Exploring SDG OpenCAPIF Release 4

A new version of OpenCAPIF is now available! Release 4.0.0 focuses on improving the platform architecture, deployment flexibility and security, while also introducing the first steps toward Visibility Control, one of the most anticipated CAPIF features.
In addition, OpenCAPIF is now aligned with the latest 3GPP CAPIF Release 19 specifications, keeping the project fully compliant with the evolving standard.
Let’s take a look at the highlights of this new release.
First Step Towards Visibility Control
One of the most important additions in this release is the initial implementation of the Visibility Control API.
Visibility Control will allow API providers to define which invokers are able to discover and access specific APIs, enabling more granular control over API exposure in CAPIF environments.
The current implementation provides the foundations for this capability, although the feature is not yet fully functional. The complete implementation is planned for the next OpenCAPIF release, where the visibility policies will become fully operational.
A More Scalable Certificate Architecture
In previous versions, certificate generation assumed a single CAPIF instance, which could lead to conflicts when several deployments shared the same Vault instance.
Release 4 introduces a completely redesigned certificate workflow that solves this limitation.
Key improvements include:
- Services now generate their own keys and CSRs locally.
- Vault acts purely as a Certificate Authority, responsible for signing certificates.
- Each deployment is uniquely identified using a CAPIF Core Function identifier (ccf_id).
- Certificates are stored in instance-scoped paths, avoiding collisions between deployments.
This change makes OpenCAPIF much easier to deploy in multi-instance environments, such as shared Kubernetes clusters or multi-tenant infrastructures.
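The workflow above can be sketched with plain OpenSSL. This is an added example, not OpenCAPIF's own code: a throwaway local CA stands in for Vault, and the directory layout, the ccf-aaaa/ccf-bbbb identifiers, the service name and the use of the OU field to carry the ccf_id are all assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: key and CSR are generated locally, the CA only signs,
# and every artifact is stored under a path scoped by ccf_id.
# Paths, names and the OU=ccf_id convention are hypothetical.
set -eu
WORK=$(mktemp -d)

# Stand-in CA (in OpenCAPIF this role belongs to Vault).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_cert <ccf_id> <service>: the private key is created on the service
# side and never handed to the CA; only the CSR is submitted for signing.
issue_cert() {
  ccf_id=$1; svc=$2
  dir="$WORK/certs/$ccf_id/$svc"
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$svc/OU=$ccf_id" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  chmod 600 "$dir/server.key"
  openssl x509 -req -in "$dir/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$dir/server.crt" >/dev/null 2>&1
  echo "$dir"
}

# check_cert <dir>: the certificate chains to the CA and its public key
# matches the private key held in the same instance-scoped directory.
check_cert() {
  dir=$1
  openssl verify -CAfile "$WORK/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  a=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$dir/server.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Two deployments share one CA but use different ccf_id values, so the same
# service name resolves to two separate directories and key pairs.
make_ca
A=$(issue_cert ccf-aaaa capif-core)
B=$(issue_cert ccf-bbbb capif-core)
check_cert "$A" && check_cert "$B" && echo "distinct, valid certs in $A and $B"
```

Without the ccf_id path component, the second call would overwrite the first deployment's key and certificate, which is the collision the redesign avoids.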
Cleaner and More Flexible NGINX Configuration
The NGINX configuration used in OpenCAPIF deployments has also been refactored.
Previously, endpoint validation and routing logic were implemented directly in the main configuration file. In this release, the configuration has been reorganized using modular maps, separating different concerns such as:
- routing logic
- policies
- error handling
- service definitions
This modular structure simplifies maintenance and makes it easier to add new endpoints or policies in future releases.
Security Improvements and Fixes
Security continues to be a major focus of the project. Release 4 includes several improvements and fixes across the platform.
Among the most relevant updates:
- Security vulnerabilities in setuptools, protobuf-python, and OpenSSL (cryptography wheels) have been resolved.
- A potential Denial of Service vulnerability related to missing HTTP header validation has been fixed.
The Security Service has also been improved:
- Invokers can now correctly create multiple security contexts for different APIs.
- The priority logic for selecting security methods has been clarified depending on whether they are defined in the AEF profile or the interface description.
- An issue preventing correct PSK generation in certain scenarios has been resolved.
Easier Deployments with Improved Helm and Tools
Deployment tooling has also received significant improvements to simplify installation and configuration.
Helm scripts now support environment files, making it easier to adapt deployments across different environments such as development, staging, or production.
Additional improvements include:
- New configurable variables for logging, monitoring and registry configuration.
- Updated Vault installation scripts compatible with newer Kubernetes versions.
- Improvements to internal tooling scripts used for generating APIs and managing images.
These updates aim to make OpenCAPIF deployments more predictable and easier to operate in real-world environments.
Alignment with 3GPP CAPIF Release 19
Another important milestone in this release is the upgrade of OpenCAPIF services to 3GPP CAPIF Release 19, following the specification defined in 3GPP TS 29.222.
This update ensures that OpenCAPIF remains aligned with the latest normative data models, APIs and security flows defined by the CAPIF standard.
Documentation Improvements
Several new documentation sections have been added to support users and developers:
- A new How to Deploy Using Helm guide explaining how to deploy OpenCAPIF in Kubernetes environments.
- A new Certificate Generation Architecture section describing the redesigned certificate workflow.
- A Download Repository section to simplify access to the source code.
- The How to Run section has been renamed to How to Run Locally for better clarity.
Getting Started with OpenCAPIF 4.0.0
To deploy or test this release, clone the OpenCAPIF repository from ETSI Labs and switch to the corresponding release tag.
The documentation provides detailed guides for:
- running OpenCAPIF locally
- deploying the platform in Kubernetes using Helm
- testing APIs with Postman or Robot Framework
You can also experiment with OpenCAPIF using the public sandbox environment described in the documentation.
Get Involved
Want to contribute? Learn how to join SDG OpenCAPIF; it’s easy and free [1]! 🎉
For more information, please contact us.
Learn More
For further information, please consult the following resources:
- 3GPP Forge Repository for the Common API Framework
- OpenCAPIF Code Repository
- OpenCAPIF Documentation
- OpenCAPIF SDK
- OpenCAPIF Example Clients
[1] Joining is free upon signature of the SDG OCF Agreement for a variety of entity types (ETSI Members, SMEs, Universities, Public Research Bodies, etc.).