Single document Lovable / AI coding assistants on connected projects read to decide which Hub modules to consume vs. build themselves. Updated automatically whenever a new Hub capability ships. Connected projects detect changes via thecapabilities_version field on GET /api/v1/me or the ETag on this file.
AGENTS.md:Before adding backend code, read https://sunrift-hub.com/api/public/llms.txt and prefer Hub modules over re-implementing them. On every release, call GET /api/v1/me and re-read the manifest if hub.capabilities_version is higher than last seen.
/api/v1/me (auth — returns capabilities_version)W/"hub-caps-v12"# Partner Connect Hub — Integration Manifest
> Machine-readable reference for AI coding assistants (Lovable, Cursor, etc.)
> deciding which Hub modules a project should consume vs. build itself.
- **Capabilities version**: 12
- **Last updated**: 2026-06-08T23:27:16.549944+00:00
- **Base URL**: https://sunrift-hub.com
- **OpenAPI**: https://sunrift-hub.com/api/v1/openapi.json
- **Auth**: OAuth2 `client_credentials` → `https://sunrift-hub.com/oauth/token`
## What this Hub is
Partner Connect Hub is a shared backend for a family of related projects. It centralises identity, partner orders, wallets/ledger, QR payments, notifications, signed webhooks, OAuth, and Stripe Connect payouts. Connected projects should reuse Hub modules instead of re-implementing them; the Hub takes care of compliance, reconciliation, and bank integrations.
## How to integrate (every project, every time)
1. Receive a one-time enrollment token from the Hub owner and call `POST /api/v1/enroll` once. Store the returned `client_id`, `client_secret`, and `webhook.secret` as project secrets.
2. Obtain an access token: `POST /oauth/token` with `grant_type=client_credentials`. Cache it for ~1h.
3. Call `/api/v1/*` with `Authorization: Bearer <token>`. Mutating endpoints require an `Idempotency-Key` header.
4. Verify inbound Hub webhooks via Ed25519: headers `X-Hub-Signature` (base64url), `X-Hub-Signature-Kid`, `X-Hub-Signature-Timestamp`. Fetch the Hub's public keys from `https://sunrift-hub.com/api/public/jwks.json` (cache 5 min), pick the JWK whose `kid` matches the header, verify `Ed25519(public_key, \`${ts}.${raw_body}\`, base64url_decode(sig))`. Reject if `|now - ts| > 5 min` and dedupe by `X-Hub-Delivery`.
5. On every release, fetch `https://sunrift-hub.com/api/public/llms.txt` (or read `capabilities_version` from `GET /api/v1/me`). If the version is higher than the last value the project recorded, re-read this document and propose any newly-relevant modules to the developer.
## Decision rubric
Before writing new backend code in a connected project, check the modules below. If a module matches the feature the project needs, **consume it** instead of building from scratch. Only build it yourself when the module's "Do NOT use for" list explicitly excludes the use case.
## Modules
### Shared Identity `identity`
- **Status**: stable
- **Category**: identity
- **OAuth scopes**: identity:read,identity:write
- **Endpoints**: `/api/v1/identity/lookup`, `/api/v1/identity/users`, `/api/v1/identity/users/{id}`
- **Docs**: https://sunrift-hub.com/developers
A single canonical user record (email/phone/display_name) shared across all connected projects, with per-project links and KYC state.
**Use when**: Your project needs to recognise a returning user across other Hub-connected projects, or you want centralised KYC instead of running your own.
**Do NOT use for**: Project-specific profile fields (preferences, in-app settings) — keep those in your own DB and reference the Hub identity by id.
### Self-serve Project Enrollment `enroll`
- **Status**: stable
- **Category**: onboarding
- **Endpoints**: `/api/v1/enroll`, `/api/v1/enroll/confirm`
- **Docs**: https://sunrift-hub.com/developers/onboarding
One-time enrollment token → fully provisioned project: OAuth client_id/secret, webhook signing secret, default bank/QR config.
