Changelog
Webhook Secret Isolation
Webhook payloads are now signed with a dedicated per-store secret (nj_wh_ prefix) fully decoupled from the REST API key. Previously the API key was used as the HMAC signing secret, linking the two attack surfaces. Merchants can rotate the webhook secret from the dashboard without affecting API authentication.
Login Exponential Rate Limiting
The login endpoint now enforces 5 attempts per 15-minute window with exponentially doubling penalty windows on repeated failures. Rate limit state is stored in Redis to persist across serverless cold starts.
Server-Side Dashboard Authentication
Unauthenticated requests to /dashboard routes now receive a 307 redirect to /login enforced at Vercel Edge middleware before any page code executes.
Invoice Rate Limiting
The public GET /api/v1/invoices/:id endpoint is now limited to 10 requests per minute per IP. All invoice IDs use UUIDv4.