Changelog

All notable changes to the Headless Commerce platform are documented here.

Versioning Policy

  • API: Versioned via URL path (/v1/). No breaking changes within a major version. New fields may be added to responses (additive changes) without a version bump.
  • SDK: Follows Semantic Versioning (semver). Patch releases for bug fixes, minor releases for new features, major releases for breaking changes.
  • Dashboard: Continuously deployed. Version numbers track major feature milestones.
  • MCP Server: Follows semver, aligned with SDK releases.
We will never introduce breaking changes without incrementing the major version. Subscribe to the api-updates webhook event or watch our GitHub repository for release notifications.

2025-02-10 — Security Update

Security Enhancements

  • TossPayments webhook verification: All incoming TossPayments webhook payloads are now verified using HMAC-SHA256 signatures before processing. Unverified payloads are rejected with 401 Unauthorized.
  • Brute-force prevention: Login endpoints (POST /storefront/customers/login and POST /admin/auth/login) now enforce rate limiting — 5 failed attempts per 15 minutes per IP/email combination. Exceeded limits return 429 Too Many Requests with a Retry-After header.
  • Password policy enforcement: Customer and admin passwords now require a minimum of 8 characters with at least one uppercase letter, one lowercase letter, one digit, and one special character. Existing users are prompted to update on next login.
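
The brute-force limit described above, as an added example that is not the platform's own code: a sliding-window counter for failed logins keyed by IP and email, producing the 429 status and the Retry-After value. The class and method names, the in-memory Map store, and the email normalisation are assumptions.

```typescript
// Added example: limits taken from the changelog entry (5 failures / 15 minutes).
// FailedLoginLimiter and its methods are hypothetical names, not the platform's API.
const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;

type Decision =
  | { allowed: true }
  | { allowed: false; status: 429; retryAfterSec: number };

class FailedLoginLimiter {
  // In-memory store (assumption); a multi-instance deployment needs a shared store.
  private failures = new Map<string, number[]>();

  // Normalise the email so "A@x.com" and "a@x.com " share one counter.
  private key(ip: string, email: string): string {
    return `${ip}|${email.trim().toLowerCase()}`;
  }

  // Drop timestamps that have left the window and return the live ones.
  private live(k: string, now: number): number[] {
    const kept = (this.failures.get(k) ?? []).filter((t) => now - t < WINDOW_MS);
    if (kept.length > 0) this.failures.set(k, kept);
    else this.failures.delete(k);
    return kept;
  }

  // Call before verifying the password, so a blocked pair never reaches the check.
  check(ip: string, email: string, now: number = Date.now()): Decision {
    const kept = this.live(this.key(ip, email), now);
    if (kept.length < MAX_FAILURES) return { allowed: true };
    // The oldest counted failure leaves the window first; a retry is possible then.
    const oldest = Math.min(...kept);
    const retryAfterSec = Math.ceil((oldest + WINDOW_MS - now) / 1000);
    return { allowed: false, status: 429, retryAfterSec };
  }

  // Call after a failed password verification.
  recordFailure(ip: string, email: string, now: number = Date.now()): void {
    const k = this.key(ip, email);
    const kept = this.live(k, now);
    kept.push(now);
    this.failures.set(k, kept);
  }
}
```

A caller would send `retryAfterSec` as the value of the Retry-After header on the 429 response.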

2025-02-03 — New Features

Returns Dashboard

  • New Returns section in the admin dashboard with list, detail, and timeline views.
  • Filter returns by status (requested, approved, received, completed, rejected).
  • Inline actions: approve, receive, complete, or reject a return without leaving the list view.

Regions Settings

  • Regions management page in Settings for configuring multi-currency support.
  • Create and edit regions with country assignments, currencies, and tax rates.
  • Set region-specific prices per variant from the product detail page.

CSV Import/Export

  • Import: Upload CSV files to bulk-create or bulk-update products, variants, and customers. Supports three duplicate-handling modes: skip, update, or error.
  • Export: Download products, orders, or customers as CSV from the dashboard with column selection and date range filters.
  • Import jobs run asynchronously with progress tracking and error reports.

Draft Orders

  • Create draft orders from the admin dashboard for phone/manual orders.
  • Add items, set custom prices, apply discounts, and assign to a customer.
  • Convert a draft to a live order with a single click, triggering payment collection.

2025-01-15 — Initial Release

API v1.0.0

The first stable release of the Headless Commerce REST API, featuring:
  • Products: CRUD operations, variants, options, images, collections, and categories.
  • Orders: Create, update, cancel, and 3-axis status tracking (order/payment/fulfillment).
  • Carts: Session-based carts with item management, discount application, and checkout.
  • Payments: Stripe and TossPayments integration with payment confirmation and refund support.
  • Fulfillments: Create, ship, and deliver lifecycle with tracking information.
  • Discounts: Percentage and fixed-amount discounts with code-based and automatic application.
  • Returns: Customer-initiated return requests with admin approval workflow.
  • Refunds: Partial and full refunds linked to orders and return requests.
  • Regions: Multi-currency support with region-specific pricing and tax configuration.
  • Webhooks: Real-time event notifications with HMAC-SHA256 signature verification and automatic retries.
  • Customers: Registration, authentication (JWT), profile management, and order history.
  • Admin Authentication: API key (sk_* / pk_*) and OAuth 2.1 with PKCE support.

SDK v0.2.0

TypeScript SDK for both Node.js and browser environments:
  • Auto-pagination: Iterate over large collections with for await...of without manual cursor management.
  • Automatic retries: Configurable retry logic with exponential backoff for transient errors (5xx, network failures).
  • Idempotency keys: Automatically generated for POST/PATCH requests to prevent duplicate operations.
  • Admin and Storefront clients: Separate client constructors for server-side admin and client-side storefront usage.
  • Full TypeScript types: All request/response types are generated from the OpenAPI specification.

Dashboard v1.0.0

Complete admin dashboard built with Next.js 14:
  • Product management: Create, edit, and organize products with variants, images, and inventory tracking.
  • Order management: View orders with timeline, process payments, create fulfillments.
  • Customer management: View customer profiles, order history, and account status.
  • Discount management: Create and manage discount codes with usage tracking.
  • Settings: Store configuration, API key management, webhook setup, and team members.
  • Analytics: Overview dashboard with revenue, order count, and top-selling products.

MCP Server v0.2.0

Model Context Protocol server for AI agent integration:
  • 28 tools covering products, orders, carts, customers, discounts, fulfillments, and analytics.
  • Streamable HTTP transport for cloud deployment and stdio transport for local development.
  • Authentication: Supports API key and OAuth 2.1 for secure agent access.
  • Compatible with Claude Desktop, Cursor, and other MCP-compatible AI clients.