Changelog

All notable changes to the SeloraX Platform API are documented here. Dates are in YYYY-MM-DD format.


2026-03-15

Added

  • Storefront Extensions: 9 new extension targets for the customer-facing store. Apps can now inject widgets, upsells, reviews, trust badges, countdowns, and more directly onto product pages, checkout, homepage, header, footer, and as floating embeds. Includes a dedicated StorefrontRenderer with 35+ components (including storefront-specific: Rating, Countdown, TrustBadges, ProductCard, SocialProof, StickyBar, Newsletter, Testimonial, VideoPlayer, Carousel, QuantitySelector, Modal).
  • Storefront Extension API: Public endpoints (no auth required):
    • GET /api/apps/extensions/storefront — fetch extensions by store + target
    • POST /api/apps/extensions/storefront/action — action proxy with SSRF protection, session token, 60 req/min rate limit
  • Cart Integration: Extensions can add/remove products from the shopper's cart via add_to_cart and remove_from_cart action types, with deduplication.
  • Customer Context Enrichment: Storefront extensions automatically receive is_logged_in, cart_item_count, and cart_total in their context.
  • Extension Analytics: Automatic impression tracking (EXT_impression), click tracking (EXT_click), action timing (EXT_action), and custom event support (EXT_custom). All events flow through the store's existing tracking system (FB Pixel, GTM).
  • Extension Caching: 5-minute sessionStorage cache for storefront extension data. Eliminates re-fetches on page navigation.
  • Lazy Loading: IntersectionObserver-based loading with 200px pre-load margin. Below-the-fold extensions don't fetch until near-visible.
  • Error Isolation: React Error Boundary per extension — one crash doesn't break others.
  • SeloraX Flow: Visual workflow automation app published to the marketplace. Drag-and-drop builder with 11 triggers, 13 actions, conditions (AND/OR logic), and wait delays. Includes template library (9 pre-built workflows), analytics dashboard, activity feed, undo/redo, keyboard shortcuts, and test run capability. Appears in the dashboard sidebar via navigation.link extension.
  • Developer Docs: New documentation sections: Storefront Extensions, Storefront Components, Context & Analytics, Storefront Sandbox, SeloraX Flow.

Fixed

  • Webhook retry policy: Corrected from "10 attempts / 10 failures" to 6 retry attempts (~14.5hr window) and auto-disable after 20 consecutive failures.
  • Billing commission: Corrected from "20%" to 10% platform commission across all documentation.
  • Rate limits: Corrected /session/verify rate limit from 60 to 300 requests/minute.

2026-03-09

Added

  • Extension Platform: Full extension system for building UI that renders natively inside the merchant dashboard. Supports 34 extension targets across orders, products, customers, dashboard, POS, checkout, fulfillment, navigation, settings, and the customer-facing storefront.
  • JSON Extensions: Declarative UI mode with 74 built-in components, 9 action types, template expressions ({{state.xxx}}), conditional rendering (when prop), and state management (bind, set_state, initial_state) — no JavaScript or hosting required.
  • Sandbox Extensions: JavaScript extensions running in isolated iframes with the @selorax/ui SDK. Full access to the selorax global object: API proxy, resource pickers, modal/drawer control, toast notifications, title bar, save bar, metafields, billing, webhooks, and i18n.
  • Extension CLI (@selorax/cli): Developer CLI for building, validating, and deploying extensions. Commands: auth:login, deploy, dev, generate, validate, versions, rollback. Available on npm.
  • Extension UI SDK (@selorax/ui): Component builder package with 74 builder functions and the selorax global object. Available on npm.
  • Extension API Endpoints: POST /api/apps/extensions/app (create), PUT /api/apps/extensions/app/:id (update), DELETE /api/apps/extensions/app/:id (delete), POST /api/apps/extensions/app/deploy (atomic deploy), GET /api/apps/extensions/page (fetch by target), GET /api/apps/extensions/sandbox-token (sandbox JWT), POST /api/apps/extensions/api-proxy (scoped API proxy).
  • Metafields API: Attach custom key-value data to orders, products, customers, and stores. Namespace-scoped, app-isolated, with batch operations.
  • Merchant Settings: Let merchants configure extensions with 6 field types (text, number, toggle, select, textarea, color) via a JSON schema.
  • Extension Version Management: Up to 25 version snapshots per app with rollback support.
  • Developer Docs: Six new documentation pages covering Extension Overview, JSON Extensions, Sandbox Extensions, CLI Reference, Metafields, and Merchant Settings.

Security

  • Store ownership middleware: All sensitive app management routes now validate that the authenticated user has access to the requested store.
  • SSRF prevention: call_backend and webhook URLs are validated against private/internal network addresses (IPv4 + IPv6).
  • Transaction safety: All metadata read-modify-write operations use database transactions with SELECT FOR UPDATE to prevent race conditions.
  • Path traversal prevention: API proxy paths are decoded and checked for .. sequences.
  • Scope enforcement: API proxy requests enforce the app's granted OAuth scopes.
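
One way to implement the SSRF and path traversal checks listed above, as an added example that is not SeloraX's own code. The blocked ranges, function names and sample inputs are assumptions.

```javascript
// Added example: block ranges, hostnames and paths are assumptions, not SeloraX code.
const V4_BLOCKED = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isBlockedV4(ip) {
  return V4_BLOCKED.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // addresses per block
    return Math.floor(v4ToInt(ip) / size) === Math.floor(v4ToInt(net) / size);
  });
}

// Expand URL-normalized IPv6 text (hex groups, optional "::") into 8 numbers.
function v6Groups(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const zeros = new Array(8 - h.length - t.length).fill('0');
  return [...h, ...zeros, ...t].map((g) => parseInt(g, 16));
}

function isBlockedV6(g) {
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) { // ::ffff:a.b.c.d
    return isBlockedV4([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.'));
  }
  return false;
}

// new URL() canonicalizes hosts first, so 0x7f.1 and 2130706433 become 127.0.0.1.
function isAllowedTarget(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const host = url.hostname.replace(/\.$/, '');
  if (host.startsWith('[')) return !isBlockedV6(v6Groups(host.slice(1, -1)));
  if (/^\d+(\.\d+){3}$/.test(host)) return !isBlockedV4(host);
  // Names still need their resolved addresses checked at connect time (not done here).
  return host !== 'localhost' && !host.endsWith('.localhost');
}

// Decode until stable so %252e%252e is caught, then look for ".." path segments.
function hasTraversal(path) {
  let cur = path;
  try {
    for (let i = 0; i < 3 && decodeURIComponent(cur) !== cur; i++) cur = decodeURIComponent(cur);
    if (decodeURIComponent(cur) !== cur) return true; // still encoded: reject
  } catch { return true; } // malformed percent-encoding
  return cur.split(/[\\/]/).includes('..');
}
```
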

2026-03-02

Added

  • Products API: category_id query parameter -- filter products by category.
  • Products API: price_min and price_max query parameters -- filter products by variant price range. Matches any non-deleted variant within the range.
  • Products API: search query parameter -- search products by name (partial match).
  • Products API: sort query parameter -- sort by created_at, updated_at, or name with optional :asc/:desc direction.
  • Orders API: customer_id query parameter -- filter orders by customer (user) ID.
  • Orders API: sort query parameter -- sort by created_at, updated_at, or grand_total with optional :asc/:desc direction.
  • Developer Docs: Changelog page (this page).
  • Developer Docs: FAQ page with common developer questions.

2026-02-28

Added

  • Custom Apps: Merchants can create private apps directly from the dashboard with instant API credentials.
  • Custom App Access Tokens: 1-year expiry with regeneration from the Manage page.
  • Custom App Webhooks: Optional webhook configuration during app creation with per-subscription signing secrets.

2026-02-01

Initial Release -- API v1

The SeloraX Platform API v1 is now available. This release includes:

Authentication

  • OAuth 2.0 Authorization Code flow with 60-second auth codes and 24-hour access tokens
  • Client credentials (server-to-server) with non-expiring client_id + client_secret
  • Session tokens for iframe-embedded apps (10-minute TTL, HMAC-SHA256 signed)

API Endpoints

  • Orders: list with pagination, get by ID with line items
  • Products: list with pagination, get by ID with variants
  • Customers: list and get by ID
  • Inventory: read stock levels
  • Store: read store information
  • Billing: create one-time, recurring, and usage-based charges; wallet debit/credit
  • Webhooks: create, list, and delete subscriptions programmatically

Webhooks

  • HMAC-SHA256 signed payloads delivered via Inngest
  • Event topics: order.*, product.*, customer.*, inventory.*, app.*, charge.*
  • Automatic retry with exponential backoff (6 total attempts: immediate, 1min, 5min, 30min, 2hr, 12hr — ~14.5hr window)
  • Auto-disable after 20 consecutive delivery failures

Billing

  • One-time charges, recurring subscriptions (monthly/annual), usage-based metering
  • Wallet system with pre-loaded balance
  • Platform commission (default 10%)

Embedded Apps

  • App Bridge for dashboard-iframe communication via postMessage
  • Session token flow for secure iframe loading

Identity Provider

  • "Sign in with SeloraX" (OAuth 2.0 + OIDC)
  • PKCE support for public clients
  • OpenID Connect Discovery endpoint