Release Version 4.37.0 (June 12, 2025)

12. 06. 2025

Pre-deployment steps

To be done before deployment

Check configuration changes and apply them in application.yaml if the default configuration has been overridden there.

Check if the release contains migrations. Migrations can affect deployment and downtime.

Use GET /i18n/export/{fileName} to download files with the current i18n properties. Check if the downloaded file is correct.

Post-deployment steps

To be done after deployment

Verify permission changes and assign or remove required permissions if they have been overridden.

Add new properties from the I18n properties changes to the downloaded i18n properties file, and add translation for them if needed.

Use POST /i18n/import to upload and apply a previously downloaded i18n file with added new properties.

Release migrations

Changes to notice

SecurityDTO is expanded, which affected some endpoints (check API changes).

It is recommended to use a new request parameter twoFactorAuthStatus instead of twoFactorsAuthEnabled.

Parameter twoFactorsAuthEnabled will be removed from requests and responses with SecurityDTO in version 4.38.0.

The new twoFactorAuthStatus parameter is an enum (ENABLED, DISABLED, SETUP_INITIATED).

Also, a new property has been introduced to the SecurityDTO – the twoFactorAuthType with OTP and TOTP values.

These are optional parameters. If twoFactorAuthType is not present in the request, it will be replaced with OTP by default.

A new mandatory field serial was added to the API POST /v1/merchant-payments: the merchant wallet to which the payment will be received.

New functionality

Feature

Description

Benefits

Ability to use TOTP (Time-based One-time Password) to confirm login.

Implemented APIs to enable TOTP and use it to confirm login.

Add an extra layer of protection to user authentication.

Ability for business users to see the current contract with the monthly fee and selling points.

Current contract information is returned in the APIs to get the user profile:

  • GET /profiles/my

  • GET /profiles/{userId}

Improve user experience.

Ability for merchants to create merchant payment without specifying a payment instrument and specify to which wallet payment should be received.

Changed API POST /merchant-payments to create merchant payment.

Provide greater flexibility for both merchants and payers.

Ability to specify a payment instrument while paying for the merchant payment.

Changed API POST /merchant-payments/{identifier}/execute to pay for merchant payment.

Payment link and QR are generated for merchant payment when it is created.

Payment link and QR are generated for merchant payment when it is created and returned in the API POST /merchant-payments/view to view merchant payments list.

Ability to validate card number.

Implemented API to validate card number using the Cybersource integration.

Enable card number validation without initiating a payment.

When AUTHENTICATION_SUCCESSFUL status is returned in POST /risk/v1/authentications, payment is processed without 3DS authentication.

Implemented additional Cybersource flow to process payment without 3DS.

Support Cybersource flow when 3DS is not required.

Ability for user to specify the billing address for payment processing.

The following optional parameters were added to the API POST /gate/transactions/{tx}/submit.

These parameters should be passed in the section fields:

  • firstName

  • lastName

  • email

  • phoneNumber

  • country

  • locality

  • address1

  • postalCode

These parameters are then passed to the following Cybersource APIs:

  • POST /risk/v1/authentications

  • POST /pts/v2/payments

Support Cybersource payment processing requirements by allowing users to fill in mandatory billing address fields.

Improvements

Feature

Description

Values for KYC status in the Clients list and in the filter drop-down have been aligned.

KYC status can have one of the following values:

  • Waiting for documents

  • Need approval

  • Approved

  • Declined

  • Compliance review required (Review required)

  • Closed

Implement the ability to switch on test mode for Cybersource integration.

Enabling this ability allows testing end-to-end flow for all possible authentication statuses.

When test mode is enabled, hardcoded device data is passed by the back-end, and with this data Cybersource response is aligned with the expected test data result.

returnUrl for Cybersource integration is generated on the back-end.

returnUrl is generated on the back-end, and when a callback from Cybersource to this URL is received, the back-end responds with HTML, so that the front-end can show the user that the 3DS challenge is complete.

Fixes

No errorMessage in transaction details when the transaction was rejected because the transfer limit was exceeded.

Filter by gateProviderId doesn’t work properly in POST /transactions/view.

API changes

Updated

POST /authorization

Enum for action property in AuthorizationResp is extended with new value: TOTP_REQUIRED

Response:

{
  "action": "TOTP_REQUIRED"
}

will be returned if the user has 2FA TOTP enabled, and in this case, API POST /authorization/totp should be used to confirm authorisation.

The following APIs are affected by the SecurityDTO change:

  • in request

1. Profile management by owner
patch: /v1/profiles/my/security-settings
2. Profile management by service role
patch: /v1/profiles/{userId}/security-settings

  • in response

1. Profile management by owner
get: /v1/profiles/my
patch: /v1/profiles/my/additional
put: /v1/profiles/my/additional
patch: /v1/profiles/my/address
put: /v1/profiles/my/address
patch: /v1/profiles/my/business
post: /v1/profiles/my/contact/confirm
patch: /v1/profiles/my/person
put: /v1/profiles/my/person
patch: /v1/profiles/my/security-settings
2. Profile - customer identification (KYC)
post: /v1/profiles/{userId}/approve
post: /v1/profiles/{userId}/decline
post: /v1/profiles/{userId}/reset
patch: /v1/profiles/{userId}
3. Profile management by service role
get: /v1/profiles/{userId}
patch: /v1/profiles/{userId}/additional
put: /v1/profiles/{userId}/additional
patch: /v1/profiles/{userId}/address
put: /v1/profiles/{userId}/address
patch: /v1/profiles/{userId}/integration
patch: /v1/profiles/{userId}/business
patch: /v1/profiles/{userId}/contact
patch: /v1/profiles/{userId}/person
patch: /v1/profiles/{userId}/security-settings

New optional parameters added to SecurityDto:

  1. twoFactorAuthStatus – Enum (ENABLED, DISABLED, SETUP_INITIATED)

  2. twoFactorAuthType – Enum (OTP, TOTP)

  3. totpSecret – String which will be present in response if 2FA status is SETUP_INITIATED

Also, twoFactorsAuthEnabled parameter is no longer required as it is recommended to use the new parameters instead.

If twoFactorsAuthEnabled parameter is present in the request, new parameters from the request will be ignored (legacy parameter has higher priority).

For now twoFactorsAuthEnabled will still be present in responses, along with new parameters, but it will show only the state of OTP 2FA (true/false).

twoFactorsAuthEnabled will be removed from the request/response in the next version.

If twoFactorAuthType is not present in the request, it will be replaced with OTP by default.
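
The precedence rules above can silently change what a client asked for: a body that still carries twoFactorsAuthEnabled has its new parameters ignored, and a body without twoFactorAuthType gets OTP. The following is an added example, not code from the product; the function names and sample bodies are constructed, and the fallback for responses without the new fields is an assumption. It lints a security-settings request before it is sent and reads the 2FA state from a SecurityDTO response without relying on the legacy flag.

```python
# Added example: field names and enum values come from the release notes;
# function names and sample bodies are constructed for illustration.
LEGACY = "twoFactorsAuthEnabled"
STATUSES = {"ENABLED", "DISABLED", "SETUP_INITIATED"}
TYPES = {"OTP", "TOTP"}


def lint_security_request(body):
    """Return findings for a security-settings PATCH body before it is sent."""
    findings = []
    new_fields = [k for k in ("twoFactorAuthStatus", "twoFactorAuthType") if k in body]
    if LEGACY in body and new_fields:
        # Per the notes, the legacy flag wins and the new parameters are ignored.
        findings.append("ignored:" + ",".join(new_fields))
    if LEGACY in body:
        findings.append("deprecated:" + LEGACY)
    status = body.get("twoFactorAuthStatus")
    if status is not None and status not in STATUSES:
        findings.append("invalid-status:" + str(status))
    auth_type = body.get("twoFactorAuthType")
    if auth_type is not None and auth_type not in TYPES:
        findings.append("invalid-type:" + str(auth_type))
    if "twoFactorAuthStatus" in body and "twoFactorAuthType" not in body and LEGACY not in body:
        # An omitted type is replaced with OTP, which a TOTP client did not intend.
        findings.append("type-defaults-to:OTP")
    return findings


def read_two_factor_state(security):
    """Return (status, type) from a SecurityDTO response, preferring the new fields."""
    if "twoFactorAuthStatus" in security:
        return security["twoFactorAuthStatus"], security.get("twoFactorAuthType")
    # Assumption: a response without the new fields comes from a pre-4.37.0
    # back-end, where the legacy boolean is the only 2FA state available.
    return ("ENABLED" if security.get(LEGACY) else "DISABLED"), "OTP"


# Constructed sample: a client that still sends the legacy flag while enabling TOTP.
MIXED_REQUEST = {LEGACY: False, "twoFactorAuthStatus": "ENABLED", "twoFactorAuthType": "TOTP"}
# Constructed sample: a response for a TOTP user; the legacy flag reflects OTP only.
TOTP_RESPONSE = {LEGACY: False, "twoFactorAuthStatus": "ENABLED", "twoFactorAuthType": "TOTP"}

if __name__ == "__main__":
    print(lint_security_request(MIXED_REQUEST))
    print(read_two_factor_state(TOTP_RESPONSE))
```

A client that only checks twoFactorsAuthEnabled would report the TOTP_RESPONSE user as having no second factor, which is why the reader prefers the new fields.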

Below is how the new statuses will be used in the two-factor authentication (OTP or TOTP) process:

GET /profiles/my

GET /profiles/{userId}

Added contract object to memberships to provide contract details

POST /transactions/view
Changed filterType from GateMerchantPaymentTransactionFilterDto to GateTransactionFilterDto

POST /merchant-payments

  • Section paymentInstrument was removed

  • New mandatory field serial was added

POST /merchant-payments/{identifier}/calculate

POST /merchant-payments/{identifier}/execute

  • Section paymentInstrument was added with the following parameters

    • instrumentType – possible values – COIN/CASH/SMART_CARD

    • value – wallet serial number in case of COIN, smartcard number in case of SMART_CARD

  • If CASH is passed as paymentInstrument.instrumentType in API POST /merchant-payments/{identifier}/calculate – commission will be calculated as 0.

  • If CASH is passed as paymentInstrument.instrumentType in API POST /merchant-payments/{identifier}/execute – 400 error is returned (payment by cash will be supported in future versions).

  • If COIN/SMART_CARD is passed as paymentInstrument.instrumentType in API POST /merchant-payments/{identifier}/execute – payment will be processed.

  • If payer wallet currency is different from the merchant payment currency and/or the exchange rate is not set – 400 error exception.coin.different_currencies will be returned.

POST /merchant-payments

POST /merchant-payments/view

POST /merchant-payments/execute

The following fields were added to the response:

  • qrCodeMediaFileId

  • qrCodeMediaFileLink

  • paymentLink

POST /gate/transactions/{tx}/authenticate

returnUrl is returned from the request

Added

POST /authorization/totp

PATCH /authentication/users/{userId}/totp (API will be changed in the 4.38.0 version)

GET /merchant-payments/{identifier}

POST /gate-providers/{gateProviderId}/validate-card-number

Deprecated/Deleted

I18n properties changes

Added

Changed

UK:

notification.registration_invoice_invite.confirm.email_text=A new invoice has been issued for you. To pay it, please register in our system using either the mobile app or the web version.

EN:

notification.registration_invoice_invite.confirm.email_text=A new invoice has been issued for you. To pay it, please register in our system using either the mobile app or the web version.

AR:

notification.registration_invoice_invite.confirm.email_text=تم إصدار فاتورة جديدة لك. لسدادها، يُرجى التسجيل في نظامنا باستخدام تطبيق الهاتف المحمول أو نسخة الويب.

Configuration changes

The following parameter was added to application-cybersource-integration.yml file:

cybersource:
  integration:
    testModeEnabled: false

Added:

cors:
  allowed-origin-patterns:
    - "*"
x-frame-options:
  allowed-for-patterns:
    - "/callback/cybersource-gate"

If allowed-origin-patterns are configured, they take priority over allowed-origins.
To allow X-Frame-Options for some resources, add a URL pattern to x-frame-options.allowed-for-patterns.

Database changes

Permission changes