{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiertebfdcpzztr4xyuwtvrwcfgtb5ojsqlmnorupmzdfdioab5fwm",
"uri": "at://did:plc:qk2qnafs6es6f2znn6gexjid/app.bsky.feed.post/3mhzup45lg4r2"
},
"path": "/blog/2026/03/26/matrix-v1.18-release/",
"publishedAt": "2026-03-26T16:00:43.000Z",
"site": "https://matrix.org",
"tags": [
"Matrix 1.18",
"policy servers",
"announcement post",
"MSC4192",
"MSC4380",
"a single on/off toggle for invites",
"MSC4155",
"Matrix 1.13",
"MSC4277",
"reporting endpoints",
"MSC4323",
"2278",
"2311",
"MSC4191",
"2270",
"MSC3824",
"2272",
"MSC4356",
"2291",
"MSC4267",
"2292",
"MSC4169",
"2298",
"MSC4313",
"2299",
"MSC4153",
"2301",
"2305",
"MSC4335",
"2315",
"MSC4341",
"2320",
"MSC4230",
"2328",
"2338",
"MSC4284",
"2332",
"MSC4183",
"2277",
"2280",
"2283",
"2304",
"2306",
"2316",
"2318",
"2324",
"2336",
"2337",
"MSC4376",
"2319",
"2191",
"2284",
"2288",
"2300",
"2329",
"2330",
"2297",
"2303",
"2307",
"2276",
"2222",
"2275",
"2282",
"2287",
"2289",
"2290",
"2317",
"2323",
"@HarHarLinks.",
"@velikopter",
"@thetayloredman."
],
"textContent": "Hey all,\n\nToday’s release of Matrix 1.18 brings a total of 16 MSCs to the protocol. Many of those proposals improve Trust & Safety in Matrix, introducing features like invite blocking, policy servers, account suspension & locking, and general quality of life improvements to the reporting APIs. This blog post covers those safety features in a bit more detail - read on to the full changelog at the bottom for full details of everything in Matrix 1.18.\n\n## 🔗Policy servers\n\nAfter about a year of development, policy servers have made their way into the stable spec. Typically paired with reactive tooling like moderation bots, these servers can _optionally_ be added to a room when needed to provide proactive moderation. When enabled, all servers in a room ask the policy server for an opinion on their events before sending them with normal full mesh routing. If the policy server refuses to sign the event due to unwelcome content, it will not be delivered to other homeservers or local users.\n\nHow and what policies a policy server uses is left as an implementation detail. Some policies might be simple, like limiting the number of mentions allowed in a message, or more complex. Policy servers also do not need to track the underlying room DAG, allowing them to be relatively lightweight to build.\n\nFor more information on what policy servers can be used for, read the announcement post for the Foundation’s own implementation, named policyserv.\n\n## 🔗Invite blocking\n\nSeveral proposals (tracked largely by MSC4192) have been opened over the years to limit the ability for unknown users to send invites to another user. These proposals often try to add safety features that are incredibly desirable, but are hard to put a UI on top of. In an effort to get _something_ into the spec, MSC4380 boiled the feature down to its essential component: a single on/off toggle for invites. Future expansion to block based on servers, user IDs, Space members, etc is possible and tracked in other MSCs like MSC4155.\n\nWe look forward to seeing design teams take on those more advanced safety controls to expand the capabilities of invite blocking beyond MSC4380’s simple toggle!\n\n## 🔗Account suspension & locking\n\nAccount suspension and locking were introduced back around Matrix 1.13, but API endpoints to manage the states were not introduced at the time. As the new account states continue to gain popularity in server implementations, MSC4323 added those missing endpoints. Security and safety tooling can now use the new standard endpoints instead of having implementation-specific logic and switch statements.\n\n## 🔗Reporting improvements\n\nThough small, MSC4277 harmonizes the various reporting endpoints to be similar in functionality, making it a little easier for clients to predict what happens when submitting reports. This is a highly welcome change ahead of the Foundation’s T&S team working on “Reporting v2” to modernize submitting reports (and appeals) to communities, servers, and federated locations later this year - stay tuned to the blog for updates on that project!\n\n## 🔗The full changelog\n\nThe full changelog for Matrix 1.18 is:\n\n### 🔗Client-Server API\n\n**New Endpoints**\n\n * Add `GET /_matrix/client/v1/admin/suspend/{userId}`, as per MSC4323. (#2278)\n * Add `PUT /_matrix/client/v1/admin/suspend/{userId}`, as per MSC4323. (#2278)\n * Add `GET /_matrix/client/v1/admin/lock/{userId}`, as per MSC4323. (#2278)\n * Add `PUT /_matrix/client/v1/admin/lock/{userId}`, as per MSC4323. (#2278)\n\n\n\n**Removed Endpoints**\n\n * The `score` request parameter on `/_matrix/client/v3/rooms/{roomId}/report/{eventId}` was removed as per MSC4277. (#2311)\n\n\n\n**Backwards Compatible Changes**\n\n * Add the account management capabilities for the OAuth 2.0 authentication API, as per MSC4191. (#2270)\n * Add OAuth 2.0 aware clients, as per MSC3824. (#2272)\n * Add administrator endpoints to lock and suspend server-local users and add the `m.account_management` capability, as