API inbound JSON/XML parameter parsing disabled

Note: This issue only concerns developers that are directly communicating with our API. This does not affect users using 3rd party services like IFTTT to receive Pushover notifications.

Due to a recently discovered security concern in 3rd party software used by our API service, we’ve recently disabled inbound JSON and XML parameter parsing for requests to our API.

Please note that this does not affect receiving JSON or XML responses from our API (specified by the suffix of the URL you are accessing, such as https://api.pushover.net/1/messages.json) and only affects whether our API servers will parse parameters that you are sending encoded in JSON rather than percent-encoding.

We take security very seriously and have disabled this feature as a precaution, although we intend to keep it disabled after this point. This feature was used infrequently according to our API statistics, as most HTTP libraries and utilities like cURL encode POST data with percent- or form-style encoding, so most developers and users should not be affected by this change.

For questions about this change, please feel free to contact us directly.