Changelog

API and platform updates for screenshot.tools.town.

v1.1

latest

2026-04-12

Added Per-key rate limiting: 60 captures/min per API key via Cloudflare KV.
Added Structured capture_request logs with key ID prefix, duration, outcome, viewport.
Improved Redirect chain validation — each hop is re-checked against the URL blocklist (max 5 redirects).
Improved IPv4 and IPv6 private/reserved range blocking expanded to cover CGNAT (100.64/10) and link-local (169.254/16, fe80::/10).
Fixed Service binding (Cloudflare error 1042) in keys, credits, billing, and media Workers — eliminated workers.dev Worker-to-Worker call failures.
Fixed Razorpay webhook event ID was read from body instead of X-Razorpay-Event-Id header — credits are now correctly granted after payment.
Fixed CORS multi-origin support — ALLOWED_ORIGIN now accepts comma-separated values, enabling both dashboard.tools.town and .workers.dev origins.

launch

2026-04-01

Added POST /v1/capture — headless PNG screenshot via Cloudflare Browser Rendering.
Added GET /v1/meta — returns limits, defaults, and SKU name.
Added X-API-Key authentication with scope screenshot:capture via keys.surror service binding.
Added Credit debit (1 credit = 1 render, debit-after-success) via credits.surror.
Added Media upload to Cloudflare R2 via media.surror — signed image_url in every response.
Added SSRF protection: private IP blocklist, scheme enforcement (HTTPS only), redirect validation.
Added Idempotency-Key header support — retries with the same key do not double-charge.
Added balance_after field in response — know your remaining credits without hitting the dashboard.

Get notified of new releases — follow tools.town.