Changelog
All notable changes to the Headless Commerce platform are documented here.
Versioning Policy
- API: Versioned via URL path (/v1/). No breaking changes within a major version. New fields may be added to responses (additive changes) without a version bump.
- SDK: Follows Semantic Versioning (semver). Patch releases for bug fixes, minor releases for new features, major releases for breaking changes.
- Dashboard: Continuously deployed. Version numbers track major feature milestones.
- MCP Server: Follows semver, aligned with SDK releases.
api-updates webhook event or watch our GitHub repository for release notifications.
2025-02-10 — Security Update
Security Enhancements
- TossPayments webhook verification: All incoming TossPayments webhook payloads are now verified using HMAC-SHA256 signatures before processing. Unverified payloads are rejected with 401 Unauthorized.
- Brute-force prevention: Login endpoints (POST /storefront/customers/login and POST /admin/auth/login) now enforce rate limiting — 5 failed attempts per 15 minutes per IP/email combination. Exceeded limits return 429 Too Many Requests with a Retry-After header.
- Password policy enforcement: Customer and admin passwords now require a minimum of 8 characters with at least one uppercase letter, one lowercase letter, one digit, and one special character. Existing users are prompted to update on next login.
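An added example, not the platform's own code: a sliding-window limiter matching the brute-force entry above (5 failed attempts per 15 minutes per IP/email combination, 429 with Retry-After). The class name, the in-memory store, the email normalisation, and leaving the counter untouched on a successful login are assumptions the changelog does not specify.

```typescript
// Added example: failed-login limiter (hypothetical names, in-memory store).
const MAX_FAILURES = 5;            // limit stated in the changelog
const WINDOW_MS = 15 * 60 * 1000;  // 15-minute window stated in the changelog

type Decision =
  | { allowed: true }
  | { allowed: false; status: 429; retryAfter: number }; // retryAfter in seconds

class FailedLoginLimiter {
  // key -> timestamps (ms) of failed attempts still inside the window
  private failures = new Map<string, number[]>();

  // Assumption: "IP/email combination" is one composite key; the email is
  // trimmed and lower-cased so case variants share a counter.
  private key(ip: string, email: string): string {
    return `${ip}|${email.trim().toLowerCase()}`;
  }

  // Drop expired timestamps and free the entry when nothing is left,
  // so the map does not grow with one-off keys.
  private recent(k: string, now: number): number[] {
    const kept = (this.failures.get(k) ?? []).filter((t) => now - t < WINDOW_MS);
    if (kept.length > 0) this.failures.set(k, kept);
    else this.failures.delete(k);
    return kept;
  }

  // Call before verifying credentials, so a blocked key never reaches
  // the password comparison.
  check(ip: string, email: string, now: number = Date.now()): Decision {
    const kept = this.recent(this.key(ip, email), now);
    if (kept.length < MAX_FAILURES) return { allowed: true };
    // Blocked until the oldest counted failure leaves the window.
    const oldest = kept[0] ?? now;
    const retryAfter = Math.ceil((oldest + WINDOW_MS - now) / 1000);
    return { allowed: false, status: 429, retryAfter };
  }

  // Call after a credential check fails.
  recordFailure(ip: string, email: string, now: number = Date.now()): void {
    const k = this.key(ip, email);
    const kept = this.recent(k, now);
    kept.push(now);
    this.failures.set(k, kept);
  }
}
```

A multi-instance deployment would need a shared store in place of the Map; the window arithmetic stays the same.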
2025-02-03 — New Features
Returns Dashboard
- New Returns section in the admin dashboard with list, detail, and timeline views.
- Filter returns by status (requested, approved, received, completed, rejected).
- Inline actions: approve, receive, complete, or reject a return without leaving the list view.
Regions Settings
- Regions management page in Settings for configuring multi-currency support.
- Create and edit regions with country assignments, currencies, and tax rates.
- Set region-specific prices per variant from the product detail page.
CSV Import/Export
- Import: Upload CSV files to bulk-create or bulk-update products, variants, and customers. Supports skip, update, or error duplicate handling modes.
- Export: Download products, orders, or customers as CSV from the dashboard with column selection and date range filters.
- Import jobs run asynchronously with progress tracking and error reports.
Draft Orders
- Create draft orders from the admin dashboard for phone/manual orders.
- Add items, set custom prices, apply discounts, and assign to a customer.
- Convert a draft to a live order with a single click, triggering payment collection.
2025-01-15 — Initial Release
API v1.0.0
The first stable release of the Headless Commerce REST API, featuring:
- Products: CRUD operations, variants, options, images, collections, and categories.
- Orders: Create, update, cancel, and 3-axis status tracking (order/payment/fulfillment).
- Carts: Session-based carts with item management, discount application, and checkout.
- Payments: Stripe and TossPayments integration with payment confirmation and refund support.
- Fulfillments: Create, ship, and deliver lifecycle with tracking information.
- Discounts: Percentage and fixed-amount discounts with code-based and automatic application.
- Returns: Customer-initiated return requests with admin approval workflow.
- Refunds: Partial and full refunds linked to orders and return requests.
- Regions: Multi-currency support with region-specific pricing and tax configuration.
- Webhooks: Real-time event notifications with HMAC-SHA256 signature verification and automatic retries.
- Customers: Registration, authentication (JWT), profile management, and order history.
- Admin Authentication: API key (sk_*/pk_*) and OAuth 2.1 with PKCE support.
SDK v0.2.0
TypeScript SDK for both Node.js and browser environments:
- Auto-pagination: Iterate over large collections with for await...of without manual cursor management.
- Automatic retries: Configurable retry logic with exponential backoff for transient errors (5xx, network failures).
- Idempotency keys: Automatically generated for POST/PATCH requests to prevent duplicate operations.
- Admin and Storefront clients: Separate client constructors for server-side admin and client-side storefront usage.
- Full TypeScript types: All request/response types are generated from the OpenAPI specification.
Dashboard v1.0.0
Complete admin dashboard built with Next.js 14:
- Product management: Create, edit, and organize products with variants, images, and inventory tracking.
- Order management: View orders with timeline, process payments, create fulfillments.
- Customer management: View customer profiles, order history, and account status.
- Discount management: Create and manage discount codes with usage tracking.
- Settings: Store configuration, API key management, webhook setup, and team members.
- Analytics: Overview dashboard with revenue, order count, and top-selling products.
MCP Server v0.2.0
Model Context Protocol server for AI agent integration:
- 28 tools covering products, orders, carts, customers, discounts, fulfillments, and analytics.
- Streamable HTTP transport for cloud deployment and stdio transport for local development.
- Authentication: Supports API key and OAuth 2.1 for secure agent access.
- Compatible with Claude Desktop, Cursor, and other MCP-compatible AI clients.