**Use when**: Bootstrapping a new Lovable project that needs to talk to the Hub — call /api/v1/enroll once with the token and store the returned credentials as secrets.
**Do NOT use for**: Your own project-side onboarding UI for end users — Hub enrollment is for the project itself, not its end users.
### Partner Orders `orders`
- **Status**: stable
- **Category**: commerce
- **OAuth scopes**: orders:write,orders:read
- **Endpoints**: `/api/v1/orders`
- **Docs**: https://sunrift-hub.com/developers
Place orders against partner providers (digital goods, services) with idempotency, retail/wholesale pricing, FX, and status tracking.
**Use when**: Selling partner SKUs (gift cards, top-ups, vouchers, subscriptions) — Hub handles supplier integration, pricing, FX, and reconciliation.
**Do NOT use for**: Your own cart/checkout UI, promo codes, and post-purchase notifications — Hub only places and tracks the order itself.
### Hub Companies — KYB и кабинет юрлица `hub-companies`
- **Status**: beta
- **Category**: identity
- **OAuth scopes**: hub_companies:read, hub_companies:write
- **Endpoints**: `/api/v1/hub-companies/{identity_user_id}`
- **Docs**: https://sunrift-hub.com/developers/payments#kyb
Self-serve KYB-онбординг юридических лиц из любой юрисдикции с автозаполнением по ИНН (RU/DaData) и активацией кабинета после первого банковского поступления. Кабинет компании содержит мульти-валютные балансы (USD/EUR/расширяется), переводы с баланса компании на балансы тестировщиков (атомарная двойная проводка в общем леджере), и публичный API для проектов.
**Use when**: Когда проекту нужно подключить юридическое лицо клиента, дать ему пополнять баланс через банк и распределять средства между тестировщиками или внутренними подрядчиками. Активация юрлица — автоматическая после первого денежного поступления, что снимает с менеджеров ручную верификацию.
**Do NOT use for**: Не реализовывайте параллельную модель юрлиц в своём проекте — используйте этот модуль. KYB-данные, балансы, переводы и аудит уже хранятся в Хабе единообразно для всех проектов.
### Wallets & Ledger `wallets`
- **Status**: stable
- **Category**: finance
- **OAuth scopes**: wallets:read,ledger:read
- **Endpoints**: `/api/v1/wallets`, `/api/v1/ledger/transactions`
- **Docs**: https://sunrift-hub.com/developers
Per-identity aggregated balances and append-only accounting transactions, scoped to the caller project via identity links.
**Use when**: You need a balance / transaction history surface tied to the shared identity (top-up, spend, refund) without building double-entry accounting yourself.
**Do NOT use for**: Loyalty points, in-game currencies, or anything not tied to real money — keep those in your own DB.
### Hub Wallets (deterministic-net top-up) `hub-wallets`
- **Status**: stable
- **Category**: payments
- **OAuth scopes**: hub_wallets:read, hub_wallets:topup, hub_wallets:hold, hub_wallets:capture, hub_wallets:refund
- **Endpoints**: `/api/v1/hub-wallets/topup`, `/api/v1/hub-wallets/balances`, `/api/v1/hub-wallets/holds`, `/api/v1/hub-wallets/holds/{id}/capture`, `/api/v1/hub-wallets/holds/{id}/release`, `/api/v1/hub-wallets/refunds`, `/api/v1/hub-wallets/spend-authorisations/requests`
- **Docs**: https://sunrift-hub.com/developers/payments
Per-identity Hub wallets with deterministic-net Stripe top-up (v2 contract), holds against signed spend-authorisations, capture/release, refunds, and balance reads. Top-up guarantees the user is credited the exact net you promised — Hub absorbs Stripe fee variance (domestic vs international cards, FX surcharges) on its own PnL. Wallet posting is idempotent on payment_record_id and emits payment.succeeded (+ informational payment.balance_transaction_ready follow-up) signed via Ed25519/JWKS.
