Hey developers,
Heads up on a security hardening change landing September 15, 2026: Smartsheet is removing support for a set of weaker TLS 1.2 cipher suites across both api.smartsheet.com and app.smartsheet.com.
Most integrations won't notice a thing. But if you're running on an older TLS stack, custom HTTP client, or a legacy proxy, now's the time to check.
What's changing
We're narrowing TLS 1.2 support down to two AEAD-based cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Everything else (CBC-mode suites and static RSA key exchange suites) is going away. Full list below.
Who should pay attention
- Custom integrations on legacy enterprise runtimes that don't auto-negotiate modern ciphers
- Integrations behind older TLS-terminating proxies or network appliances
- Anything running on an OS/runtime that's fallen out of mainstream support
If you're on a current JDK, .NET, Node.js, Python, Go, or Ruby runtime with an up-to-date Smartsheet SDK — you're already good. No action needed.
Before Sept 15, do this:
- Test against staging now.
api.test.smartsheet.com already has the new configuration live — run your integration against it to confirm compatibility. - Check your TLS client. Custom HTTP client or proxy in the mix? Confirm it supports
ECDHE_RSA_WITH_AES_*_GCM_*. - Upgrade legacy environments where the retained suites aren't supported.
Cipher suites being removed:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 — CBC modeTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA — CBC modeTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 — CBC modeTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA — CBC modeTLS_RSA_WITH_AES_128_GCM_SHA256 — Static RSA key exchangeTLS_RSA_WITH_AES_128_CBC_SHA256 — Static RSA + CBCTLS_RSA_WITH_AES_128_CBC_SHA — Static RSA + CBCTLS_RSA_WITH_AES_256_GCM_SHA384 — Static RSA key exchangeTLS_RSA_WITH_AES_256_CBC_SHA256 — Static RSA + CBCTLS_RSA_WITH_AES_256_CBC_SHA — Static RSA + CBC
Cipher suites being retained:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Why we're doing this
The retiring suites rely on CBC mode, which is vulnerable to padding oracle attacks, and they're prohibited under NIST SP 800-52 Rev 2. Cutting them removes a real man-in-the-middle risk and keeps us aligned with current security standards.
Got questions or hitting compatibility issues in staging? Drop them in this thread — we're watching it closely as the date approaches.