that all referenced sub-components are also present. For example, if an object exists in the target Vault, the validation engine verifies that all fields are present.
Packages Support for Record Attachments & Attachment Fields
Section link for Packages Support for Record Attachments & Attachment FieldsVault configuration migration packages (VPKs) now support exporting and importing record attachments and attachment field files when exporting data.
After adding the Data Step (Dataset), you can edit the Dataset Item to enable Include Object Record Attachments, which will export record attachments. In the Columns sections of the Dataset Item, you can add attachment fields, which will also be included in the extract.
In the exported VPK, the attachments are stored in the step's folder structure:
- Record attachments:
##### > content > row_# > recordattachments > file_name > v# - Attachment fields:
##### > content > row_# > attachmentfields > field_name
For each Data Step, an additional DSET-#####-object_name-content.xml is created in the step's folder, which details how the attachments need to be added to the records.
<contentmetadata>
<component name="example_object__c" type="Object">
<records>
<record rowid="1">
<recordattachments>
<recordattachment name="export_1766945124021.csv">
<version versionnumber="1">
<source>components\00010\content\row_1\recordattachments\test.csv\v1\test.csv</source>
</version>
</recordattachment>
</recordattachments>
<attachmentfields>
<attachmentfield name="attachment_field__c">
<source>components\00010\content\row_1\attachmentfields\attachment_field__c\test.png</source>
</attachmentfield>
</attachmentfields>
</record>
</records>
</component>
</contentmetadata>Bitmask Field
Section link for Bitmask FieldThis feature introduces a Bitmask field type for objects, enabling apps to securely filter records efficiently without performance degradations at high volumes.
Only Veeva can create Bitmask fields, and in MDL there is a new possible value 'Bitmask' for the type() attribute of the Object > Field subcomponent.
In VQL, a new bitwise operator, AND (&), is added for Bitmask fields only.
The below example returns a list of master data that is unmasked according to user's permissions in the form of a bitmask value (40049) and the access group value (Bitmask field) stored on the record.
SELECT id, name__v, status__v
FROM master_data__v
WHERE access_group__v & 40049 > 0Layout Rules: Automatic Controlled Field Management
Section link for Layout Rules: Automatic Controlled Field ManagementLayout rules now automatically add controlled fields when their controlling field is hidden, and controlling fields when their controlled field is displayed as required. Auto-added fields are locked with a tooltip naming the dependency, and existing layout rules stay in sync as field dependencies change.
This means the system will add additional fields to the Layoutrules component MDL when adding controlled or controlling fields.
Complaint Intake Follow-Up: Manual Processing
Section link for Complaint Intake Follow-Up: Manual ProcessingThis feature adds support for managing manual Complaint Intake Follow-Ups. The feature will not be enabled until 26R3, but we have pre-loaded the components in Vaults. The components will not be visible to end users until the feature is turned on, but can show up on Vault Compare reports, and in the Pagelayout MDL.
<vault:control reference="cifu_complaint_contacts_field_control__v" name="cifu_complaint_contacts_field_control__c" label="Complaint Contacts"/>
<vault:control reference="cifu_notification_template_field_control__v" name="cifu_notification_template_field_control__c" label="Email Template"/>
External Notifications: Alternate Communication Languages
Section link for External Notifications: Alternate Communication LanguagesThis feature adds support for Complaint Intake and Complaint to send external emails in alternate languages using Quality External Notifications.
A new configParameterValue with name extNotifUseCommunicationLanguage is available in the Objectlifecycleentryaction for enabling this feature for the Send a Notification action on Complaint Intake and Complaint records:
<rule>
<actions>
<action type="Recordaction.com.veeva.vault.app.quality.qms.sendexternalnotification.action.SendExternalNotificationEntryAction">
<configParameters>
<configParameter valueType="Picklist" name="extNotifParam">
<configParameterValue><![CDATA[complaint_intake_complaint_intake__c]]></configParameterValue>
</configParameter>
<configParameter valueType="Picklist" name="extNotifTemplateParam">
<configParameterValue><![CDATA[ci_complaint_intake__c]]></configParameterValue>
</configParameter>
<configParameter valueType="Boolean" name="extNotifUseCommunicationLanguage">
<configParameterValue><![CDATA[true]]></configParameterValue>
</configParameter>
</configParameters>
</action>
</actions>
</rule>External Notifications: Complaint Enhancements
Section link for External Notifications: Complaint EnhancementsAdmins can now configure External Notifications for Complaints and Quality Events (Complaint and Medtech Complaint object types) to use the new Complaint Contact object to capture information about reporters and complainants.
This update introduces a new recipient_option attribute for the Qualityexternalnotificationtemplate MDL component, with the possible values PERSON or COMPLAINT_CONTACT.
If COMPLAINT_CONTACT is selected, the component will be expecting Qualitynotificationcomplaintcontact subcomponents, instead of completing the recipients() attribute.