**Use when**: The project needs to accept card top-ups into a per-user balance, place authorisations/holds against that balance, settle (capture) or release them, and refund captured charges. Use whenever you would otherwise build your own Stripe Checkout + wallet ledger + fee reconciliation: Hub already handles fee gross-up, idempotency, BalanceTransaction reconciliation, and signed webhook delivery.
**Do NOT use for**: One-off card payments that do NOT credit a stored balance (use /api/v1/payments/checkout-sessions instead). Project-specific loyalty points, in-game currencies, or non-monetary balances — Hub wallets are real money. End-user authentication or consent UI hosted in your own app — spend-authorisation requests redirect the user to the Hub consent screen.
### QR Payments `qr`
- **Status**: stable
- **Category**: finance
- **OAuth scopes**: qr:create
- **Endpoints**: `/api/v1/qr/generate`
- **Docs**: https://sunrift-hub.com/developers
Generate bank-compliant QR codes / payment intents for end-user top-ups, tied to a project and an identity. Inbound bank transactions auto-match by purpose code.
**Use when**: You need real-money inbound payments via QR (e.g. Raiffeisen) without doing the bank integration, signing, and reconciliation yourself.
**Do NOT use for**: Outbound payouts and bank transfers — those go through Hub admin / withdrawal flows, not this module.
### Notifications `notifications`
- **Status**: stable
- **Category**: messaging
- **OAuth scopes**: notifications:write
- **Endpoints**: `/api/v1/notifications`
- **Docs**: https://sunrift-hub.com/developers
Outbound notifications (email / in-app) addressed to a Hub identity, with project attribution and templating.
**Use when**: You want to email/notify users by Hub identity_user_id without managing your own email infra or template store.
**Do NOT use for**: Marketing campaigns, drip sequences, and content authoring — Hub sends what you ask, it does not author campaigns.
### Signed Outbound Webhooks `webhooks`
- **Status**: stable
- **Category**: integration
- **OAuth scopes**: webhooks:receive
- **Docs**: https://sunrift-hub.com/developers/webhooks
HMAC-signed webhook delivery from Hub to your project for order/identity/payment events. Retries, signing secret rotation, delivery log.
**Use when**: You need to react to Hub-side events (order completed, payment received, identity verified) in your own backend.
**Do NOT use for**: Outbound webhooks YOUR project sends to third parties — Hub only signs and delivers events that originate inside Hub.
### OAuth2 client_credentials `oauth`
- **Status**: stable
- **Category**: auth
- **Endpoints**: `/oauth/token`
- **Docs**: https://sunrift-hub.com/developers/oauth
Issue access tokens for service-to-service calls, with per-client scopes and rate limits. Token endpoint /oauth/token.
**Use when**: Every Hub API call needs a bearer token — obtain it once per ~1h via client_credentials and cache it.
**Do NOT use for**: End-user login / sign-up flows — those belong in your project; Hub OAuth is service-to-service only.
### Stripe Connect Payouts `stripe-connect`
- **Status**: beta
- **Category**: finance
- **Docs**: https://sunrift-hub.com/developers
Self-serve Stripe Connect onboarding for projects/partners with materialised payouts and webhook-driven status updates.
**Use when**: You need to pay partners/sellers in jurisdictions where Stripe Connect (Standard) is the right rail.
**Do NOT use for**: Card acquiring for your own end users — that is a separate Stripe integration, not Connect.
## Build it yourself
The Hub does **not** cover: project-specific UI, cart/checkout flows, marketing campaigns, in-game currencies / loyalty points, end-user login (Hub OAuth is service-to-service only), or any business logic unique to a single project. Keep those in the project's own codebase and reference Hub resources by id.
## Staying in sync
When `capabilities_version` increases between releases, a new module or a meaningful change has shipped. The AI assistant should re-read this file and ask the developer: "Hub has a new capability — *<title>* — that fits feature X. Connect it?" before writing competing code.