We’ve created a new Stripe plugin, api-plugin-payments-stripe-sca, and we recommend that all users of the existing Stripe plugin migrate to it. api-plugin-payments-stripe is now deprecated and will be supported until October 31, 2021. This release also affects the example-storefront repository, which now includes components to support 3D Secure validation.

Thanks to contributor Janus Reith for his input.

The new plugin is designed to comply with the current Strong Customer Authentication (SCA) regulation, part of PSD2 regulation in Europe, which requires changes to how your European customers authenticate online payments.

We’ve added a new series of Allowlists endpoints that are functionally identical to the Whitelists endpoints, but use new inclusive terminology instead. 

In an effort to move towards using more inclusive terminology in our application, we’ve changed all instances of the terms “blacklist” and “whitelist” to “denylist” and “allowlist,” respectively. There may still be lingering uses of the old terminology in API responses or webhooks; please know that we are working on retiring all instances of those terms.

When deleting an API key or removing an authorized app connection, we will remove the batch webhooks created by that key or connection.

When a batch job completes, we send that response body to all created webhooks. Previously, these batch webhooks weren’t cleaned up when a user disconnected from an authorized app, or removed an API key.

Apple is launching Apple Mail Privacy Protection, which may change campaign reporting data. Check out our Apple Mail Privacy Protection Resources for more.

The Apple Mail Privacy Protection changes coming in iOS 15 will change Mailchimp’s email tracking for iOS users who opt in. Check our FAQ, but you may want to review how you use data and features related to opens and user location. If you surface this data in your integration, we recommend providing context on Apple’s changes.

We’ve added a limit to the number of batch webhooks you can create: going forward, you will not be able to exceed 20 batch webhooks for a given Mailchimp account. If you attempt to create a new batch webhook via the POST /batch-webhooks endpoint and have already exceeded the limit, a 400 status code will be returned. In order to resolve this error, you will have to delete an existing batch webhook via the DELETE /batch-webhooks endpoint.

Most users of the Batch Webhooks endpoint create fewer than 20 webhooks for their account. Allowing an unlimited number of webhooks for each account can have performance implications for the API.

Version 4.0 of Mailchimp Open Commerce removes the Hydra and Identity services from the development platform. The authentication APIs are now part of the GraphQL server.

Store implementers now need to create their own signup and login interfaces using accounts-js. All existing users will be logged out, but their login credentials should carry over and they shouldn’t have to update their passwords.

Implementers who need Hydra should continue using version 3.x.

Identity and Hydra enabled OAuth 2 authentication and created a single authentication service for both the storefront and the admin dashboard. These services were hard to deploy and overkill for developers who wanted to get Open Commerce up and running quickly. 

Reducing the number of default services should make it easier to use and extend Open Commerce. This is part of a broader plan to use libraries for the storefront and admin dashboard user interfaces. Under this plan, the development platform will provide an integration layer, rather than the services themselves.

Removing Hydra and Identity also reduces the footprint of Meteor, bringing us closer to our goal of completely eliminating Meteor from the codebase.

You can now remove the tracking slugs for google_analytics or clicktale when you update Campaign tracking by passing in an empty string.

There was a bug that caused empty strings to be ignored when setting these properties. We’ve fixed updating Campaigns to properly handle these fields: no change if they’re not included in the PATCH body, but removed if they’re passed in as an empty string.