.png?width=365&height=122&name=BTLogo%20(1).png)
April 2026 Changelog
April was a month of reliability. From a rebuilt BIN data pipeline to improved merchant onboarding, the focus was on making Basis Theory's core infrastructure more resilient and reducing friction across the platform.
BIN Details Reliability Overhaul
BIN details now draw from a master dataset that merges 50+ weeks of historical card network data, replacing the previous system that swapped in a single weekly file.
The previous approach replaced the entire dataset with each weekly file from the networks. When networks removed ranges by mistake or published incorrect data, customers lost access to valid BIN information with no warning. The new merge pipeline preserves when new files have gaps. Automated integrity checks validate every weekly update before it goes live, and the data is served from a new DynamoDB-backed service within PCI-compliant infrastructure.
Why this matters:
- Fewer missing BIN details. Ranges are preserved even when upstream sources remove them, so fraud checks, routing decisions, and customer verification workflows no longer break unexpectedly.
- Weekly updates resume safely. Automated quality gates catch anomalies before they reach customers, eliminating the need for manual file pinning or patching.
- No action required. The API interface is unchanged—this is an automatic improvement for all customers.
Account Updater Batch Result Improvements
Account Updater batch result CSVs now include a full set of new_* fields when a PAN update occurs: new_last4, new_fingerprint, new_brand, new_expiration_year, and new_expiration_month. These fields are populated for all UPD_PAN and UPD_BRAND_CONV results.
Previously, the batch result file only included the new_token ID. Retrieving the updated card's last four digits, brand, fingerprint, or expiration required a follow-up API call for each token individually. All of these fields are now included directly in the batch result file, giving you everything you need to update downstream records in a single pass.
Why this matters:
- Update card display information in bulk without per-token API calls, reducing processing time and API volume for high-scale Account Updater integrations.
- All card metadata needed for downstream record updates—last four digits, brand, fingerprint, and expiration—is now available in a single file download.
Proxy: Non-ASCII Response Header Support
Proxied requests to upstream APIs that return non-ASCII characters in response headers no longer fail with 502 errors. The proxy now supports Latin-1 encoded headers, matching the behavior expected by APIs that include extended character sets in their responses.
Bug Fixes
Web Elements Firefox and LastPass Compatibility
Fixed an issue where Web Elements API calls failed in Firefox when the LastPass extension was enabled and the user was logged in. The error — "The API is unreachable" — blocked tokenization and payment flows entirely, preventing production go-lives for affected customers.
Session Access Rules with ID-Equals Conditions
Fixed a bug where token: update operations returned a 403 error when session access rules used id equals conditions, even though the same operation succeeded with container starts_with conditions. The session permission evaluation logic now correctly handles ID-based conditions.
Access Rule Container Default Value
Fixed an issue in the portal where leaving the access rule container field blank sent an empty string instead of causing unexpected permission behavior.
