Last month, we announced the release of Review Board 5 beta 1, a feature-packed beta introducing SAML Single Sign-On, Trojan Source attack detection, new APIs, and more.

Today, we're following up with another beta, this time introducing:

Enhanced API Tokens

We're increasing the security of API tokens, and giving both users and administrators more control over their lifecycle.

  • Expiration: API tokens can now be set to expire after a period of time, helping with testing or compliance with internal best practices. Once expired, a token will no longer be accepted. (Currently, expiration can only be set via the API, but the next beta will offer UI for this.)

  • Invalidation: Administrators can invalidate tokens for specific users or all users on a server, helping to lock things down in the event of a security breach.

  • Secret Scanning: Tokens are now 255 characters, and can be identified by secret scanning. We'll be updating Review Bot to help scan for leaked tokens in posted code, and will be working with other companies offering secret scanning.

All existing tokens will continue to work, but we recommend migrating over to the new enhanced API tokens.

Repository Access Control List APIs

Repositories can be locked down to a specific set of users and groups, and now these ACLs can be managed programmatically via new Repository Group ACL and Repository User ACL APIs.

We're introducing this in 5.0, but we plan to bring these same APIs to the upcoming 4.0.11 release as well.

Help When Upgrades Go Wrong

We work hard to ensure upgrades go smoothly, but sometimes things just go wrong.

Now, whenever there's a problem with an upgrade, rb-site will generate a debug log file containing information you can send to your Beanbag Support contact. We can use this to more quickly help you get going again.

If you don't have a support contract, and you're on your own supporting Review Board for your company, talk to us about how we can help lend a hand.


  • Mitigation against SAML Single Sign-On replay attacks
  • Updates to Single Sign-On to work with multiple Review Board server hostnames
  • Performance improvements with the Search field
  • Usability improvements in the administration UI and My Account page
  • Bug fixes throughout the product.

See the release notes for the complete list of changes.

Want to Help Us Test?

We’d love to have your help! We have installation information in the release notes.

Please make sure you have a dedicated testing server and database. Do not test this beta in production!

You can use the beanbag/reviewboard:5.0b2 Docker image as well. See our Docker instructions for information on setting up an environment.