M
MAXFIdeveloper hub
Changelog

Changelog

Substantive changes to the API, webhooks, dashboard and docs. Subscribe via RSS at /changelog/rss.xml (coming soon) or get the same feed via webhook on maxfi.changelog events.

API

Bearer auth for API keys · status=open · success_url on root

  • ›Authorization: Bearer sk_live_… / sk_test_… now works everywhere (was routing to JWT verifier and 401-ing).
  • ›X-API-Key remains a legacy alias — pick one per request.
  • ›success_url / cancel_url canonical location is the top level of the body (Stripe-compatible). Legacy settings.* path kept for back-compat; top-level wins when both are set.
  • ›Checkout session initial status reported as `open` (was internal `pending`). Matches the documented enum open → processing → requires_action → succeeded/failed/expired.
  • ›Internal `connector` field removed from the POST /v2/payments/checkout public response (brand rule: merchants see only MAXFI).
API

Refunds v2: idempotency, partial chaining, audit log, payment.refunded webhook

  • ›POST /v2/payments/{id}/refund accepts idempotency_key (24h Redis cache).
  • ›refunded_amount + refund_count tracked atomically; over-refund returns 400 with remaining balance.
  • ›Each refund call enqueues a signed payment.refunded webhook to the merchant.
  • ›Audit stages refund_request and refund_response with duration_ms persisted.
API

GET /v2/payments and /v2/payments/{id} return full PCI-safe payment fields

  • ›Added card_last4, card_brand, source, customer_email, error_code, error_message, checkout_session_id, connector_transaction_id, metadata.
  • ›Lookup accepts payment_id, order_id, checkout session id (cs_*), or upstream reference.
  • ›Stable payment_id == checkout sessionId. No more duplicate rows when the upstream id is assigned later.
Webhooks

Outbound webhook delivery worker shipped (8 retries, exp backoff to 24h)

  • ›merchant_webhook_deliveries outbox table with FOR UPDATE SKIP LOCKED.
  • ›X-MAXFI-Signature: sha256=<hex>, X-MAXFI-Event, X-MAXFI-Event-Id, X-MAXFI-Attempt headers on every delivery.
  • ›Per-session webhook_url override on POST /v2/payments/checkout.
  • ›New event payment.requires_action — fires the moment a 3DS challenge URL is available.
Checkout

Checkout reliability fixes

  • ›HTTP timeout to upstream raised to 90s (slow synchronous flows used to time out at 30s).
  • ›Auto-confirm step after the initial create call when the upstream signals confirm.
  • ›Real status polling — getTransactionStatus now hits the live upstream endpoint, falls back to DB.
  • ›Both shapes of upstream redirect (next_action object and customer_interaction.redirect.url) are parsed.
Docs

dev.exezine.az launched — public Developer Hub

  • ›Animated landing, full /docs, /api, /webhooks, multi-language code samples (cURL, Node, Python, PHP, Go).
  • ›Search ⌘K, Ask AI panel, EN/RU/AZ language switch, /apply form (replaces direct portal link), /contact.
  • ›OpenAPI spec at /api/openapi.json · Markdown bundle at /api/openapi.md · printable PDF at /api/openapi.pdf.