API Changelog

Public-API changes since v1.0. Breaking changes (red) are announced at least 90 days in advance via the developer-portal banner. Bug fixes (green) and performance work (yellow) ship continuously. Deprecations (purple) keep the old endpoint alive for at least one release after the new one lands. See the full reference for endpoint details.

v1.14 — trust system + cross-device + buy now 2026-05-07 feature

Trust system part 1 (verification). Public lookup at GET /api/verify/{code} + HTML pages GET /verify, GET /verify/{code}, plus GET /help/verify-photo. Each protected listing carries a 6–8 char watermark code; anyone can verify the code's origin without logging in.
Cross-device scan sessions. New router under /api/scan-sessions/*: POST / (create), GET /{id}, GET /{id}/sse, POST /{id}/claim, POST /{id}/upload-photo, POST /{id}/results, POST /{id}/complete, GET /{id}/qr.png. Bridges desktop browser ↔ phone camera with a QR + claim-token, no phone login needed. Uploaded photos are auto-rotated +90° CW and stripped of EXIF.
Buy now. POST /api/listings/{id}/buy-now — instant purchase without bidding. Returns {transaction_id, redirect_url, amount, buyer_total, handling_fee}. Errors out cleanly on self-buy, sold/expired, or buy-now-disabled listings.
Listing renewal. POST /api/listings/{id}/renew (auth, owner) extends expiry by 30 days. Token-based one-click landing at GET /listing-renewal/{token} for renewal-reminder emails.
Fee preview. GET /api/listings/fee-preview?price=…&image_protection=… — public, real-time payout calculator for the listing-create form.
Privacy toggle. POST /me/privacy with {is_collection_public} — controls whether a user's collection grid + portfolio value are visible on their public profile.
Reputation alias. GET /api/reputation/{username} — short public path; same payload as /api/users/{username}/reputation.
Recognition rotation-fallback. POST /api/cards/recognize now retries with -90° / 180° / +90° rotations when the first pass returns low or conflict; the chosen rotation is reported back as candidates[0].rotation_used.
Scan PWA. GET /scan-pwa + GET /scan-pwa/review — installable PWA wrapping getUserMedia + the recognise endpoint, with a bulk review screen.
Developer docs gating. /docs now hides admin-only endpoints from non-admin visitors entirely (no markup leak); admin sections render only when the session belongs to jeffreyplv or is_admin=true.

API audit + bug-fix sweep 2026-05-07 fix perf

GET /api/market-movers — replaced 600 k-row nested-aggregate SQL with a price_analysis-backed query and 10 min cache. ~1500x faster (60 s → 40 ms).
GET /api/market/trending-predictions — fixed 500 when card_prices.market_price was NULL (added IS NOT NULL filter on the regression input).
GET /api/messages/threads — fixed 500 from a missing sqlalchemy.text import.
GET /dl/{token}/{filename} and PATCH /admin/api-keys/{key_id} — fixed 500 caused by HTTPException not being imported at module scope in app/main.py.
New: GET /dev on the main site now 301-redirects to the developer portal. The lang-redirect middleware no longer rewrites /dev to /{lang}/dev.
Documentation rewrite — /docs now covers every routed endpoint, with three runnable examples per endpoint (curl, JS fetch, Python requests).

Status page + push notifications 2026-05-06 feature

New router app/routers/status_page.py: GET /api/status/checks and GET /api/status/incidents. Driven by the new status_checks table populated every 60 s by cardvault-status-probe.
SSE feed GET /admin/status/stream for the in-house ops dashboard.
FCM push: POST /api/devices/register + DELETE /api/devices/register. Push fan-out wired into the alert / bid / message notify path.
Mobile app version manifest at GET /api/app/latest; admin-only POST /api/admin/app/version publishes new releases.
Account-deletion now uses a 24 h soft cooldown (POST /auth/account/delete-request) before DELETE /auth/account.

Card recognition GA 2026-05-05 feature

POST /api/cards/recognize — full pipeline (Canny → perspective correct → 1,728-dim FAISS embedding lookup over 80 k cards → Tesseract OCR → weighted scoring).
POST /api/cards/recognize/confirm — confirmed scans are appended to static/confirmed_scans/{tcg}/{card_id}/ for self-learning.
POST /api/cards/detect-edges — edge-only pre-flight for the mobile camera UI.
Tier gating: session cookie ⇒ unlimited; API keys need Starter+ with daily quotas (10 / 100 / 500 / ∞ for Starter / Pro / Business / Unlimited).
Image-quality module: every recognise response now includes capture_quality with verdict ∈ likely_real | suspicious | likely_fake | needs_manual_review.

