jup.sh 0.1.0-alpha.16 Draft Release Notes

Status: draft.

v0.1.0-alpha.16 is planned as a transaction request token gate checkpoint. It adds a local opaque request token to transaction request URLs so the wallet boundary is not only keyed by intent id.

This draft still does not authenticate users, sign, submit, confirm, or settle a transaction.

What This Draft Adds

• New intents include a local transactionRequest.requestToken.
• Transaction request preflight includes the request token in the endpoint and Solana Pay URL.
• Transaction request metadata and POST paths require the token when an intent has one:
  • GET /api/transaction-requests/:intentId?request=<token>;
  • POST /api/transaction-requests/:intentId?request=<token>.
• Missing or incorrect tokens return 403 invalid_request_token.
• Server smoke coverage for missing-token metadata and transaction requests.
• Alpha CLI smoke coverage for generated request tokens and tokenized preflight URLs.

Safety Boundary

This is a replay-control scaffold, not authentication. The token is local, stored with the intent, and intended to make transaction request URLs less guessable before a real backend, auth layer, and request-token lifecycle exist.

The token does not authorize payment. Policy, review state, expiry, wallet account validation, transaction construction, signing, submission, and confirmation remain separate gates.

Current Boundary

The npm alpha package remains jup-sh@0.1.0-alpha.7 until a runtime release is prepared and published.

Verification

Run:

npm run release:check