Rakuten Rewards this month published a zero-dependency TypeScript software development kit on GitHub designed to let browser extensions automatically detect prior affiliate referrals and stand down – halting any attempt to claim commission – when another publisher already owns a given shopping session. The release, named @rakuten-rewards/standdown-sdk, follows months of industry turmoil triggered by allegations against PayPal’s Honey extension. It also coincides with a notable development: Honey has implemented the SDK and is now live again with Rakuten Advertising, according to James Little, Group Commercial Director at TopCashback.
The announcement and its context
Little’s LinkedIn post described the release as “a very good news for the trade,” noting that Honey had implemented the software and resumed its relationship with Rakuten Advertising. The post drew immediate and pointed commentary. Ben Edelman – economist, attorney, and co-author of the affiliate software Code of Conduct that shaped much of this debate – replied that if he were Rakuten, he would “expect Honey to pay a considerable financial penalty for the difficulty they triggered, the expense and distraction of investigation, and the general lack of confidence in affiliate internet marketing.” Edelman questioned whether Honey should simply “get to implement the SDK after which be again to regular as if that they had not dedicated an enormous violation of relevant guidelines.”
That tension – between a technical fix and accountability for past conduct – runs through the entire episode. The SDK is real, open-source, and technically detailed. Whether it closes the chapter on Honey’s conduct remains contested.
The broader backstory matters here. A December 2024 investigation revealed that Honey had systematically diverted affiliate commissions from content creators, replacing their tracking cookies with PayPal’s own affiliate identifiers even when the extension provided no discount codes. Rakuten Advertising terminated Honey from its network on January 12, 2026, cutting access to roughly 2,000 retail merchants. Impact.com followed with a suspension on January 16, 2026, citing stand-down violations and concealment from testers. Awin Group confirmed on January 21, 2026 that its own investigation had found Honey breached publisher policies, suspending payments and blocking access to new advertiser programs. By July 2025, Honey had already fallen from over 20 million Chrome users to 14 million, a figure that represented a substantial loss of consumer reach even before the network terminations.
What the SDK does
The GitHub repository, available at https://github.com/rakutenrewards/PublisherStandown-SDK, carries an MIT license and was published by contributor Travis Coulter under the rakutenrewards organisation. At the time of this writing the repository had a single commit labelled “Initial commit,” recorded as last week, and carried 1 star, 0 forks, and 0 published releases.
According to the repository documentation, the SDK is a zero-dependency TypeScript package targeting Manifest V3 browser extensions – the extension architecture now required by Chrome and by Microsoft Edge. The package weighs roughly 6 kilobytes gzipped and around 21 kilobytes in estimated uncompressed code size. It ships as a dual ESM and CommonJS package with TypeScript declarations and carries no runtime dependencies. Installation is via npm or pnpm:
npm install @rakuten-rewards/standdown-sdk
The core function is checkForAffiliatePatterns(tabId). According to the documentation, this method inspects the full redirect chain observed for a specific browser tab and returns a typed DetectionResult object indicating whether an affiliate pattern was found. The design targets what the documentation calls “the classical affiliate activation model”: a user clicks an affiliate link, passes through a network’s redirect hop, and arrives at a merchant page with the session already attributed to a prior publisher.
The method is meant to be called from a webNavigation.onCompleted or onErrorOccurred listener so it runs as soon as navigation settles, at which point the full redirect chain is available for inspection.
Manifest V3 permissions required
Three manifest permissions are required for the SDK to function: webNavigation, webRequest with host_permissions: [", and tabs. According to the documentation, webNavigation is necessary to observe redirect chains and committed navigations; webRequest is required to observe intermediate redirect hops via the onBeforeRequest event; and tabs is required for tab lifecycle cleanup, clearing state when a tab closes. A fourth permission – storage – is optional but required if the extension enables the audit log feature.
The SDK supports Chrome as its primary target, Microsoft Edge without additional configuration (since both use the same chrome.* APIs), Firefox (where the SDK automatically resolves the browser namespace at runtime), and Safari under conditions: Safari 16.4 or later on macOS Ventura 13.3 or later is required for Manifest V3 service worker support. The documentation notes that automated end-to-end testing on Safari is not available because Playwright does not support Safari extension loading.
Policies: no defaults supplied
A significant design choice concerns how the SDK handles affiliate network patterns. According to the documentation, the SDK does not bundle any default affiliate network policies. Each extension developer is responsible for supplying the policies relevant to their integration at construction time via config.policies. This puts the burden of maintaining accurate detection rules on the integrating developer rather than on Rakuten.
Each NetworkPolicy object contains an id, a schemaVersion (currently 2), a policyVersion as a positive integer, a network block with an optional sessionDuration in milliseconds, and an array of PolicyRule objects. Rules can match on domain, paths, params, or a pattern string compiled to a regular expression. The documentation includes a worked example for Commission Junction (CJ), whose policy consists of three domain rules – dpbolvw.net, anrdoezrs.net, and jdoqocy.com – plus a parameter rule for cjevent, with a sessionDuration of 1,800,000 milliseconds, equivalent to 30 minutes.
If no valid policies are loaded, checkForAffiliatePatterns will always return no-match, and the SDK emits a console.warn to alert developers.
The DetectionResult structure
The SDK returns a discriminated union type. When a pattern is found, DetectionResult carries hasAffiliatePattern: true, a non-empty matchedPatterns array containing at least one entry, the full redirectChain as an array of URL strings, a Unix millisecond timestamp detectedAt, an expiry timestamp expiresAt derived from the longest matched sessionDuration, and a boolean isOwnAffiliateLink. When no pattern is found, hasAffiliatePattern is false and both detectedAt and expiresAt are null.
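A minimal model of the policy matching and result shape described above, as an added example that is not the SDK's code: it applies the Commission Junction policy to a constructed redirect chain and derives expiresAt from the longest matched sessionDuration. The rule shape, the detect function, the use of policy ids in matchedPatterns and the sample URLs are assumptions, and isOwnAffiliateLink is left out.

```typescript
// Added illustration, not the SDK's source. Field names follow the article;
// the rule shape ({ type, value }) and the sample chain are assumptions.
type PolicyRule = { type: "domain" | "param"; value: string };
interface NetworkPolicy {
  id: string; schemaVersion: 2; policyVersion: number;
  network: { sessionDuration?: number }; // milliseconds
  rules: PolicyRule[];
}
type Base = { matchedPatterns: string[]; redirectChain: string[] };
type DetectionResult = Base & (
  | { hasAffiliatePattern: true; detectedAt: number; expiresAt: number }
  | { hasAffiliatePattern: false; detectedAt: null; expiresAt: null });
// The Commission Junction policy as the article describes it.
const CJ_POLICY: NetworkPolicy = {
  id: "cj", schemaVersion: 2, policyVersion: 1,
  network: { sessionDuration: 1_800_000 }, // 30 minutes
  rules: [
    { type: "domain", value: "dpbolvw.net" },
    { type: "domain", value: "anrdoezrs.net" },
    { type: "domain", value: "jdoqocy.com" },
    { type: "param", value: "cjevent" },
  ],
};

function ruleMatches(rule: PolicyRule, url: URL): boolean {
  if (rule.type === "param") return url.searchParams.has(rule.value);
  // Match the domain itself or a subdomain, never a lookalike such as notdpbolvw.net.
  return url.hostname === rule.value || url.hostname.endsWith("." + rule.value);
}

function detect(chain: string[], policies: NetworkPolicy[], now: number): DetectionResult {
  const matched: string[] = []; // ids of policies with at least one matching rule
  let longest = 0;
  for (const policy of policies) {
    const hit = chain.some((hop) => {
      try { return policy.rules.some((r) => ruleMatches(r, new URL(hop))); }
      catch { return false; } // malformed hop: ignore it
    });
    if (!hit) continue;
    matched.push(policy.id);
    longest = Math.max(longest, policy.network.sessionDuration ?? 0);
  }
  const base = { matchedPatterns: matched, redirectChain: chain };
  if (matched.length === 0) return { ...base, hasAffiliatePattern: false, detectedAt: null, expiresAt: null };
  return { ...base, hasAffiliatePattern: true, detectedAt: now, expiresAt: now + longest };
}

// Constructed chain: review page -> CJ redirect hop -> merchant landing page.
const SAMPLE_CHAIN = ["https://blog.example/review", "https://www.dpbolvw.net/click-1-2", "https://shop.example/item?cjevent=abc"];
```

With an empty policy list the function returns the no-match branch for every chain, which is the behaviour the documentation describes when no valid policies are loaded.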
The documentation flags a privacy obligation: redirectChain and matchedPatterns constitute sensitive user navigation history. According to the repository, extension developers should not log or transmit this data without explicit user consent and should keep access scoped to the background service worker, avoiding exposure to content scripts or web page contexts via chrome.runtime.onMessage.
Security risks in policy patterns
The repository includes a specific warning about regular expression patterns in policies. According to the documentation, patterns with nested quantifiers – for example (a+)+ or (x+x+)+y – can cause catastrophic backtracking that hangs the service worker indefinitely. Developers are instructed to use bounded quantifiers and avoid nested repetition. This is a meaningful risk: a policy author who supplies a poorly written pattern could disable the extension’s background thread.
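One way to screen policy patterns before they are loaded, as an added example rather than the project's own validator: a heuristic that refuses a pattern when a group containing an unbounded quantifier is itself repeated without a bound. The function names and the 200-character length cap are assumptions.

```typescript
// Added illustration, not the SDK's validator. A heuristic pre-load check for
// policy `pattern` strings; the 200-character cap is an assumption.
const UNBOUNDED_AT_START = /^(?:[+*]|\{\d+,\})/; // +, * or {n,} at the start of a string

// Returns null when the pattern passes, otherwise the reason it was rejected.
function lintPolicyPattern(pattern: string, maxLength = 200): string | null {
  if (pattern.length > maxLength) return "pattern too long";
  try { new RegExp(pattern); } catch { return "pattern does not compile"; }
  const groups: boolean[] = []; // per open group: unbounded quantifier seen inside?
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\") { i++; continue; }              // escaped character is a literal
    if (inClass) { inClass = c !== "]"; continue; } // quantifier chars are literals in [...]
    if (c === "[") { inClass = true; continue; }
    if (c === "(") { groups.push(false); continue; }
    if (c === ")") {
      const inner = groups.pop() ?? false;
      if (inner && UNBOUNDED_AT_START.test(pattern.slice(i + 1))) {
        return "nested unbounded quantifier closing at index " + i;
      }
      // An unbounded quantifier inside this group also sits inside its parent.
      if (inner && groups.length > 0) groups[groups.length - 1] = true;
      continue;
    }
    if (UNBOUNDED_AT_START.test(pattern.slice(i)) && groups.length > 0) {
      groups[groups.length - 1] = true;
    }
  }
  return null;
}

// Split candidate patterns into those safe to load and those refused, with reasons.
function partitionPatterns(patterns: string[]) {
  const accepted: string[] = [];
  const rejected: { pattern: string; reason: string }[] = [];
  for (const pattern of patterns) {
    const reason = lintPolicyPattern(pattern);
    if (reason === null) accepted.push(pattern);
    else rejected.push({ pattern, reason });
  }
  return { accepted, rejected };
}
```

The check covers the nested-repetition shape the documentation names; it does not catch other backtracking shapes such as overlapping alternation, so a pass is necessary rather than sufficient.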
The documentation also prohibits server-side stand-down decisions. This mirrors a requirement in the affiliate Code of Conduct authored by James Little and Ben Edelman – a draft document published for public comment – which states explicitly that the entirety of stand-down logic must be implemented within the browser extension, client-side. Server-side calls for stand-down determination are “strictly prohibited” under the Code.
The Code of Conduct backstory
The SDK’s publication is directly linked to broader standard-setting activity in the affiliate marketing industry. Little and Edelman published a draft Code of Conduct for Affiliates Using Browser Extensions and Other Client Software – described as Draft v0.1 – open for public comment. According to the Code’s preamble, its key objectives include protecting genuine user intent, preventing unfair interference with tracking and commission, standardising rules across networks, and improving transparency, auditability, and trust.
The Code sets out detailed stand-down requirements. According to the draft, when another affiliate has referred a user to a given advertiser within the same session, participating software “should stand down for that advertiser.” During stand-down, software should not present affiliate links, refresh cookies, perform background tracking, or display marketing prompts. It should “seem and behave identically to its habits on websites the place no affiliate advantages can be found.”
The Code also specifies session duration rules. Stand-down under the preferred method ends after 60 consecutive minutes of no foreground user interaction within the browser profile. If inactivity detection is not implemented, the fallback is 90 minutes from the most recent affiliate referral. The session survives browser restarts, sleep, standby, and tab discard.
One of the most consequential provisions concerns server-side logic. The Code states: “It’s a violation for a shopper to acquire a stand-down choice by checking with a server.” This directly addresses behaviour documented in the Honey investigation, where researchers found that Honey’s stand-down rules were stored on cloud servers accessible through a specific URL that refreshed every hour, allowing developers to modify behaviour across millions of users without extension updates.
The Code also addresses testing transparency: “Collaborating software program should not take any motion designed to hide its habits from testers.” This, again, maps precisely onto what investigators documented about Honey’s selective stand-down system, which allegedly analysed user signals – including affiliate network login cookies, account age, and email addresses containing the word “test” – to determine whether a given user was likely a compliance tester and adjust behaviour accordingly.
The audit log feature
The SDK includes an optional audit log that records affiliate detections to chrome.storage.local. According to the documentation, entries survive service worker restarts and expire per each network’s configured sessionDuration. The log is enabled by passing enableAuditLog: true at SDK construction. Because the async factory method StanddownSDK.create() hydrates in-memory state from storage before returning, queries are accurate immediately after a restart without a cold-start gap. Two query methods are available: getEventLog() returns all active (non-expired) detections across every domain, and getEventsByDomain(input) returns active entries for a given URL or bare hostname, normalised to root domain.
What the reinstatement means
The return of Honey to Rakuten Advertising, enabled by implementation of this SDK, raises questions that go beyond technical compliance. Edelman’s public comment drew attention to an accountability gap: the SDK enforces rules going forward, but it does not address commissions already diverted, investigations already conducted at industry expense, or the erosion of trust in affiliate marketing as a channel.
The affiliate marketing industry spent months absorbing the consequences of Honey’s alleged practices. Content creators filed a class action lawsuit on December 29, 2024, seeking damages exceeding $5 million. PayPal failed in November 2025 to compel arbitration, and a second amended complaint filed on January 5, 2026 included specific merchant contract terms and 101 pages of detailed evidence. That litigation remains ongoing.
For marketers and affiliate managers, the SDK’s existence does represent a concrete change. For the first time, a major affiliate network has published a machine-readable, open-source tool that any browser extension developer can integrate to automate stand-down decisions. If other networks publish comparable policy definitions in the format the SDK expects, the infrastructure for cross-network stand-down compliance begins to exist at a technical rather than merely contractual level.
Whether networks and publishers adopt the standard in practice, and how quickly, remains to be seen. The Code of Conduct itself remains a draft, open for public comment. The SDK carries no default policies. And the governance question Edelman raised on LinkedIn – what happens to publishers who violated rules and then simply implement the fix – is not answered by the technical release alone.
Timeline
- December 22, 2024 – MegaLag publishes investigation into Honey’s alleged affiliate commission diversion practices. PPC Land coverage
- December 29, 2024 – Content creators file class action lawsuit in the Northern District of California seeking damages exceeding $5 million. PPC Land coverage
- July 2025 – Honey’s Chrome user count falls to 14 million, down from over 20 million before the December 2024 investigation. PPC Land coverage
- November 7, 2025 – US District Court denies PayPal’s motion to compel arbitration, allowing the case to proceed in federal court. PPC Land coverage
- December 30, 2025 – Researchers publish investigation into Honey’s alleged selective stand-down system and tester-detection architecture. PPC Land coverage
- January 5, 2026 – Content creators file a second amended 101-page complaint including specific merchant contract terms. PPC Land coverage
- January 12, 2026 – Rakuten Advertising terminates Honey from its network, severing access to roughly 2,000 retail merchants. PPC Land coverage
- January 16, 2026 – Impact.com suspends Honey, citing stand-down violations and concealment from testers. PPC Land coverage
- January 21, 2026 – Awin Group confirms Honey violated publisher policies following a formal investigation, suspends payments and access to new advertiser programs. PPC Land coverage
- Early May 2026 – James Little and Ben Edelman publish Draft v0.1 of the Code of Conduct for Affiliates Using Browser Extensions and Other Client Software, open for public comment.
- May 6, 2026 – Rakuten Rewards publishes the @rakuten-rewards/standdown-sdk TypeScript package on GitHub. Honey implements the SDK and returns to Rakuten Advertising.
Summary
Who: Rakuten Rewards, with involvement from James Little (Group Commercial Director at TopCashback), Ben Edelman (economist and co-author of the affiliate Code of Conduct), and PayPal’s Honey browser extension.
What: Rakuten Rewards published an open-source TypeScript SDK on GitHub that enables browser extensions to detect prior affiliate referrals and stand down automatically. Honey implemented the SDK and was reinstated to Rakuten Advertising. Ben Edelman publicly questioned whether reinstatement without a financial penalty was appropriate given the scale of alleged prior violations.
When: The SDK was published and Honey’s reinstatement announced on May 6, 2026, following months of network terminations and legal proceedings that began in December 2024.
Where: The SDK is published on GitHub at https://github.com/rakutenrewards/PublisherStandown-SDK and is available via npm as @rakuten-rewards/standdown-sdk. The affiliated Code of Conduct is published at affiliatesoftware.coc for public comment. Legal proceedings are ongoing in the United States District Court for the Northern District of California.
Why: The Honey controversy exposed systematic failures in how affiliate browser extensions respected stand-down obligations – the industry norm requiring an extension to cease affiliate activity when another publisher already owns the session. The SDK is Rakuten’s technical response, giving any extension developer a standardised, auditable, client-side tool to implement stand-down detection without relying on server-side logic that could be modified invisibly.