Change record status: 
Project: 
Introduced in branch: 
8.x-2.x
Introduced in version: 
8.x-2.0
Description: 

Creating, updating or deleting config entities via JSON API is not safe because config entities do not have robust validation constraints at this time.

JSON API 1.x chose to allow mutations without validation. While this is acceptable in a decoupled admin UI case where the API consumer is a trusted party, it is not secure otherwise. Even a trusted consumer could accidentally break their site due to that missing validation.

JSON API 2.x removes support for config mutation. It will be restored when the Drupal core configuration entity API supports the necessary underlying APIs to do so again safely.

If you're currently using this feature and want to continue to do so, regardless of risk (because you're managing the risk), installing JSON API Extras will allow you to do so.

Impacts: 
Site builders, administrators, editors
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done