Skip to main content

Changelog

2026-05-15
Self-serve user keys from the dashboard
Added — One-click mk_user_* issuance for verified users.Verified users can now mint and list their own mk_user_* keys directly from the dashboard at mareaalcalina.com/developers/keys — no partner bootstrap required. Keys issued this way start with the full post-verify scope set (catalog read/write, storefront publish), so you can drive the API against your own storefronts in a single click.What this means for you:
  • No more “you must be bootstrapped by a partner” path for solo builders. Sign up, verify, then issue a key.
  • Multiple keys per user. Mint one per environment or per integration; list and revoke them from the same page.
  • The raw key is shown once. Copy it on issuance — only the SHA-256 hash is stored server-side.
See Concepts → Keys for the full key model, and the quickstart to wire your first request.
2026-05-12
PRD-14 — Stripe-style webhook endpoints (model unification)
Added — Webhook endpoints as first-class objects.Stripe-style endpoint model: each endpoint owns its URL, its subscribedEvents[] list, and its own 64-char-hex signingSecret. Up to 16 endpoints per account.
  • REST CRUD: POST /v1/webhook_endpoints, GET /v1/webhook_endpoints, GET /v1/webhook_endpoints/:id, POST /v1/webhook_endpoints/:id (update), DELETE /v1/webhook_endpoints/:id. Required scope: developer:webhooks (new keys) or developer:bootstrap (existing keys continue to work via any-of).
  • Order events on developer endpoints: a single developer endpoint receives order.* events from every storefront your key bootstrapped — no per-merchant endpoint registration needed.
  • Signing: HMAC-SHA256 with the endpoint’s raw 64-char-hex signingSecret for every event type.
  • Envelope carries eventId (UUID v4 — receiver dedup key) + apiVersion: 2026-05-12. Headers: X-Marea-Endpoint-Id, X-Marea-Signing-Version.
  • Dashboard at /developers/webhooks manages endpoints (create / edit / pause / rotate / delete / test fire / view recent deliveries).
  • Phase B (deferred): the same multi-endpoint model will roll out for merchant-configured page webhooks in a follow-up release.
2026-05-10
Docs site accuracy + DX overhaul
Improved — comprehensive docs audit + Stripe-style cleanup.Following the first public publish, a senior-engineer pass cross-checked every claim in the docs against the cloud-functions Zod contracts as ground truth.
  • API Reference now covers all 13 v1 operations (previously a Phase-1 stub with /v1/me only). openapi.json is script-generated from the cloud-functions Zod schemas via @asteasolutions/zod-to-openapi (zero drift): tags, operationIds, both security schemes (Bearer + X-API-Key), rate-limit response headers, idempotency headers, and full $ref to ApiErrorResponse on every 4xx/5xx.
  • Stripe-style URL slugs. API reference pages now ship at clean URLs like /api/storefronts/create-storefront and /api/identity/get-current-identity (previously they were verbose auto-slugified sentences).
  • Plan limits corrected. plan.limits shape is {storefronts, products, publishable} (not the docs’ previous {maxStorefronts, maxProducts, canPublish} invention). Free plan has two variants (FREE_NEW 1 storefront, FREE_OLD legacy 3 storefronts). Pre-paywall accounts have a 2,000 draft-product cap. Single-product POST returns plan_max_products_reached, not products_over_limit (the latter is the 207-batch path).
  • Scopes corrected. Eight real scopes: developer:bootstrap, developer:read, developer:issueUserKey, catalog:read, catalog:write, storefront:publish, me:verify, me:resendVerification. Earlier docs referenced a non-existent users:bootstrap — now removed everywhere.
  • Error codes: ~40 real error.code values cross-checked against grep ApiError across src/api/. Removed fabricated codes (validation_failed, product_not_found, invalid_request_body, rpd_exceeded-as-code) that the docs invented; replaced with the real ones (invalid_request, storefront_not_found, rate_limit_exceeded). rpd_exceeded/rpm_exceeded continue to surface inside error.message only.
  • MCP quickstart: install path now uses the mcp-remote bridge (verified package). Tool count corrected to 7 (verify + resend are REST-only by design).
  • Four concept pages that were placeholders are now real content: verification-flow, tos-jurisdiction, arco-procedures, versioning. Each is sourced from cloud-functions handlers, with TTLs, lockouts, cancel reasons, and breaking-change rules from code.
  • Homepage: removed redundant H1 + intro paragraph that duplicated frontmatter title/description (Mintlify renders both automatically). Added a “Webhook surfaces” CardGroup so first-time readers see both surfaces.
  • Receiver helpers: concepts/webhooks now ships full JS + Python verifiers in api/webhooks/*.mdx, with the X-Marea-Source (developer vs merchant) header disambiguating event sources.
19 files changed; Mintlify validate + broken-links both green.