# Changelog

**15/06/2026**

- **[Breaking-ish]** Middleware destination `timeoutMs` now accepts `1` through `10000`, clamps to 10 seconds, and still defaults to 5 seconds.
- Middleware Config list `status` now explicitly allows an empty query value; empty or `not-deleted` excludes deleted configs.
- **[Breaking]** Middleware routes now use `idRoute` string route keys plus `priority` for evaluation order. The default route is `idRoute: "default"` with `priority: 0`; non-default routes use priorities `1` through `255`.
- **[Breaking]** Middleware funnel connections now use `connectionMiddlewareParams.onRouteId` with string route keys such as `approved`, `review`, or `default`.
- **[Breaking-ish]** Middleware reporting logs now return `matchedRouteID` as the string route key and no longer expose `matchedRouteLabel`. Middleware summary rows include `averageLatencyMs`.
- Added `hasBasicAuthPassword` and `hasHmacSecret` to `MiddlewareDestination` so clients can detect and preserve stored middleware destination secrets. REST read responses now return `********` placeholders instead of real `basicAuth.password` or `hmacSecret` values when those secrets are set.
- Added `nodeMiddlewareRefParams.destinationOverrides` for middleware funnel nodes, supporting node-level `headers`, `basicAuth.username`, `basicAuth.password`, `hmacSecret`, `hasBasicAuthPassword`, and `hasHmacSecret` without overriding destination URL, method, or type.
- Documented `execute_timeout_ms` in outbound Middleware Node POST payloads and added [Middleware Function Templates](/middleware-templates) with copy-ready JavaScript, TypeScript, Python, Go, Cloudflare Workers, and Google Cloud Functions examples.
- Removed `MiddlewareRoute.responseMode` from the Middleware Config contract. Middleware routes now always continue through the selected funnel connection; no `navigate`, `return_success`, or `return_reject` response modes are exposed in the MVP API.
- Tightened middleware condition validation docs: `body_json.<path>` accepts dot segments only, `status_code` values must be integer HTTP codes from `100` to `599`, and `body_text` supports text operators.
- Updated `MiddlewareDestination.url` documentation to clarify that middleware destinations must be HTTPS outside development environments.
- Documented that FunnelFlux token placeholders are plaintext-only for middleware destination URLs and are not expanded inside custom header values.
- Added global page group category endpoints on both `/page/group/*` and `/pagegroup/*` paths using `categoryType=landerGroup` or `categoryType=offerGroup`; only global page groups are category-managed.
- Added reporting attributes `Element: Global Lander Group Category` and `Element: Global Offer Group Category`.

**12/06/2026**

- Added Middleware Config endpoints under the Assets API for listing, finding, creating, updating, deleting, duplicating, archiving, unarchiving, and moving middleware configurations by category.
- Added `POST /reporting/logs/middleware/summary` to return middleware configuration assets merged with middleware execution-log aggregates.
- Added a [Middleware Nodes](/middleware) guide covering synchronous routing behavior, request payloads, delivery headers, route evaluation, timeouts, fallback behavior, and destination restrictions.

**09/06/2026**

- Updated `POST /auth/login` to document the MFA-required response shape with `mfa_required`, `mfa_token`, `factor`, and `mfa_requirements`; internal MFA follow-up endpoints remain hidden from the public API docs.
- Corrected Auth API token and user response field types: `expires_at` and `updated_at` are numeric timestamps, `permissions` is an array of strings, and `email_verified` is a boolean.

**08/06/2026**

- Added Logic Script asset endpoints under the Assets API for listing, finding, creating, updating, deleting, duplicating, archiving, unarchiving, and moving Logic Scripts by category.
- Added Logic Script helper endpoints: `GET /logicscripts/language` for the backend-owned language catalog and `POST /logicscripts/validate` for validating script code, static route keys, and dynamic route detection.
- Added funnel logic-node routing support through `connectionLogicParams.onRouteKeys[]`; connect a `default` route for runtime fallback when validation, compilation, execution, or dynamic route matching cannot produce a connected route.
- Updated funnel delete documentation to clarify that Logic Scripts are global assets and are not deleted by funnel cascade.
- Added a [Logic Scripts](/logicscripts) guide for building route-key scripts, including a copyable AI prompt for generating valid snippets.

**01/06/2026**

- Added Webhook Config endpoints under the Assets API for listing, finding, creating, updating, deleting, duplicating, archiving, unarchiving, and moving webhook configurations by category.
- Added `POST /reporting/logs/webhooks/summary` to return webhook configuration assets merged with webhook delivery-log aggregates.
- Added funnel schema support for webhook nodes and action-triggered webhook dispatch via `nodeWebhookRefParams`, `connectionActionParams.webhookConfigIDs`, and `connectionActionProxyParams.webhookConfigIDs`.
- Added [Webhook Payloads](/webhooks), including the public `webhook_outbound_payload_v1` delivery headers, event types, examples, and downloadable JSON Schema.

**23/05/2026**

- Bulk delete and archive endpoints for offer sources, categories, campaigns (funnel groups V1), and funnel groups V2 now accept a `ParentMutationRequest` body with a `cascadeAction` of `cascade`, `move`, or `orphan`, plus an optional `targetParentID` (required when `cascadeAction` is `move`). Omitting cascade options preserves existing behaviour. Legacy single-ID query parameters (`idOfferSource`, `idCategory`, etc.) remain accepted for backwards compatibility.
- Funnel delete now documents its cascade scope: funnel-scoped (local) assets are soft-deleted alongside the funnel — page groups, conditions and logic scripts whose `restrictToFunnelId` points at it, plus AI node settings belonging to that funnel.
- Added `POST /reporting/update/customevents/` to submit custom event updates.
- Visitor Tag endpoints (`/visitor-tags/...`) are now fully documented: find, list, list-by-status, create, update, duplicate, delete, archive/unarchive, and move-category.

**08/05/2026**

- Conditions now use a route ID and a priority key to determine where each route goes and the order in which routes are processed. This separates ordering from connection logic. Use the new route IDs and priorities. For IDs, use `route_{id}` and generate the ID with our normal ID generator for consistency. Route IDs can also be names of your choosing.
- Consolidated category APIs to one canonical `/category` API rather than endpoints nested under other assets.
- Many other changes not previously added to this changelog.

**19/06/2024**

- **[Breaking Changes]** The raw events API has been updated to a new approach that returns data based more directly on our DB columns:
  - All metrics are now selected through the `restrictToMetrics` attribute
  - A maximum of 15 columns of data can be returned per request
  - You can now directly access tracking field data with this approach
  - Maximum paging length has been increased from 1,000 to 10,000
  - Note that because this accesses raw data, it currently does not resolve names, just IDs. We will extend this later to add mappings for asset IDs

**11/06/2024**

- Added `conversionTime` attributes to conversion uploads
- Added `disablePostback` attributes to conversion uploads
- Updated hit reporting spec, pending changes in the UI

**03/04/2024**

- Added `restrictToMetrics` and `returnUniqueVisitors` information to reporting API.

**15/07/2023**

- Updated API domain to `api.funnelflux.pro`

**03/09/2022**

- Added ID generation article

**22/06/2022**

- Initial release of the v1 API docs, with limitations and some omissions
