# v7.25.0 — June 2026

> Loyalife v7.25.0 ships realtime V2 earn API improvements, SAML SSO, push notifications in campaigns, segment redesign, AG Grid custom reports, rule engine operators, and security hardening.

**Released:** June 2026

## Realtime Earn API (V2)

### Per-Transaction Identifiers in Response

The V2 batch transaction API now returns a `request_id` for every transaction submitted in a batch. This server-assigned identifier can be used for support tracing and cross-referencing with the polling API.

### Polling API — Status Breakdown

The polling API now returns a full status breakdown for a submitted batch:

| Status              | Meaning                                                                                                                           |
| ------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| **Success**         | Transaction processed and points awarded                                                                                          |
| **Pending**         | Transaction queued, awaiting rule engine evaluation                                                                               |
| **Failed**          | Transaction rejected — duplicate idempotency key or processing error                                                              |
| **On Hold**         | Transaction flagged by fraud prevention — awaiting admin review                                                                   |
| **Partial On Hold** | One or more rule groups are on hold (time-bound rule or fraud detection on a specific group); remaining groups processed normally |

The polling response also includes the **total points awarded** for each transaction across all applicable rule groups.

***

## Authentication & Security

### SAML 2.0 SSO

Enterprise programs can now enable **SAML 2.0 Single Sign-On** as an alternative to password-based login:

* Supported identity providers: **Okta** and **Microsoft Azure AD**
* Users are redirected to the IdP for authentication; Loyalife issues a session token after successful SAML verification
* Disabling the SAML SSO toggle immediately reverts all logins to standard username/password
* **LDAP** authentication continues to work when SAML is concurrently enabled
* MFA is compatible with both SAML and LDAP flows

### Custom Subdomain Hosting

Each program can be hosted on a dedicated custom subdomain instead of the shared default domain:

* Custom subdomains are provisioned through **Program Settings → Program Details**
* The subdomain URL is preserved across Login, Forgot/Reset/Setup Password flows, and all system-generated emails
* Programs with SSO enabled cannot change their subdomain after configuration
* Linked programs inherit the primary program's subdomain and logo

### API Credential Management

Multiple Client ID and Client Secret pairs can now be generated per program:

* **Module-level API keys** support Read or Write access scopes
* Default credential expiry: **90 days**; custom expiry can be set up to a maximum of **2 years**
* The credential listing shows **Expiring Soon** and **Expired** status badges
* Automated email notifications are sent at: credential generation, revocation, 7 days before expiry, 1 day before expiry, and on the expiry day
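
The expiry rules above can be mirrored on the integrator's side to plan rotation before a key lapses. The following is an added example, not Loyalife code: the inventory is constructed, and the 730-day reading of "2 years", the 7-day **Expiring Soon** threshold and the treatment of the expiry day itself as expired are assumptions the release notes do not state.

```python
from datetime import date, timedelta

DEFAULT_EXPIRY_DAYS = 90        # default stated in the release notes
MAX_EXPIRY_DAYS = 2 * 365       # assumption: "2 years" counted as 730 days
REMINDER_OFFSETS = (7, 1, 0)    # reminders: 7 days before, 1 day before, expiry day
EXPIRING_SOON_DAYS = 7          # assumption: badge threshold is not documented


def expiry_date(issued, custom_days=None):
    """Expiry date for a credential, enforcing the documented maximum."""
    days = DEFAULT_EXPIRY_DAYS if custom_days is None else custom_days
    if not 1 <= days <= MAX_EXPIRY_DAYS:
        raise ValueError(f"expiry must be 1..{MAX_EXPIRY_DAYS} days, got {days}")
    return issued + timedelta(days=days)


def reminder_dates(expires):
    """Dates on which the expiry reminder emails are due."""
    return [expires - timedelta(days=offset) for offset in REMINDER_OFFSETS]


def badge(expires, today):
    """Listing badge, or None when the credential needs no attention."""
    if today >= expires:        # assumption: expired from the expiry day onward
        return "Expired"
    if (expires - today).days <= EXPIRING_SOON_DAYS:
        return "Expiring Soon"
    return None


def rotation_report(credentials, today):
    """Return (client_id, badge, reminder_due_today) for credentials to rotate."""
    report = []
    for client_id, issued, custom_days in credentials:
        expires = expiry_date(issued, custom_days)
        status = badge(expires, today)
        due = today in reminder_dates(expires)
        if status or due:
            report.append((client_id, status, due))
    return report


# Constructed inventory: (client id, issue date, custom expiry in days or None).
INVENTORY = [
    ("billing-read", date(2026, 6, 1), None),   # default 90 days
    ("earn-write", date(2026, 6, 1), 365),
    ("reports-read", date(2026, 5, 1), 30),
]
```

Calling `rotation_report(INVENTORY, date(2026, 8, 23))` lists the credentials that need rotation on that day.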

### VAPT 2026 Security Hardening

All vulnerabilities from the 2026 security audit have been resolved:

* **SQL Injection (High):** Member search now uses parameterised queries; free-text input is rejected for all search parameters
* **IDOR — Profile Disclosure (Medium):** Profile endpoint enforces server-side authorisation; cross-user access returns HTTP 403
* **Session Hijacking (Medium):** All active sessions and refresh tokens are invalidated on successful password reset
* **CAPTCHA Misconfiguration (Medium):** Password reset endpoint now validates CAPTCHA server-side with per-IP and per-email rate limiting; expired tokens are rejected; abuse returns HTTP 429
* **PII Masking (Low):** Phone numbers and email addresses in member API responses are now masked at the serialiser layer
* **Secure Media Access:** Media files are now served via encrypted proxy URLs instead of raw storage URLs; direct storage access is blocked
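
The SQL injection fix combines two controls: input that does not match an expected format is rejected, and accepted values are bound as query parameters. The following is an added sketch of that pattern, not Loyalife's implementation: the table, column names, parameter names and format patterns are hypothetical, and the sample rows are constructed.

```python
import re
import sqlite3

# Hypothetical search parameters: each maps to a fixed column and a strict format.
SEARCH_PARAMS = {
    "member_id": ("member_id", re.compile(r"[A-Z0-9]{6,12}")),
    "phone": ("phone", re.compile(r"\+?[0-9]{8,15}")),
    "email": ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
}


def search_members(conn, params):
    """Validate every search parameter, then run a parameterised query."""
    if not params:
        raise ValueError("at least one search parameter is required")
    clauses, values = [], []
    for name, value in params.items():
        if name not in SEARCH_PARAMS:
            raise ValueError(f"unsupported search parameter: {name}")
        column, pattern = SEARCH_PARAMS[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"invalid value for {name}")
        clauses.append(f"{column} = ?")   # column comes from the allow-list only
        values.append(value)              # value is bound, never concatenated
    sql = "SELECT member_id, email FROM members WHERE " + " AND ".join(clauses)
    return conn.execute(sql, values).fetchall()


def demo_db():
    """Constructed in-memory table standing in for the member store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (member_id TEXT, phone TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [
            ("MEM000001", "+14155550101", "ana@example.com"),
            ("MEM000002", "+14155550102", "raj@example.com"),
        ],
    )
    return conn
```

Validation and binding are independent layers: the format check rejects malformed input early, and the bound parameter keeps any accepted value out of the SQL text.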

***

## Campaigns

### Push Notifications in Campaigns

**Push Notification** is now a first-class delivery channel in the Campaign module alongside Email, SMS, and WhatsApp:

* Supported campaign types: Promotional, Occasion Reward, and Reward to Members
* Campaigns link to a push notification template from the Communication module
* Campaign performance metrics show: Total Sent, Success, and Failed counts per notification
* Notifications are delivered after the campaign cron executes

### Rule-Based Campaigns

A new **Campaigns (Rule Based)** module is available, controlled by a program-level feature flag:

* When enabled, rule-based campaigns appear in the Campaign module
* The toggle is independent of the standard Campaigns module and defaults to OFF
* Maker-Checker support for rule-based campaigns will be added in a future release

***

## Communications

### Push Notifications as a Channel

Push Notification is now the fourth delivery channel in the Communication module:

* **Title:** up to 50 characters
* **Body:** up to 120 characters, supports `{{variables}}` for personalisation
* **Redirect to screen:** optional deep-link target for the in-app screen that opens on tap
* A live iPhone lock screen preview is shown in real time while composing
* Test notifications can be sent to a registered member's device by phone number

### Notification Event Name Updates

Legacy notification event names have been updated to clean, Loyalife-branded names. The `lbms_` prefix has been removed from all event names, and the Giift brand name has been replaced with Loyalife throughout. Existing client-customised templates are not affected by this change.

***

## Segments

### Smart Segment and Manual Segment Creation Paths

The segment creation flow now offers two distinct paths:

* **Smart Segment** — filter-based, with support for Select All Members (static) or attribute-based filters. Segment name auto-populates; duplicate names are blocked; 100-character name limit applies
* **Manual Segment** — CSV upload with append or replace mode; 100-character name limit applies

### Segment Listing Enhancements

* Search by segment name from the listing page
* Segment names are clickable hyperlinks
* A **Linked Campaigns** column shows how many campaigns are associated with each segment

### Attribute Visibility Controls

A dedicated **Attribute Flags** section is available in Feature Flags for segments:

* 15 system attributes (across Member and Transaction categories) can be individually or bulk enabled/disabled
* Disabling a system attribute hides it from the segment filter in the creation flow
* Custom member and transaction attributes include an **Include in Segment Filter** checkbox, available at creation time and via Edit
* Segment creation supports a mix of system and custom attributes without conflict

***

## Rule Engine

### "Is Multiple Of" Operator

A new **Is Multiple Of** operator is available in Rule Engine conditions for aggregate attributes:

* Applies to aggregate transaction count attributes
* Enables milestone-based rules such as "every Nth transaction earns a bonus"
* Example: `Monthly Transaction Count is multiple of 10 → award 100 bonus points`

### Attribute-to-Attribute Date Comparison

Rule conditions can now compare two date-type attributes against each other:

* Example: `Transaction Date [Day of Month] equals Date of Birth [Day of Month]`
* Self-comparisons and comparisons between incompatible data types are prevented
* Date-type fields are auto-locked in the comparison selector to enforce valid pairings

### Time Input for Transaction Date

The Transaction Date attribute in Rule Engine and Campaign Rules now includes a **time picker (HH:MM, 24-hour format)**:

* Default time is `00:00` if not set
* The combined value is stored as `MM/DD/YYYY HH:MM`
* For **Between** operators, each date boundary has its own time selector
* Existing date-only rules are backward compatible — treated as `00:00`
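
Backward compatibility has a practical consequence for **Between** rules: a date-only upper boundary is read as `00:00`, so transactions later that day fall outside the window. The following is an added example, not Loyalife code, that parses both stored forms and flags such rules; the rule list is constructed, and inclusive boundaries are an assumption.

```python
from datetime import datetime

STORED_FORMAT = "%m/%d/%Y %H:%M"   # MM/DD/YYYY HH:MM, 24-hour
LEGACY_FORMAT = "%m/%d/%Y"         # date-only value saved before the time picker


def has_time(value):
    """True when the stored value carries an explicit HH:MM part."""
    try:
        datetime.strptime(value.strip(), STORED_FORMAT)
        return True
    except ValueError:
        return False


def parse_rule_datetime(value):
    """Parse a stored rule value; a date-only value is read as 00:00."""
    fmt = STORED_FORMAT if has_time(value) else LEGACY_FORMAT
    # Raises ValueError when the value matches neither format.
    return datetime.strptime(value.strip(), fmt)


def is_between(txn_time, lower, upper):
    """Evaluate a Between condition; each boundary has its own time.

    Assumption: both boundaries are inclusive (the release notes do not say).
    """
    lo, hi = parse_rule_datetime(lower), parse_rule_datetime(upper)
    if lo > hi:
        raise ValueError("lower boundary is after upper boundary")
    return lo <= txn_time <= hi


def date_only_upper_bounds(rules):
    """Names of Between rules whose upper boundary ends at 00:00 by default."""
    return [name for name, _lower, upper in rules if not has_time(upper)]


# Constructed rules: (rule name, lower boundary, upper boundary).
RULES = [
    ("june-bonus", "06/01/2026", "06/30/2026"),
    ("flash-sale", "06/15/2026 09:00", "06/15/2026 21:00"),
]
```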

***

## Reports

### AG Grid Search & Filter in Custom Reports

Custom Reports now use **AG Grid** for real-time client-side search and filtering of CSV data:

* Column headers are auto-detected from the CSV — no configuration required
* **Filter types** are auto-assigned: text filter for strings, number filter for numerics, date filter for dates
* **Global search** operates across all columns; column-level filters apply on top with AND logic
* Multi-column filtering and filter reset are supported
* Sorting available for string, numeric, and date columns
* Pagination: 50, 100, 500, or 1,000 rows per page
* **Filtered CSV export** — export only the rows matching your current filter state

### View Links in Custom Reports

Custom reports now include clickable **View Segment** and **View Campaign** links that navigate directly to the relevant module detail page.

***

## Approval Workflow

### Summary Counters

The Approval Workflow page now displays a **summary section** with real-time request counts:

| Counter              | Meaning                                                        |
| -------------------- | -------------------------------------------------------------- |
| **Pending Requests** | Requests pending with Checker + pending with Approver          |
| **Total Verified**   | Requests verified by the Checker role                          |
| **Total Approved**   | Requests approved by the Approver (including direct approvals) |
| **Total Rejected**   | Requests rejected by either Checker or Approver                |

Counters update in real time as requests move through the workflow. Counts are role-level and module-specific.

***

## API

### LocalAttributes in GetTransactionSummary

The `getTransactionSummary` API response now includes a `LocalAttributes` object for `transaction_type=1` (accrual) transactions:

* All custom transaction attribute data types are returned: Int, String, Selection, Date, Float
* For debit transaction types, `LocalAttributes` returns blank — no custom attribute data is populated
* All other existing behaviour of the API is unchanged

***

## UI & Navigation

* **Sidebar collapsible toggle:** The left navigation sidebar now supports collapsing to icon-only mode. Hovering shows a tooltip label. Collapse state persists across sessions
* **Program logo in top header:** The program logo dynamically reflects the currently active program
* **Linked program switcher:** Accounts managing multiple programs can switch between them from the top header
* **Admin login screen responsive:** The Admin Login screen is now responsive on Android and iOS mobile browsers in both portrait and landscape orientations
* **Superset Dashboard on Loyalty Overview:** The Loyalty Overview page now displays the most recently created or updated Superset Dashboard; visibility can be toggled per program