per MSC4323. (#2278)\n * Add `m.recent_emoji` account data event to track recently used emoji as per MSC4356. (#2291)\n * Add `m.forget_forced_upon_leave` capability for servers to transparently auto-forget rooms that the user leaves as per MSC4267. (#2292)\n * Add support for `m.room.redaction` events at the `PUT /rooms/{roomId}/send/{eventType}/{txnId}` endpoint, as per MSC4169. (#2298)\n * Clients supporting the `ol` HTML element must also support the `start` attribute, as per MSC4313. (#2299)\n * Add recommendation about excluding non-cross-signed devices from encrypted conversations, as per MSC4153. (#2301)\n * Add invite blocking, as per MSC4380. (#2305)\n * `/_matrix/client/v3/rooms/{roomId}/report` and `/_matrix/client/v3/rooms/{roomId}/report/{eventId}` may respond with HTTP 200 regardless of the reported subject's existence or add a random delay when generating responses as per MSC4277. (#2311)\n * Add `M_USER_LIMIT_EXCEEDED` common error code, as per MSC4335. (#2315)\n * Add the OAuth 2.0 Device Authorization Grant (RFC 8628) as a supported grant type, as per MSC4341. (#2320)\n * Add the `is_animated` flag to the `info` object of the `m.image` msgtype and the `m.sticker` event, as per MSC4230. (#2328, #2338)\n * Add a \"Policy Servers\" module, as per MSC4284. (#2332)\n\n\n\n**Spec Clarifications**\n\n * The optional `submit_url` response parameter of the `/requestToken` endpoints uses the same request and response parameters and error codes as the Identity Service API's `POST /_matrix/identity/v2/validate/email/submitToken`, as per MSC4183. (#2277)\n * Update non-historic mentions of matrix-doc repo to matrix-spec/-proposals. Contributed by @HarHarLinks. (#2280)\n * Remove unintended TeX formatting. Contributed by @HarHarLinks. (#2283)\n * Clarify the requiredness of `event_id` in `predecessor`. (#2304)\n * Clarify terminology for keys in cross-signing module. (#2306)\n * Add 404 responses to the OpenAPI of `GET /login` and `GET /auth_metadata` endpoints. The responses were already defined in text but not written in OpenAPI. (#2316)\n * Fix various typos throughout the specification. Contributed by @HarHarLinks. (#2318)\n * Clarified attachment encryption to require secure generation of keys and hash verification. (#2324)\n * Order the common and other error codes alphabetically and remove duplicate `M_THREEPID_IN_USE` definition. (#2336)\n * Fix various typos throughout the specification. (#2337)\n\n\n\n### 🔗Server-Server API\n\n**Removed Endpoints**\n\n * Remove `/v1/send_join` and `/v1/send_leave`, as per MSC4376. (#2319)\n\n\n\n**Backwards Compatible Changes**\n\n * Add a concept of \"Policy Servers\", as per MSC4284. (#2332)\n\n\n\n**Spec Clarifications**\n\n * Clarify what the `minimum_valid_until_ts` field means when it is set in key queries. (#2191)\n * Specify validation for PDUs passed to and returned from federation membership endpoints. (#2284)\n * Specify that callers of `/_matrix/federation/v1/openid/userinfo` must validate the returned user ID. (#2288)\n * Change `m.signing_update` typo to `m.signing_key_update`. Contributed by @velikopter (#2300)\n * Add link to JSON signing algorithm in server-server auth section for clarity. Contributed by @thetayloredman. (#2329)\n * Fix various typos throughout the specification. (#2338)\n\n\n\n### 🔗Application Service API\n\n**Spec Clarifications**\n\n * Fix various typos throughout the specification. (#2330)\n\n\n\n### 🔗Identity Service API\n\n**Spec Clarifications**\n\n * Clarify the error codes that can be returned with a 400 HTTP status code by the `POST /_matrix/identity/v2/validate/email/submitToken` and `POST /_matrix/identity/v2/validate/msisdn/submitToken` endpoints, introducing the `M_TOKEN_INCORRECT` error code, as per MSC4183. (#2277)\n * Order the standard error codes alphabetically. (#2336)\n\n\n\n### 🔗Push Gateway API\n\nNo significant changes.\n\n### 🔗Room Versions\n\n**Spec Clarifications**\n\n * Clarify meaning of floating-point powerlevels. (#2297)\n * Remove the post-1.16 release note for room version 12. (#2303)\n\n\n\n### 🔗Appendices\n\n**Spec Clarifications**\n\n * Add identifier pronunciation guidelines. Contributed by @HarHarLinks. (#2307)\n\n\n\n### 🔗Internal Changes/Tooling\n\n**Backwards Compatible Changes**\n\n * Include the spec release version in the filenames in the tarballs generated by CI. (#2276)\n\n\n\n**Spec Clarifications**\n\n * Clarify vendor prefixing requirements. (#2222)\n * Auto-create draft releases when building release tags. (#2275)\n * Replace the Twitter link in the footer with our BlueSky and Mastodon socials. (#2282)\n * Upgrade to docsy v0.13.0. (#2287)\n * Updates to the release documentation. (#2289)\n * Remove unused leftover CSS files. (#2290)\n * Update the footer social links to match matrix.org. Contributed by @HarHarLinks. (#2317)\n * Fix various typos throughout the specification. Contributed by @HarHarLinks. (#2318)\n * Render error code sections as definition lists to improve readability. (#2323)\n\n",
"title": "Matrix v1.18 release",
"updatedAt": "2026-03-26T16:00:43.000Z"
}