Release notes

Changelog

What changed in the NerezPay API and SDKs.

DateChange
2026-05-06Webhook signing v2: the signature is computed over "<timestamp>.<body>"; the X-PSP-Signature header is now t=…,v1=…,v2=…. Replay-attack protection. v1 keeps working for legacy clients; verifyWebhook in all 8 SDKs supports both formats.
2026-05-06nerezpay login + ~/.nerezpay/config.json: multiple profiles, key check on save, nerezpay status / nerezpay use / nerezpay logout.
2026-05-06nerezpay trigger: payment.succeeded/failed/fraud/refunded/cancelled, payout.succeeded/failed — synthetic events in a single command.
2026-05-06Live API Explorer: session memory for dependent endpoints. POST /payments → cancel/refund/get automatically pick up payment.id.
2026-05-06Algolia DocSearch: supported via NEXT_PUBLIC_ALGOLIA_* env. If unset — falls back to local full-text search (no Algolia signup needed).
2026-05-06nerezpay-cli: local helper, tails webhooks via SSE and forwards to localhost. go install github.com/nerezpay/cli/nerezpay@latest.
2026-05-06Live API Explorer: a Run button on every endpoint, fires a request with your test key right from the docs without CORS (via the /api/docs-runner proxy).
2026-05-06SDKs for 8 languages: Node.js, Python, PHP, Ruby, Java, .NET, Go, Flutter/Dart. All with automatic idempotency and webhook signature verification.
2026-05-06Docs search palette (⌘K) with match highlighting.
2026-05-06"Best practices" section: webhook dedup, 429 handling, security checklist, monitoring.
2026-05-06OpenAPI 3.0 spec: interactive Swagger UI at /docs/openapi, downloadable openapi.yaml, ready-made base for SDK generation in 50+ languages.
2026-05-06Multi-language code tabs (curl / Node.js / Python / Go / PHP) on key endpoints; previously curl-only.
2026-05-06Idempotency-Key is now Stripe-style: repeat with the same body returns the existing object (200 OK + idempotent: true), repeat with a different body returns 409 idempotent_conflict.
2026-05-06"Recipes" section: accept a payment, partial refund, polling, realtime SSE.
2026-05-06Starter Node.js SDK @nerezpay/sdk: createPayment / createPayout / verifyWebhook + TypeScript types.
2026-05-06Added sections: "Sandbox (simulator)", "method any (multi-form)", "metadata field", "Customer return", "SBP banks", "Realtime (SSE)", "Failure codes".
2026-05-06Unified failure_code: the merchant sees our dictionary (insufficient_funds, card_declined, …); the raw bank code lives in metadata.bank_failure_code for audit.
2026-05-06A public SSE channel went live: GET /v1/public/events under a Bearer key.
2026-05-06An SBP bank directory went live: GET /v1/public/banks/sbp.
2026-05-06After payment we return the customer to return_url with ?payment_id=…&status=… query parameters.
2026-05-06Enabled HMAC signature checking and IP allow-list on the public API. A "Require signature" option appeared on the shop. Without it requests return 401.
2026-05-06Idempotency-Key now works for real: a repeat request with the same key returns the previously created payment/payout instead of creating a duplicate.
2026-05-06Enabled per-merchant rate limiting on the public API. Limits are configured in the admin panel (the "API limits" section). Default: 20 burst + 1 req/sec.
2026-05-06Payment cancel and refund are now available under a Bearer key (POST /public/payments/{id}/cancel and /refund).
2026-05-06Added payment.cancelled and payment.expired webhook events.
2026-05-06Docs narrowed to the public API surface. Shop settings and webhook endpoint CRUD live only in the dashboard.
2026-05-05Brought the webhook event list in line with the real backend.
2026-05-05Multi-language HMAC signing examples: Node.js, Python, Go, PHP, Ruby, C#, Java.
2026-05-05Every public endpoint got curl samples and response examples.
2026-05-04Added the intermediate processing status with bank TTL.
2026-05-04TTL reconciler: pending over our TTL → expired, processing over the bank TTL → expired.
2026-05-04Payment response now includes the refunds[] list and amount_refunded.