March 2026

RBAC for Insights, Schema Registry Proxy, and cryptographic signing

Insights now respects RBAC permissions and adds dedicated pages for deeper analysis. Schema Registry Proxy secures and governs schema access. A new Gateway interceptor verifies data integrity with cryptographic signing.

View full release notes →

Schema Registry Proxy

Schema Registry Proxy sits between Kafka clients and a Confluent Schema Registry, adding authentication and authorization as a transparent layer. Producers and consumers keep working with just a URL change.

Authentication supports any OAuth2/OIDC provider via JWT. Authorization rules are set per subject, controlling read and write access per service account with wildcard patterns. Permissions are managed in Console and applied in real time over Kafka, so access changes take effect without a restart.

Insights for every team, not just admins

Insights now respects RBAC permissions, opening access to non-admin users for the first time. Platform teams can give developers, SREs, and team leads direct visibility into the health and cost of the topics they own. Cluster-level permissions provide full visibility across a cluster, while topic-level permissions scope results to the specific topics that user can access. Learn about Insights →

Dedicated pages and deeper filtering for Insights

Insights now splits into four dedicated pages: Overview, Risk Analysis, Cost Control, and VIP Topics. The Overview page surfaces top-level signals, with each card linking through to its detailed view.

New filtering options allow scoping by application or by topic prefix pattern (e.g., orders-*). Combined with RBAC, each user sees a view shaped by the topics and teams they work with. Explore Insights →

Filtering Insights by topic prefix pattern and topic type

Verify data integrity with cryptographic signing

A new Gateway interceptor signs records on produce and verifies them on consume, detecting if data was modified in flight or at rest. Gateway applies signatures transparently with no client code changes. Records that fail verification are dropped before reaching the consumer. Signing keys are managed in HashiCorp Vault with built-in versioning and rotation. Configure integrity signing →

Federated ownership improvements

Transactional ID support: Applications using exactly-once processing can now manage transactional ID ownership and permissions through self-service, eliminating manual admin intervention
Assignable permissions for access requests: Requesting and approving access is now an assignable permission scoped to each app instance, keeping the app owner as the decision-maker
Prefixed topic access: Teams can request access to an entire family of topics with a single request, removing friction from cross-team data sharing at scale

Learn about federated ownership →

Confluent Server topic configurations

Initial support for Confluent Server-specific topic configurations gives Confluent customers better visibility into their cluster setup directly within Console. Configure clusters →

Label insights (preview)

A new page under Settings shows how labels are used across your Kafka resources—coverage rates, most-used labels, and per-label breakdowns by resource type. Coverage is tracked across clusters, topics, consumer groups, connectors, applications, and service accounts. Filter by cluster or resource type to focus on specific areas. Learn about insights →

Label insights page

For a full list of changes, read the complete release notes.

Enjoying the new features? Share your experience on G2