<!--
Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md
-->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed an issue where include-by-default products were not appearing in
subscription results when other products in the same product line had
only inactive subscriptions.
* **Tests**
* Added test coverage for include-by-default product behavior in
subscription scenarios with inactive subscriptions.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Summary of Changes
Previously, on the Swift SDK, the `signInWithOAuth` function wasn't
working. In this PR, we fix it by having the `getOAuthUrl` function to
actually redirect correctly. Note that to do so, we updated the
`validRedirectUrl` check on the backend to accept app native redirects
(from our new trusted url scheme). Another thing to note is that we
added functionality to the `TokenStore` abstraction to conditionally
refresh the access token that the user is trying to fetch if it is
expired/close to expiring if possible. `getOAuthUrl` will attempt to get
a valid access token, and thus will rely on our algorithm documented in
`utilities.md`.
The specs serve as the source of truth.
We go further and implement Apple Native sign in. To do so, we have it
hit a new route on the backend and verify the `jwtToken` retrieved by
the sdk against an Apple-provided set of `jwks`. We use jose to do so,
in line with the rest of the codebase.
We take this opportunity to refactor the oauth provider route owing to
the amount of duplicated logic. Additionally, to enable the apple sign
in, users will have to update the Apple authentication method modal on
the dashboard and add accepted bundle ids. These are identifiers for
projects, and we will check the `JWT` on the backend to make sure the
audience is set to an accepted bundleId.
We also update the Apple modal to be more informative.
### Using the new Features
To use the Apple native sign in, users will have to 1) sign up with an
apple developer account, 2) set up their bundleids for their projects by
connecting them to the apple developer account, 3) update the Stack-Auth
Authentication Methods dashboard apple modal with the relevant fields.
Then, trying to sign in with apple with our Swift SDK will use the apple
native sign in.
### UI Changes
Renamed the fields in the apple modal. Added a new field for bundle ids.
See below.
https://github.com/user-attachments/assets/0e760c0e-3198-4818-ac7f-4900d7a125bb
Co-authored-by: Konstantin Wohlwend <n2d4xc@gmail.com>
<!--
Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md
-->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a comprehensive payments data-integrity verifier, Stripe payout
reconciliation, API validation helpers, and a throttled progress utility
for long-running checks.
* **Bug Fixes**
* Improved subscription/product filtering to correctly respect customer
type during verification.
* **Chores**
* Reorganized verification scripts and updated the verification
entrypoint invocation.
* **Tests**
* Enhanced test fixtures to include full product data for subscriptions.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!--
Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md
-->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Security**
* Added client-side access checks on payments endpoints and expanded
customer-type handling (including a new "custom" type).
* **SDK / Client**
* Client interface methods now accept explicit request types
(client/server/admin) to route requests appropriately.
* **Server**
* New server-side product listing to support server requests and
caching.
* **Tests**
* E2E tests updated to use a fast sign-up flow and pass authentication
tokens for authorized requests.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!--
Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md
-->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Removed Features**
* Dashboard embed functionality has been removed from the platform.
* Python template documentation and guides have been removed.
* **Documentation**
* Documentation structure has been significantly reorganized and
simplified.
* Extensive template content and component guides have been removed.
* Apple OAuth integration guide updated with streamlined secret
generation flow.
* **Refactor**
* Button component styling and variant system updated.
* Routing configuration updated with simplified path handling.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<img width="553" height="471" alt="Screenshot 2026-01-14 at 12 16 36 PM"
src="https://github.com/user-attachments/assets/9f32473d-5294-4cf7-b527-0668fb04ae47"
/>
<img width="630" height="514" alt="Screenshot 2026-01-14 at 12 17 06 PM"
src="https://github.com/user-attachments/assets/b17f57f7-148d-4438-b337-df7516d1793e"
/>
<!--
Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md
-->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Expanded Stripe webhooks: handles invoice and one‑time/subscription
events, sends templated payment receipt and failure emails, posts
chargeback alerts to Telegram.
