New lj_pk_test_ key prefix for prototyping. Test keys tag writes with is_test=true, skip real email sends, skip webhook dispatch, and skip earnings limit checks. Dashboards filter test data by default. Live keys keep the lj_pk_ prefix (backwards compatible).

Dedicated setup guides for Claude Desktop, ChatGPT, Cursor, VS Code, Windsurf, and other MCP clients. Each includes verified config snippets, deeplink install buttons where supported, and official documentation links.

Task-oriented tutorials under /developers/guides — track a conversion, invite affiliates programmatically, sync conversions from your database, auto-approve commissions, set up webhooks, build a custom dashboard.

Outbound webhook URLs now validated via isPublicHttpsUrl() — blocks localhost, 127.0.0.0/8, RFC1918 private ranges, 169.254 metadata endpoints, 100.64 CGNAT, IPv6 loopback, and .local/.internal hostnames. Re-checked on test dispatch.

Parity with webhook handlers: hasReachedMonthlyEarningsLimit() blocks conversions past plan cap, detectSelfReferral() runs when clickId + customerEmail are supplied. Test keys bypass both.

Every write (POST/PATCH/DELETE) and every failed auth attempt is now logged with api_key_id, merchant_id, method, path, status_code, error_code, ip_address, user_agent. Successful GETs skipped. Query via Neon MCP for abuse investigation.

Lightweight key-verification endpoint. Returns merchant info, key permissions, keyType (live/test), plan, and current rate-limit status. Replaces hitting a real endpoint to check if your key works.

Fetch a single affiliate with campaign associations and aggregated earnings across your campaigns.

POST /v1/webhooks/:id/rotate generates a new signing secret. POST /v1/webhooks/:id/test sends a signed ping event and returns the HTTP status from your URL.

All list endpoints (campaigns, affiliates, conversions) accept sort=<field>:<asc|desc>. Default sort varies per endpoint.

Pro plan bumped to 60 req/min (from 10). Ultimate plan bumped to 300 req/min (from 10). The /v1/affiliates/invite endpoint has a tighter 10/min cap to protect email deliverability.

All errors now use { error: { code, message, details? } } envelope with a consistent machine-readable code. Previously some endpoints returned { error: "string" }. Old callers may need to update parsing.

Every API response now includes X-API-Version, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, and proper CORS headers. 429 responses include Retry-After.

Public REST API with 15 endpoints covering campaigns, affiliates, conversions, stats, webhooks. Bearer token auth via lj_pk_ keys. Available on Professional (read-only) and Ultimate (read + write) plans.