v7.25.0 — June 2026

Released: June 2026

Realtime Earn API (V2)

Per-Transaction Identifiers in Response

The V2 batch transaction API now returns a request_id for every transaction submitted in a batch. This server-assigned identifier can be used for support tracing and cross-referencing with the polling API.

Polling API — Status Breakdown

The polling API now returns a full status breakdown for a submitted batch:

| Status | Meaning |
| --- | --- |
| Success | Transaction processed and points awarded |
| Pending | Transaction queued, awaiting rule engine evaluation |
| Failed | Transaction rejected — duplicate idempotency key or processing error |
| On Hold | Transaction flagged by fraud prevention — awaiting admin review |
| Partial On Hold | One or more rule groups are on hold (time-bound rule or fraud detection on a specific group); remaining groups processed normally |

The polling response also includes the total points awarded for each transaction across all applicable rule groups.

Authentication & Security

SAML 2.0 SSO

Enterprise programs can now enable SAML 2.0 Single Sign-On as an alternative to password-based login:
  • Supported identity providers: Okta and Microsoft Azure AD
  • Users are redirected to the IdP for authentication; Loyalife issues a session token after successful SAML verification
  • Disabling the SAML SSO toggle immediately reverts all logins to standard username/password
  • LDAP authentication continues to work when SAML is concurrently enabled
  • MFA is compatible with both SAML and LDAP flows

Custom Subdomain Hosting

Each program can be hosted on a dedicated custom subdomain instead of the shared default domain:
  • Custom subdomains are provisioned through Program Settings → Program Details
  • The subdomain URL is preserved across Login, Forgot/Reset/Setup Password flows, and all system-generated emails
  • Programs with SSO enabled cannot change their subdomain after configuration
  • Linked programs inherit the primary program’s subdomain and logo

API Credential Management

Multiple Client ID and Client Secret pairs can now be generated per program:
  • Module-level API keys support Read or Write access scopes
  • Default credential expiry: 90 days; custom expiry can be set up to a maximum of 2 years
  • The credential listing shows Expiring Soon and Expired status badges
  • Automated email notifications are sent at: credential generation, revocation, 7 days before expiry, 1 day before expiry, and on the expiry day

VAPT 2026 Security Hardening

All vulnerabilities from the 2026 security audit have been resolved:
  • SQL Injection (High): Member search now uses parameterised queries; free-text input is rejected for all search parameters
  • IDOR — Profile Disclosure (Medium): Profile endpoint enforces server-side authorisation; cross-user access returns HTTP 403
  • Session Hijacking (Medium): All active sessions and refresh tokens are invalidated on successful password reset
  • CAPTCHA Misconfiguration (Medium): Password reset endpoint now validates CAPTCHA server-side with per-IP and per-email rate limiting; expired tokens are rejected; abuse returns HTTP 429
  • PII Masking (Low): Phone numbers and email addresses in member API responses are now masked at the serialiser layer
  • Secure Media Access: Media files are now served via encrypted proxy URLs instead of raw storage URLs; direct storage access is blocked
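
The password-reset hardening described in the CAPTCHA Misconfiguration item can be sketched as a server-side gate. This is an added example, not Loyalife's code: the class name, thresholds, window length, the 400 and 202 statuses and the verify_captcha callable are assumptions, and "expired tokens" is read here as expired CAPTCHA tokens.

```python
import time
from collections import defaultdict, deque

# Assumed limits: the release note gives no thresholds or window length.
WINDOW_SECONDS = 900
MAX_PER_IP = 5
MAX_PER_EMAIL = 3


class ResetGuard:
    """Server-side gate in front of a password-reset request handler."""

    def __init__(self, verify_captcha, clock=time.time):
        # verify_captcha(token) -> expiry timestamp, or None if the token is
        # unknown or forged. Hypothetical stand-in for the CAPTCHA provider.
        self._verify = verify_captcha
        self._clock = clock
        self._hits = defaultdict(deque)  # (kind, value) -> attempt timestamps

    def _over_limit(self, key, limit, now):
        q = self._hits[key]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()  # drop attempts that left the sliding window
        if len(q) <= limit:
            q.append(now)  # cap at limit + 1 entries so abuse cannot grow memory
        return len(q) > limit

    def check(self, ip, email, captcha_token):
        """Return the HTTP status the endpoint should answer with."""
        now = self._clock()
        # Count the attempt against both keys before any other work, so failed
        # CAPTCHA attempts also consume quota and neither counter is skipped.
        ip_over = self._over_limit(("ip", ip), MAX_PER_IP, now)
        email_over = self._over_limit(
            ("email", email.strip().lower()), MAX_PER_EMAIL, now)
        if ip_over or email_over:
            return 429  # status named in the release note for abuse
        expiry = self._verify(captcha_token)
        if expiry is None or expiry <= now:
            return 400  # assumed status for a forged or expired CAPTCHA token
        return 202  # assumed status; identical whether or not the email exists
```

Normalising the email before keying the counter keeps case or whitespace variants of one address from each getting a fresh quota.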

Campaigns

Push Notifications in Campaigns

Push Notification is now a first-class delivery channel in the Campaign module alongside Email, SMS, and WhatsApp:
  • Supported campaign types: Promotional, Occasion Reward, and Reward to Members
  • Campaigns link to a push notification template from the Communication module
  • Campaign performance metrics show: Total Sent, Success, and Failed counts per notification
  • Notifications are delivered after the campaign cron executes

Rule-Based Campaigns

A new Campaigns (Rule Based) module is available, controlled by a program-level feature flag:
  • When enabled, rule-based campaigns appear in the Campaign module
  • The toggle is independent of the standard Campaigns module and defaults to OFF
  • Maker-Checker support for rule-based campaigns will be added in a future release

Communications

Push Notifications as a Channel

Push Notification is now a 4th delivery channel in the Communication module:
  • Title: up to 50 characters
  • Body: up to 120 characters, supports {{variables}} for personalisation
  • Redirect to screen: optional deep-link target for the in-app screen that opens on tap
  • A live iPhone lock screen preview is shown in real time while composing
  • Test notifications can be sent to a registered member’s device by phone number

Notification Event Name Updates

Legacy notification event names have been updated to clean, Loyalife-branded names. The lbms_ prefix has been removed from all event names, and the Giift brand name has been replaced with Loyalife throughout. Existing client-customised templates are not affected by this change.

Segments

Smart Segment and Manual Segment Creation Paths

The segment creation flow now offers two distinct paths:
  • Smart Segment — filter-based, with support for Select All Members (static) or attribute-based filters. Segment name auto-populates; duplicate names are blocked; 100-character name limit applies
  • Manual Segment — CSV upload with append or replace mode; 100-character name limit applies

Segment Listing Enhancements

  • Search by segment name from the listing page
  • Segment names are clickable hyperlinks
  • A Linked Campaigns column shows how many campaigns are associated with each segment

Attribute Visibility Controls

A dedicated Attribute Flags section is available in Feature Flags for segments:
  • 15 system attributes (across Member and Transaction categories) can be individually or bulk enabled/disabled
  • Disabling a system attribute hides it from the segment filter in the creation flow
  • Custom member and transaction attributes include an Include in Segment Filter checkbox, available at creation time and via Edit
  • Segment creation supports a mix of system and custom attributes without conflict

Rule Engine

“Is Multiple Of” Operator

A new Is Multiple Of operator is available in Rule Engine conditions for aggregate attributes:
  • Applies to aggregate transaction count attributes
  • Enables milestone-based rules such as “every Nth transaction earns a bonus”
  • Example: Monthly Transaction Count is multiple of 10 → award 100 bonus points

Attribute-to-Attribute Date Comparison

Rule conditions can now compare two date-type attributes against each other:
  • Example: Transaction Date [Day of Month] equals Date of Birth [Day of Month]
  • Self-comparisons and comparisons between incompatible data types are prevented
  • Date-type fields are auto-locked in the comparison selector to enforce valid pairings

Time Input for Transaction Date

The Transaction Date attribute in Rule Engine and Campaign Rules now includes a time picker (HH:MM, 24-hour format):
  • Default time is 00:00 if not set
  • The combined value is stored as MM/DD/YYYY HH:MM
  • For Between operators, each date boundary has its own time selector
  • Existing date-only rules are backward compatible — treated as 00:00

Reports

AG Grid Search & Filter in Custom Reports

Custom Reports now use AG Grid for real-time client-side search and filtering of CSV data:
  • Column headers are auto-detected from the CSV — no configuration required
  • Filter types are auto-assigned: text filter for strings, number filter for numerics, date filter for dates
  • Global search operates across all columns; column-level filters apply on top with AND logic
  • Multi-column filtering and filter reset are supported
  • Sorting available for string, numeric, and date columns
  • Pagination: 50, 100, 500, or 1,000 rows per page
  • Filtered CSV export — export only the rows matching your current filter state

Custom reports now include clickable View Segment and View Campaign links that navigate directly to the relevant module detail page.

Approval Workflow

Summary Counters

The Approval Workflow page now displays a summary section with real-time request counts:

| Counter | Meaning |
| --- | --- |
| Pending Requests | Requests pending with Checker + pending with Approver |
| Total Verified | Requests verified by the Checker role |
| Total Approved | Requests approved by the Approver (including direct approvals) |
| Total Rejected | Requests rejected by either Checker or Approver |

Counters update in real time as requests move through the workflow. Counts are role-level and module-specific.

API

LocalAttributes in GetTransactionSummary

The getTransactionSummary API response now includes a LocalAttributes object for transaction_type=1 (accrual) transactions:
  • All custom transaction attribute data types are returned: Int, String, Selection, Date, Float
  • For debit transaction types, LocalAttributes returns blank — no custom attribute data is populated
  • All other existing behaviour of the API is unchanged

UI & Navigation

  • Sidebar collapsible toggle: The left navigation sidebar now supports collapsing to icon-only mode. Hovering shows a tooltip label. Collapse state persists across sessions
  • Program logo in top header: The program logo dynamically reflects the currently active program
  • Linked program switcher: Accounts managing multiple programs can switch between them from the top header
  • Admin login screen responsive: The Admin Login screen is now responsive on Android and iOS mobile browsers in both portrait and landscape orientations
  • Superset Dashboard on Loyalty Overview: The Loyalty Overview page now displays the most recently created or updated Superset Dashboard; visibility can be toggled per program