* Customer invoices API plus client and UI support for listing invoices;
backend stores invoice status, total, and hosted URL.
* **Tests**
* Added end‑to‑end tests for new webhook scenarios (receipts, failures,
chargebacks) and invoices API with email outbox checks.
* **Chores**
* Centralized Telegram helpers and improved formatting, validation, and
reliability.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> Introduces end-to-end invoice visibility and payment notifications.
>
> - **Emails:** Adds default `payment_receipt` and `payment_failed`
templates and sends them from Stripe webhooks for one-time and
subscription payments (skips non‑uncollectible failures); resolves
recipients for users/teams.
> - **Webhooks:** Expands handled events; upserts invoices on
`invoice.*`; stricter unknown-type handling; adds Telegram chargeback
alert; refactors init script Telegram sending.
> - **Data model:** Extends `SubscriptionInvoice` with `status`,
`amountTotal`, `hostedInvoiceUrl` and writes them via
`upsertStripeInvoice`.
> - **API/SDK/UI:** New paginated `GET
/payments/invoices/{customer_type}/{customer_id}`; client interface
(`listInvoices`, hooks) and template Payments panel render an invoices
table.
> - **Tests:** E2E for invoices access, webhook behaviors, and email
delivery.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
edc8fe5651. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
### Summary of Changes
We would like to setup a payment settings page. Here, developers should
be able to toggle test mode, see their stripe connection status, and
adjust the payment method configs.
## Test Mode Toggle
This will exist in concert with the test mode banner.
## Stripe Connection Status
While users cannot see the page unless they create a stripe account,
they can still see it if they've created the stripe connected account
but haven't finished onboarding. This is a handy place for them to
finish their onboarding.
## Payment Methods
We would like developers using our payments feature to be able to set
what payment options should be made available to their users.
Consequently, we create a route and a page on the dashboard which hits
that route to update what payment options are made available. The UI
stores "pending changes" which represent updates to be made to the
payment method configs corresponding to that project's connected stripe
account. These are then sent to the backend, validated with a schema,
and then updated using stripe.
We also note that some payment methods have dependencies on others: for
example, the "apple pay" method cannot be enabled if the "debit/credit
cards" method is not enabled. We note the two cases where it is observed
to happen and raise an alert using `toast` to make it clear to the
developer, and make it extensible in case other dependencies are added
in the future. To ensure synchronization between the frontend dashboard
UI and the backend route handler on the payment method names, we have
both pull from a shared utility file. This ensures only one update will
need to be made.
**NOTE 1:** We chose to build our own component rather than using the
Stripe embedded component as the Stripe component is still in
pre-release mode.
**NOTE 2:** To disable specific payment methods for all our users, we
should update the platform account config in Stripe for stack-auth. This
will prevent said payment method from being made available to them.
**NOTE 3:** We skip the multi-account method config isolation test
because the stripe mock server does not support testing with multiple
accounts. However, the logic of the test has been verified with a real
stripe account.
### UI Demo
For this demo, I had a pre-created checkout link for a one-time purchase
of a product for 100$.
https://github.com/user-attachments/assets/a0139ee8-a9ce-480c-b8b5-9b5fb1e9c15f
### Summary of Changes
We ran into an error on sentry when the vercel fallback and freestyle
improvements were pushed to prod. Spiking into the error handling
revealed that the errors could be more informative to enable easier
debugging.
We improve the error handling and add extra test coverage to cover the
error pathways through the code. Note that we do not test vercel sandbox
itself nor the fallback mechanism-this is because a) these will be
logged and tested in prod with the sanity test code, and b) creating a
mock vercel sandbox instance the way we have a mock freestyle server
would just slow down any tests that pass through the email rendering
pipeline, all for something thats meant to just be a fallback. However,
locally, we tested with scripts and real vercel sandbox test project to
success. Note that we also tried running the existing email-rendering
test suite with fake freestyle credentials and real vercel-sandbox
credentials (to mimic the fallback) and they passed.
