Skip to content
Tilt Developer Docs

Changelog

All breaking changes are versioned. The current API version is v1.

v1.2 — 2026-05-12

Outbound webhooks (Workstream B)

  • New webhook event surface: payment.approved, payment.refunded, payment.voided, payment.cancelled, payment.expired, payment.reversal_settled, payment.reversal_failed
  • Register endpoint via admin portal under Partner → Integrations → Webhooks; requires tilt/webhooks:subscribe scope for M2M management
  • HMAC-SHA256 signature on every delivery (X-Tilt-Signature: hmac-sha256=<hex>)
  • Exponential back-off retry (up to 5 attempts); terminal failures land in DLQ visible in admin portal

Hosted payment form (Workstream C)

  • POST /pos/v1/orders now accepts return_url and cancel_url; response includes hosted_checkout_url (nullable) when a payment form URL is generated
  • GET /pos/v1/public/hosted-checkout?token=<jwt> — public Valor Passage page, no auth required; token is minted server-side

SSO launch links (Workstream D1)

  • New endpoint: POST /pos/v1/launch-tokens — requires tilt/pos:launch scope
  • New public endpoint: POST /pos/v1/public/launch-exchange — exchanges token for Cognito session, auto-provisions POS user on first use
  • Token TTL: 10 minutes; single-use
  • Launch token payload now requires location_id; role_slug controls first-provision role (default location_cashier)

Level 3 enhancements (Workstream F)

  • order.external_reference (PO/invoice number) is now forwarded to Valor as customer_reference in Level 3 card-present requests

v1.1 — 2026-05-10

M2M API authentication (Workstream A)

  • POST /pos/v1/orders now accepts M2M client_credentials tokens in addition to user JWTs
  • New well-known endpoints: GET /pos/v1/.well-known/openapi.json, GET /pos/v1/.well-known/asyncapi.json
  • Added opened_by_m2m_client_id to order records (null for human-created orders)
  • external_reference, external_source, external_id fields now accepted on POST /pos/v1/orders
  • Level 3 data (level3) now accepted on POST /pos/v1/orders

v1.0 — 2026-04-29

Initial partner API surface:

  • GET /pos/v1/locations — list locations in partner scope
  • GET /pos/v1/locations/{id} — get location detail
  • POST /pos/v1/orders — create order (human auth only in v1.0)
  • GET /pos/v1/orders/{id} — get order
  • POST /pos/v1/orders/{id}/payments — initiate payment
  • POST /pos/v1/orders/{id}/payments/{id}/void — void payment
  • POST /pos/v1/orders/{id}/payments/{id}/refunds — issue refund