Nofert API v1.4 — 73 Endpoints, Messaging, GDPR & Security Audit R12

Herolind
February 27, 2026
#API #v1.4 #Mobile App #GDPR #Security #Update

We're pleased to announce Nofert API v1.4, expanding from 65 to 73 fully documented endpoints. This release focuses on three key areas: in-app messaging, GDPR compliance, and security hardening — all critical for mobile app readiness.

New Endpoints

Account Deletion (GDPR / App Store Compliance)

  • DELETE /api/v1/user — Full account deletion flow. Requires password verification, checks for active orders before proceeding, anonymizes all personal data, revokes API tokens, and soft-deletes the account. This satisfies both GDPR right-to-erasure requirements and Apple App Store / Google Play mandatory account deletion policies.
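The deletion flow above is a sequence of guarded steps whose order matters: re-authenticate, refuse while orders are in flight, anonymise, revoke tokens, then soft-delete. The following is an added illustration written for this post, not Nofert's own implementation; the `User` model, its field names, the in-memory store and the PBKDF2 password hashing are all assumptions chosen so the example runs offline.

```python
# Added example (not Nofert's code): a server-side sketch of the
# DELETE /api/v1/user flow from the release notes. The data model,
# field names and hashing scheme are assumptions; everything is held
# in memory so the example runs without a database.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Tracking steps named in the notes; "delivered" is terminal, the rest block deletion.
ACTIVE_ORDER_STATUSES = {"placed", "processing", "shipped"}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class User:
    id: int
    email: str
    name: str
    salt: bytes
    password_hash: bytes
    api_tokens: set[str] = field(default_factory=set)
    orders: list[dict] = field(default_factory=list)  # {"number": str, "status": str}
    deleted_at: datetime | None = None


class DeletionError(Exception):
    """A precondition of the deletion flow failed; nothing was changed."""


def delete_account(user: User, password: str) -> User:
    if user.deleted_at is not None:
        raise DeletionError("account already deleted")
    # 1. Re-authenticate: possession of a session or API token alone is not enough.
    candidate = hash_password(password, user.salt)
    if not hmac.compare_digest(candidate, user.password_hash):
        raise DeletionError("password verification failed")
    # 2. Refuse while any order is still in progress.
    active = [o["number"] for o in user.orders if o["status"] in ACTIVE_ORDER_STATUSES]
    if active:
        raise DeletionError(f"active orders must complete first: {active}")
    # 3. Anonymise personal data; the row stays so order history keeps its foreign keys.
    user.email = f"deleted-{user.id}@anonymized.invalid"
    user.name = "Deleted User"
    user.password_hash = b""
    # 4. Revoke every API token so existing mobile sessions stop working immediately.
    user.api_tokens.clear()
    # 5. Soft-delete: records the erasure date; a hard purge can follow a retention window.
    user.deleted_at = datetime.now(timezone.utc)
    return user


def make_user(password: str, orders: list[dict]) -> User:
    """Constructed sample user for demonstration."""
    salt = secrets.token_bytes(16)
    return User(id=42, email="alice@example.com", name="Alice", salt=salt,
                password_hash=hash_password(password, salt),
                api_tokens={"tok-mobile", "tok-web"}, orders=orders)


if __name__ == "__main__":
    u = make_user("correct horse", [{"number": "A1", "status": "delivered"}])
    print(delete_account(u, "correct horse").email)
```

The guards run before any mutation, so a failed password check or a blocked order leaves the account untouched; in a real service the anonymisation, token revocation and soft-delete would also sit inside one transaction.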

Invoice & Order Tracking

  • GET /api/v1/user/orders/{orderNumber}/invoice — Returns complete invoice data as JSON: shipping address, line items with variant details, store information, tax breakdowns, and discount summaries. Perfect for rendering invoices natively in mobile apps or generating PDFs client-side.
  • GET /api/v1/user/orders/{orderNumber}/tracking — Order tracking timeline with status steps (placed, processing, shipped, delivered), timestamps for each transition, plus tracking number and carrier information when available.

In-App Messaging

  • GET /api/v1/user/messages — List all conversations with the latest message per chat partner, unread counts, and user details.
  • GET /api/v1/user/messages/{userId} — Full chat history with a specific user. Supports ?after= parameter for efficient polling of new messages without re-fetching the entire thread.
  • POST /api/v1/user/messages/{userId} — Send a message with optional file attachments. Supports buyer-to-vendor and vendor-to-buyer communication.
  • POST /api/v1/user/messages/{userId}/typing — Typing indicator with a 30-second TTL. Enables real-time "user is typing..." UI in mobile apps.

Enhanced Order Actions

  • POST /api/v1/user/orders/{orderNumber}/cancel and POST /api/v1/user/orders/{orderNumber}/return — These endpoints now trigger vendor notifications, ensuring sellers are immediately informed when a buyer cancels an order or requests a return.

8 New Notification Classes

Alongside the new endpoints, we've added 8 notification classes to keep all parties informed:

  • Vendors receive notifications for new reviews, product questions, order cancellations, and return requests
  • Admins receive notifications for new support tickets and payout requests
  • Users receive security alerts on password changes

This brings the total to 36 notification types across the platform.

Security Audit R12

Our 12th security audit addressed 8 additional issues:

  • Timing attack protection — Constant-time comparison for sensitive token and credential checks
  • CSV injection prevention — Export data is sanitized to prevent formula injection in spreadsheet applications
  • Cryptographically secure order numbers — Order numbers are now generated with a CSPRNG to prevent enumeration
  • Plus 5 additional hardening fixes across authentication, input validation, and data handling
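The three named fixes are each a small, well-understood piece of hardening. The block below is an added example written for this post to show what each looks like in practice; it is not Nofert's code, and the order-number format (a `NF-` prefix plus ten characters from a 32-symbol alphabet) and the sample export rows are assumptions.

```python
# Added example (not Nofert's code): defender-side implementations of the
# three Audit R12 items named above. Order-number format and sample data
# are assumptions constructed for illustration.
import csv
import hmac
import io
import secrets


def tokens_match(presented: str, stored: str) -> bool:
    # hmac.compare_digest takes the same time regardless of where the inputs
    # first differ, so response latency leaks nothing about the stored secret.
    return hmac.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))


# Leading characters that spreadsheet applications treat as the start of a
# formula (or that break the cell), even when the field is quoted.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def csv_safe(value) -> str:
    # Only user-controlled strings need neutralising; genuine numeric types are
    # safe, and prefixing them would turn legitimate negatives into text.
    if not isinstance(value, str):
        return str(value)
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value  # a leading apostrophe forces the cell to be text
    return value


def export_rows(header: list[str], rows: list[list]) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([csv_safe(cell) for cell in row])
    return buf.getvalue()


# 32 symbols (I, O, 0, 1 dropped to avoid confusion): 5 bits per character.
ORDER_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ORDER_LENGTH = 10  # 50 bits of entropy; a neighbour's number reveals nothing about yours


def new_order_number(prefix: str = "NF") -> str:
    # secrets draws from the OS CSPRNG, unlike sequential ids or random.choice.
    body = "".join(secrets.choice(ORDER_ALPHABET) for _ in range(ORDER_LENGTH))
    return f"{prefix}-{body}"


if __name__ == "__main__":
    # Constructed sample export: a vendor name that starts like a formula.
    print(export_rows(["vendor", "total"], [["=HYPERLINK(\"x\")", 12.5], ["Acme", -3]]))
    print(new_order_number())
```

Sequential order numbers let anyone walk `/user/orders/{orderNumber}/invoice` by incrementing; the authorisation check on that endpoint is still the primary control, and unguessable numbers are the second layer.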

By the Numbers

  • 73 API endpoints (up from 65)
  • 12 completed security audits
  • 36 notification types
  • 141+ total security fixes applied

Documentation

Full API documentation with curl examples for all 73 endpoints is available at /api/docs. The OpenAPI 3.0 specification can be found at /api/docs.json for importing into Postman, Insomnia, or Swagger UI.

What's Next

With messaging, GDPR compliance, and invoice/tracking support now in place, the API is fully ready for native iOS and Android app development. We continue to iterate based on developer feedback — reach out through our support system with any questions or suggestions.
