
Changelog

What’s new in Pushoney. Newest first.

2026-05-18

improvement

New pricing — three flat-fee plans plus a free tier

The paid plans are now three simple tiers — Starter, Growth, and Scale — each a flat monthly fee with unlimited sends and a generous subscriber allowance (just $0.50 per extra 1,000 subscribers/month above your tier cap). The free plan with the 60/40 click revshare stays, and every paid plan starts with a 7-day free trial. See /pricing.

2026-05-15

feature improvement

One-click unsubscribe for your subscribers

Subscribers can now stop notifications without leaving the push UI. Every push includes a "Stop notifications" action; clicking it calls a hosted /unsubscribe page that confirms and de-registers the endpoint. Reduces complaint rates and matches GDPR Article 7(3) (right to withdraw consent).

2026-05-15

improvement

Terms re-consent prompt when our ToS changes

When we publish a new Terms version, you'll see a single full-page prompt on next sign-in asking you to read + accept. No silent acceptance, no forced clickthrough — a clear consent boundary as required by GDPR Article 7.

2026-05-15

security

Stronger security across the platform

Pre-launch audit pass. Every state-changing form is now CSRF-protected, /metrics is bearer-gated, and password attempts are rate-limited per email (not only per IP). No customer action needed; everything below the surface.

2026-05-12

feature security

Webhook signature v2 — replay-safe verification

Every X-Pushoney-Signature header now carries a v2 token in addition to v1. v2 signs <timestamp>.<delivery_id>.<body> so a captured signature cannot be replayed for a different delivery. Recipes for Node.js + Python in /docs.
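
A receiver-side check for the v2 layout described above, as an added example (not Pushoney's own recipe from /docs). Assumptions: HMAC-SHA256 with hex output, a 300-second freshness window, an in-memory store of seen delivery IDs, and all function and class names; header parsing is left out because this page does not give the header format.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-example-secret"     # constructed sample value
BODY = b'{"event":"campaign.sent"}'        # constructed sample payload


def sign_v2(secret: bytes, timestamp: str, delivery_id: str, body: bytes) -> str:
    """MAC over <timestamp>.<delivery_id>.<body>, the v2 layout from the changelog.
    HMAC-SHA256 with hex encoding is an assumption of this example."""
    msg = timestamp.encode() + b"." + delivery_id.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Hypothetical receiver-side verifier: signature, freshness, then dedup."""

    def __init__(self, secret: bytes, tolerance: int = 300):
        self.secret = secret
        self.tolerance = tolerance   # assumed freshness window, in seconds
        self.seen = {}               # delivery_id -> timestamp (shared TTL store in production)

    def verify(self, timestamp, delivery_id, body, signature, now=None) -> str:
        now = time.time() if now is None else now
        expected = sign_v2(self.secret, timestamp, delivery_id, body)
        # Constant-time compare. The MAC covers the delivery ID, so a signature
        # captured from one delivery fails here when presented for another.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad_signature"
        try:
            ts = int(timestamp)
        except ValueError:
            return "bad_timestamp"
        # The timestamp is authenticated, so it can be trusted for freshness.
        if abs(now - ts) > self.tolerance:
            return "stale"
        # Same delivery presented twice inside the window: exact replay.
        if delivery_id in self.seen:
            return "replayed"
        # Drop IDs that have aged out; they would be rejected as stale anyway.
        self.seen = {d: t for d, t in self.seen.items() if now - t <= self.tolerance}
        self.seen[delivery_id] = ts
        return "ok"
```

The signature binds a delivery ID to a body; rejecting an exact resend of the same delivery still depends on the receiver's own freshness and dedup checks, as in `verify`.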

2026-05-12

improvement

Email alert when your webhook auto-disables

If your receiver returns 410 Gone and Pushoney auto-disables the webhook, we now email every hub owner so you don't have to spot it from a missing-events alert. Deduped to one email per webhook per 24h.

2026-05-12

security improvement

Per-account API rate limit

600 req/min ceiling aggregated across ALL keys under your account, on top of the existing per-key buckets. Prevents a compromised key from burning your whole account's quota. Legitimate multi-server traffic stays well below.

2026-05-12

improvement

Auto-expiry on monetization fraud flags

Fresh fraud-flagged subscribers (geo-flip + click-cap trips) now auto-clear after 60 days. False positives no longer require operator intervention.

2026-05-12

security

Login lockout after repeated failures

Five failed login attempts on the same account inside 15 minutes trigger a 15-minute lockout. Defends against distributed brute-force that varies IPs. Account-isolated; other users unaffected.

2026-05-11

feature

Phase C — revshare end-to-end

The full publisher revenue pipeline is now live. Stub-adapter inventory ticks hourly, the drop scheduler dispatches monetization campaigns under your existing fan-out, click handler accrues to your monthly ledger, and the PayPal Payouts worker settles eligible rows on the 5th of each month.

2026-05-10

feature

Public API v1 + interactive docs at /v1/docs

Full REST surface for hubs, subscribers, campaigns, conversions, segments, API keys, webhooks, and async exports. OpenAPI spec at /v1/openapi.json. Try-it-out UI via Scalar at /v1/docs.

2026-05-09

feature

Launch readiness — Phase D

Legal foundation (Terms / Privacy / Cookies / DPA + signup ToS gate), marketing surface with revshare-from-day-one positioning, customer monetization opt-in, 4-step onboarding checklist, welcome email, internal status page, and a pre-launch security pass.

2026-05-08

feature security

Two-factor auth (TOTP + recovery codes)

Add a TOTP-based second factor to your account from Account → Two-factor. Compatible with Google Authenticator, 1Password, Bitwarden, Authy. Ten recovery codes generated once; hash-stored so even a DB leak can't recover them.

2026-05-07

feature security

Active sessions list + per-session revoke

See every device that's logged into your account, with last-active timestamps. Revoke any session individually or log out everywhere else in one click.