Marketplace + transactions + reputation 2026-05-04 feature

New routers: app/routers/transactions.py and app/routers/moderation.py.
Bids: POST /seller/listings/{id}/bid, POST .../bids/{bid_id}/accept, GET .../bids.
Transaction lifecycle endpoints: buys / sales / all, /status, /tracking, /shipping, /rating.
Public seller reputation: GET /api/users/{username}/reputation.
Reports / blocks: POST /api/reports, POST /api/blocks/{user_id}, plus admin-side resolve/dismiss.

Price intelligence v1 2026-05-03 feature

Cross-source correlation engine: combines Cardmarket, CardTrader, TCGPlayer, eBay sold and other sources into a single confidence-weighted price per (card, condition, language, foil).
Endpoints: /api/price-intelligence/card/{id}, .../sources, .../history, .../compare, .../search, .../sources (platform list), .../stats, .../fx/rate.
Admin: POST /api/price-intelligence/correlate and .../correlate/{card_id}; POST .../fx/update.

Market Radar dashboard data 2026-05-02 feature perf

GET /api/market/movers — top gainers / losers / most-volatile from the price_analysis table.
GET /api/market/overview, /api/market/stats, /api/market/best-deals, /api/market/radar-stats, /api/market/active-sellers.
Redis-backed shared cache across all 8 Gunicorn workers; warmed on startup. Median p99 dropped from 1.9-4.4 s to ~4 ms post-warm.

Stash Score + predictions + portfolio analytics 2026-05-01 feature

GET /api/cards/{card_id}/stash-score — composite 0-100 collectability signal (price momentum, rarity, liquidity, source agreement).
GET /api/cards/{card_id}/predict — linear-regression forecast 30 d ahead with low/medium/high confidence buckets.
GET /api/market/trending-predictions — top rising cards by slope.
Portfolio analytics: /api/collection/analytics, /api/collection/stats, /api/collection/top10, /api/collection/set-completion, /api/collection/suggested-actions.

Notifications + decks + forum 2026-04-28 feature

Unified notification feed: GET /api/notifications/feed, .../unread-count, .../{id}/read, .../read-all.
Decks router: 13 endpoints covering create/clone/value/legality/import-text.
Forum router: 8 endpoints (categories, threads, replies, announcements, admin delete).
Private messages: GET /api/messages aliases messages ↔ items for backwards compatibility.

API keys, tiers + dev portal 2026-04-20 feature

Standalone developer portal at developer.collectorstashmarket.com (port 8001, separate gunicorn).
Self-service key management: /api/keys/, /api/developer/info, /api/developer/key.
Five tiers: Free, Starter, Pro, Business, Unlimited — with daily / per-minute / key-count limits and a recognition quota.
Bearer / X-API-Key / query-param auth modes.

Wishlists, alerts, digests 2026-04-12 feature

POST /alerts with target price & above/below trigger.
Daily digest email via cardvault-digest.timer; manual fire via POST /alerts/digest-now.
Wishlist with optional max_price for per-card alert composition.

Marketplace launch 2026-04-01 feature

Sellers: POST /seller/become, PUT /seller/profile/extended.
Listings CRUD with photos, condition, accepts-offers flag.
Cardmarket and TCGPlayer CSV import endpoints.

Twelve TCG coverage + collection 2026-03 feature

Card data added for Pokémon, MTG, Yu-Gi-Oh!, One Piece, Lorcana, Flesh and Blood, Digimon, Star Wars Unlimited, Grand Archive, Dragon Ball Super, Riftbound, KeyForge.
Collection endpoints with quantity, condition, variants, grading metadata, CSV import/export.
Cross-TCG search at /api/search with typed filters.

API v1.0 2026-01 launch

Initial release of the catalogue (TCGs, sets, cards), prices, and price-history endpoints.
Auth via session cookie; HTML pages served from the same origin.
Cross-source price comparison: GET /api/cards/{card_id}/prices.
Marketplace URL generation: GET /api/cards/{card_id}/marketplace-urls.
Pokémon evolution chains: GET /api/cards/{card_id}/evolution-chain.