Rakuten Rewards this month published a zero-dependency TypeScript software development kit on GitHub designed to let browser extensions automatically detect prior affiliate referrals and stand down - halting any attempt to claim commission - when another publisher already owns a given shopping session. The release, named @rakuten-rewards/standdown-sdk, follows months of industry turmoil triggered by allegations against PayPal's Honey extension. It also coincides with a notable development: Honey has implemented the SDK and is now back live with Rakuten Advertising, according to James Little, Group Commercial Director at TopCashback.

The announcement and its context

Little's LinkedIn post described the release as "a really excellent news for the industry," noting that Honey had implemented the tool and resumed its relationship with Rakuten Advertising. The post drew immediate and pointed commentary. Ben Edelman - economist, attorney, and co-author of the affiliate software Code of Conduct that shaped much of this debate - replied that if he were Rakuten, he would "be expecting Honey to pay a substantial monetary penalty for the trouble they caused, the expense and distraction of investigation, and the overall loss of confidence in affiliate marketing." Edelman questioned whether Honey should simply "get to implement the SDK and then be back to normal as if they had not committed a massive violation of applicable rules."

That tension - between a technical fix and accountability for past conduct - runs through the entire episode. The SDK is real, open-source, and technically detailed. Whether it closes the chapter on Honey's conduct remains contested.

The wider backstory matters here. A December 2024 investigation alleged that Honey had systematically diverted affiliate commissions from content creators, replacing their tracking cookies with PayPal's own affiliate identifiers even when the extension provided no discount codes. By July 2025, Honey had fallen from over 20 million Chrome users to 14 million, a substantial loss of consumer reach before any network had acted. Rakuten Advertising then terminated Honey from its network on January 12, 2026, cutting access to approximately 2,000 retail merchants. Impact.com followed with a suspension on January 16, 2026, citing stand-down violations and concealment from testers. Awin Group confirmed on January 21, 2026 that its own investigation had found Honey breached publisher policies, suspending payments and blocking access to new advertiser programs.

What the SDK does

The GitHub repository, available at https://github.com/rakutenrewards/PublisherStandown-SDK, carries an MIT license and was published by contributor Travis Coulter under the rakutenrewards organisation. At the time of this writing the repository had a single commit labelled "Initial commit," recorded as last week, and carried 1 star, 0 forks, and 0 published releases.

According to the repository documentation, the SDK is a zero-dependency TypeScript package targeting Manifest V3 browser extensions - the extension architecture now required by Chrome and by Microsoft Edge. The bundle weighs approximately 6 kilobytes gzipped and around 21 kilobytes in estimated uncompressed code size. It ships as a dual ESM and CommonJS bundle with TypeScript declarations and carries no runtime dependencies. Installation is via npm or pnpm:

npm install @rakuten-rewards/standdown-sdk

The core function is checkForAffiliatePatterns(tabId). According to the documentation, this method inspects the full redirect chain observed for a specific browser tab and returns a typed DetectionResult object indicating whether an affiliate pattern was found. The design targets what the documentation calls "the classical affiliate activation model": a user clicks an affiliate link, passes through a network's redirect hop, and arrives at a merchant page with the session already attributed to a prior publisher.

The method is intended to be called from a webNavigation.onCompleted or onErrorOccurred listener so it runs as soon as navigation settles, at which point the full redirect chain is available for inspection. Both events fire for every frame in a tab, not only the top-level document, so an integrator will normally ignore events whose frameId is not 0 before invoking the check; otherwise an embedded iframe could trigger a spurious evaluation of the parent tab.

Manifest V3 permissions required

Three manifest permissions are required for the SDK to function: webNavigation, webRequest (together with host_permissions: ["<all_urls>"]), and tabs. According to the documentation, webNavigation is necessary to observe redirect chains and committed navigations; webRequest is required to observe intermediate redirect hops via the onBeforeRequest event; and tabs is required for tab lifecycle cleanup, clearing state when a tab closes. A fourth permission, storage, is optional but required if the extension enables the audit log feature. The blanket host permission is what lets webRequest see every hop of a cross-domain redirect: an extension that narrows host_permissions to a list of sites will simply not observe hops on hosts outside that list, and the chain it hands to the SDK will be incomplete.

The SDK supports Chrome as its primary target, Microsoft Edge without additional configuration (since both use the same chrome.* APIs), Firefox (where the SDK automatically resolves the browser namespace at runtime), and Safari under conditions: Safari 16.4 or later on macOS Ventura 13.3 or later is required for Manifest V3 service worker support. The documentation notes that automated end-to-end testing on Safari is not available because Playwright does not support Safari extension loading.

Policies: no defaults supplied

A significant design choice concerns how the SDK handles affiliate network patterns. According to the documentation, the SDK does not bundle any default affiliate network policies. Each extension developer is responsible for supplying the policies relevant to their integration at construction time via config.policies. This puts the burden of maintaining accurate detection rules on the integrating developer rather than on Rakuten.

Each NetworkPolicy object contains an id, a schemaVersion (currently 2), a policyVersion as a positive integer, a network block with an optional sessionDuration in milliseconds, and an array of PolicyRule objects. Rules can match on domain, paths, params, or a pattern string compiled to a regular expression. The documentation includes a worked example for Commission Junction (CJ), whose policy includes three domain rules - dpbolvw.net, anrdoezrs.net, and jdoqocy.com - plus a parameter rule for cjevent, with a sessionDuration of 1,800,000 milliseconds, equal to 30 minutes.

If no valid policies are loaded, checkForAffiliatePatterns will always return no-match, and the SDK emits a console.warn to alert developers.

The DetectionResult structure

The SDK returns a discriminated union type. When a pattern is found, DetectionResult carries hasAffiliatePattern: true, a non-empty matchedPatterns array, the full redirectChain as an array of URL strings, a Unix millisecond timestamp detectedAt, an expiry timestamp expiresAt derived from the longest matched sessionDuration, and a boolean isOwnAffiliateLink. When no pattern is found, hasAffiliatePattern is false and both detectedAt and expiresAt are null.

The documentation flags a privacy obligation: redirectChain and matchedPatterns constitute sensitive user navigation history. According to the repository, extension developers must not log or transmit this data without explicit user consent and must keep access scoped to the background service worker, avoiding exposure to content scripts or web page contexts via chrome.runtime.onMessage.
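To make the detection model concrete, here is an added example, written for this article and not taken from the SDK or its repository, that runs the CJ policy described above over an already-captured redirect chain and returns an object in the DetectionResult shape. The policy values (the three CJ domains, the cjevent parameter, the 30-minute session) are the ones the article cites; the rule semantics, the bounded pattern rule, the isOwn hook and the constructed chain are assumptions. In a real extension the chain would be accumulated per tab from webRequest.onBeforeRequest and the check invoked from the webNavigation.onCompleted listener; that browser wiring is omitted so the example runs outside a browser.

```javascript
// Added example, not code from the SDK: a minimal re-implementation of the
// detection model the article describes, over an already-captured redirect
// chain. Field names follow the article's NetworkPolicy and DetectionResult;
// rule semantics and the isOwn hook are assumptions made here.

// Constructed sample policy. The three CJ domains, the cjevent parameter and
// the 30-minute sessionDuration are the values the article cites; the
// bounded-quantifier pattern rule is added here for illustration.
const CJ_POLICY = {
  id: "cj",
  schemaVersion: 2,
  policyVersion: 1,
  network: { sessionDuration: 1_800_000 },
  rules: [
    { domain: "dpbolvw.net" },
    { domain: "anrdoezrs.net" },
    { domain: "jdoqocy.com" },
    { params: ["cjevent"] },
    { pattern: "^https://[^/]{1,253}/click-\\d{1,12}-\\d{1,12}" },
  ],
};

// Host equals the domain or is a subdomain of it; a plain suffix test would
// let "notdpbolvw.net" match "dpbolvw.net".
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Assumed semantics: a rule is the conjunction of the keys it sets, and a rule
// that sets no key never matches (otherwise a typo would match every URL).
function ruleMatches(rule, url) {
  const keys = ["domain", "paths", "params", "pattern"].filter((k) => rule[k] !== undefined);
  if (keys.length === 0) return false;
  if (rule.domain !== undefined && !hostMatches(url.hostname, rule.domain)) return false;
  if (rule.paths !== undefined && !rule.paths.some((p) => url.pathname.startsWith(p))) return false;
  if (rule.params !== undefined && !rule.params.some((p) => url.searchParams.has(p))) return false;
  // Compiled per call here for brevity; compile once at construction in practice.
  if (rule.pattern !== undefined && !new RegExp(rule.pattern).test(url.href)) return false;
  return true;
}

// chain: URL strings in the order the hops were observed for one tab.
// options.now lets tests pin the clock; options.isOwn(url) is an assumed hook
// for the integrator to recognise its own affiliate links.
function checkRedirectChain(chain, policies, options = {}) {
  const now = options.now ?? Date.now();
  const isOwn = options.isOwn ?? (() => false);
  const valid = policies.filter((p) => p.schemaVersion === 2 && Array.isArray(p.rules));
  if (valid.length === 0) {
    console.warn("standdown: no valid policies loaded; every check returns no-match");
  }
  const matchedPatterns = [];
  let longestSession = 0;
  for (const policy of valid) {
    for (const href of chain) {
      let url;
      try { url = new URL(href); } catch { continue; } // malformed hop: skip, never throw in a listener
      for (const rule of policy.rules) {
        if (ruleMatches(rule, url)) {
          matchedPatterns.push({ policyId: policy.id, rule, url: href });
          longestSession = Math.max(longestSession, policy.network?.sessionDuration ?? 0);
        }
      }
    }
  }
  if (matchedPatterns.length === 0) {
    return { hasAffiliatePattern: false, matchedPatterns: [], redirectChain: chain,
             detectedAt: null, expiresAt: null, isOwnAffiliateLink: false };
  }
  return {
    hasAffiliatePattern: true,
    matchedPatterns,
    redirectChain: chain,
    detectedAt: now,
    expiresAt: now + longestSession,
    isOwnAffiliateLink: matchedPatterns.some((m) => isOwn(m.url)),
  };
}

// The stand-down decision itself: another publisher's session is live and has
// not yet expired. Keep the result inside the service worker; the article's
// privacy note applies to redirectChain and matchedPatterns.
function shouldStandDown(result, now = Date.now()) {
  return result.hasAffiliatePattern && !result.isOwnAffiliateLink && now < result.expiresAt;
}

// Constructed chain: network hop, then merchant landing page with the tracking param.
const SAMPLE_CHAIN = [
  "https://www.dpbolvw.net/click-123-456",
  "https://shop.example/?cjevent=abc",
];
```

Two details matter in practice: the hostname test refuses a bare suffix match, so a lookalike host cannot impersonate a network domain, and a rule that sets no keys never matches, so a malformed policy entry cannot silently stand the extension down on every site. With the sample chain and policy, the first hop matches the dpbolvw.net domain rule and the pattern rule, the landing page matches the cjevent parameter rule, and expiresAt lands 30 minutes after detectedAt.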

Security risks in policy patterns

The repository includes a specific warning about regular expression patterns in policies. According to the documentation, patterns with nested quantifiers - for example (a+)+ or (x+x+)+y - can cause catastrophic backtracking that hangs the service worker indefinitely. Developers are instructed to use bounded quantifiers and avoid nested repetition. This is a meaningful risk: a policy author who supplies a poorly written pattern could disable the extension's background thread.
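One way to act on that warning at policy-load time, as an added example that is not part of the SDK: a single-pass lint that flags a quantified group which already contains a repetition (the (a+)+ and (x+x+)+y shapes), reports unbounded quantifiers, and refuses patterns that do not compile. The heuristic, the 512-character cap and the decision to tolerate unbounded quantifiers while rejecting nested ones are choices made here, not behaviour documented by the repository.

```javascript
// Added example, not SDK code: a conservative pre-flight lint for
// PolicyRule.pattern strings, run before a policy is accepted at construction.
// The nesting heuristic is an assumption made here and is deliberately
// over-cautious; it would rather reject a safe pattern than admit one that
// can hang the service worker.

const MAX_PATTERN_LENGTH = 512; // assumed cap; very long patterns are a smell in policy data

// If a quantifier starts at src[i], return its length and whether it is
// unbounded; otherwise null. "?" is not treated as repetition.
function quantifierAt(src, i) {
  const c = src[i];
  if (c === "+" || c === "*") return { length: 1, unbounded: true };
  if (c === "{") {
    const m = /^\{(\d+)(,(\d*))?\}/.exec(src.slice(i));
    if (m) return { length: m[0].length, unbounded: m[2] !== undefined && m[3] === "" };
  }
  return null;
}

// Walks the pattern once, tracking for each open group whether it already
// contains a repetition. A repetition applied to such a group is the
// (a+)+ / (x+x+)+y shape the article warns about.
function lintPattern(source) {
  const issues = [];
  if (source.length > MAX_PATTERN_LENGTH) issues.push({ kind: "too-long", index: 0 });
  try { new RegExp(source); } catch (e) { issues.push({ kind: "invalid", index: 0 }); }
  const stack = [];
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === "\\") { i += 2; continue; } // escaped char such as \d or \+
    if (c === "[") { // character class: quantifier characters inside are literals
      let j = i + 1;
      if (source[j] === "^") j++;
      if (source[j] === "]") j++;
      while (j < source.length && source[j] !== "]") { if (source[j] === "\\") j++; j++; }
      i = j + 1;
      continue;
    }
    if (c === "(") { stack.push({ hasRepetition: false, start: i }); i++; continue; }
    if (c === ")") {
      const group = stack.pop();
      if (group) {
        if (group.hasRepetition && quantifierAt(source, i + 1)) {
          issues.push({ kind: "nested-repetition", index: group.start });
        }
        // an inner repetition also counts for the enclosing group
        if (group.hasRepetition && stack.length) stack[stack.length - 1].hasRepetition = true;
      }
      i++;
      continue;
    }
    const q = quantifierAt(source, i);
    if (q) {
      if (q.unbounded) issues.push({ kind: "unbounded-quantifier", index: i });
      if (stack.length) stack[stack.length - 1].hasRepetition = true;
      i += q.length;
      continue;
    }
    i++;
  }
  if (stack.length) issues.push({ kind: "unbalanced-group", index: stack[0].start });
  // Unbounded quantifiers are reported but tolerated; everything else rejects the pattern.
  const ok = !issues.some((x) => x.kind !== "unbounded-quantifier");
  return { ok, issues };
}

// Returns the pattern sources in a policy that fail the lint, so the
// integrator can refuse the policy and log which rule was at fault.
function rejectedPatterns(policy) {
  return policy.rules
    .filter((r) => typeof r.pattern === "string")
    .map((r) => r.pattern)
    .filter((p) => !lintPattern(p).ok);
}
```

The lint never executes the suspect pattern against input, so it cannot itself be used to stall the worker; an integrator runs rejectedPatterns over each policy before passing config.policies and drops anything it reports. A pattern such as ^https://[^/]{1,253}/click-\d{1,12}-\d{1,12} passes cleanly, [^/]+ passes with an unbounded-quantifier warning, and (a+)+ or ((a+)b)+ is rejected.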

The documentation also prohibits server-side stand-down decisions. This mirrors a requirement in the affiliate Code of Conduct authored by James Little and Ben Edelman - a draft document published for public comment - which states explicitly that the entirety of stand-down logic must be implemented within the browser extension, client-side. Server-side calls for stand-down determination are "strictly prohibited" under the Code.

The Code of Conduct backstory

The SDK's publication is directly connected to broader standard-setting activity in the affiliate marketing industry. Little and Edelman published a draft Code of Conduct for Affiliates Using Browser Extensions and Other Client Software - described as Draft v0.1 - open for public comment. According to the Code's preamble, its key objectives include protecting genuine user intent, preventing unfair interference with tracking and payment, standardising rules across networks, and improving transparency, auditability, and trust.

The Code sets out detailed stand-down requirements. According to the draft, when another affiliate has referred a user to a given advertiser within the same session, participating software "must stand down for that advertiser." During stand-down, software must not present affiliate links, refresh cookies, perform background tracking, or display marketing prompts. It must "appear and behave identically to its behavior on sites where no affiliate benefits are available."

The Code also specifies session duration rules. Stand-down under the preferred method ends after 60 consecutive minutes of no foreground user interaction within the browser profile. If inactivity detection is not implemented, the fallback is 90 minutes from the most recent affiliate referral. The session survives browser restarts, sleep, standby, and tab discard.

One of the most consequential provisions concerns server-side logic. The Code states: "It is a violation for a client to obtain a stand-down decision by checking with a server." This directly addresses behaviour documented in the Honey investigation, where researchers found that Honey's stand-down rules were stored on cloud servers accessible through a specific URL that refreshed every hour, allowing developers to modify behaviour across millions of users without extension updates.

The Code also addresses testing transparency: "Participating software must not take any action designed to conceal its behavior from testers." This, again, maps precisely onto what investigators documented about Honey's selective stand-down system, which allegedly analysed user signals - including affiliate network login cookies, account age, and email addresses containing the word "test" - to determine whether a given user was likely a compliance tester and modify behaviour accordingly.

The audit log feature

The SDK includes an optional audit log that records affiliate detections to chrome.storage.local. According to the documentation, entries survive service worker restarts and expire according to each network's configured sessionDuration. The log is enabled by passing enableAuditLog: true at SDK construction. Because the async factory method StanddownSDK.create() hydrates in-memory state from storage before returning, queries are accurate immediately after a restart without a cold-start gap. Two query methods are available: getEventLog() returns all active (non-expired) detections across every domain, and getEventsByDomain(input) returns active entries for a given URL or bare hostname, normalised to root domain.

What the reinstatement means

The return of Honey to Rakuten Advertising, enabled by implementation of this SDK, raises questions that go beyond technical compliance. Edelman's public comment drew attention to an accountability gap: the SDK enforces rules going forward, but it does not address commissions already diverted, investigations already conducted at industry expense, or the erosion of trust in affiliate marketing as a channel.

The affiliate marketing industry spent months absorbing the consequences of Honey's alleged practices. Content creators filed a class action lawsuit on December 29, 2024, seeking damages exceeding $5 million. PayPal failed in November 2025 to compel arbitration, and a second amended complaint filed on January 5, 2026 included specific merchant contract terms and 101 pages of detailed evidence. That litigation remains ongoing.

For marketers and affiliate managers, the SDK's existence does represent a concrete change. For the first time, a major affiliate network has published a machine-readable, open-source tool that any browser extension developer can integrate to automate stand-down decisions. If other networks publish comparable policy definitions in the format the SDK expects, the infrastructure for cross-network stand-down compliance begins to exist at a technical rather than merely contractual level.

Whether networks and publishers adopt the standard in practice, and how quickly, remains to be seen. The Code of Conduct itself remains a draft, open for public comment. The SDK carries no default policies. And the governance question Edelman raised on LinkedIn - what happens to publishers who violated rules and then simply implement the fix - is not answered by the technical release alone.

Timeline

  • December 22, 2024 - MegaLag publishes investigation into Honey's alleged affiliate commission diversion practices. PPC Land coverage
  • December 29, 2024 - Content creators file class action lawsuit in the Northern District of California seeking damages exceeding $5 million. PPC Land coverage
  • July 2025 - Honey's Chrome user count falls to 14 million, down from over 20 million before the December 2024 investigation. PPC Land coverage
  • November 7, 2025 - US District Court denies PayPal's motion to compel arbitration, allowing the case to proceed in federal court. PPC Land coverage
  • December 30, 2025 - Researchers publish investigation into Honey's alleged selective stand-down system and tester-detection architecture. PPC Land coverage
  • January 5, 2026 - Content creators file a second amended 101-page complaint including specific merchant contract terms. PPC Land coverage
  • January 12, 2026 - Rakuten Advertising terminates Honey from its network, severing access to approximately 2,000 retail merchants. PPC Land coverage
  • January 16, 2026 - Impact.com suspends Honey, citing stand-down violations and concealment from testers. PPC Land coverage
  • January 21, 2026 - Awin Group confirms Honey violated publisher policies following a formal investigation, suspends payments and access to new advertiser programs. PPC Land coverage
  • Early May 2026 - James Little and Ben Edelman publish Draft v0.1 of the Code of Conduct for Affiliates Using Browser Extensions and Other Client Software, open for public comment.
  • May 6, 2026 - Rakuten Rewards publishes the @rakuten-rewards/standdown-sdk TypeScript package on GitHub. Honey implements the SDK and returns to Rakuten Advertising.

Summary

Who: Rakuten Rewards, with involvement from James Little (Group Commercial Director at TopCashback), Ben Edelman (economist and co-author of the affiliate Code of Conduct), and PayPal's Honey browser extension.

What: Rakuten Rewards published an open-source TypeScript SDK on GitHub that enables browser extensions to detect prior affiliate referrals and stand down automatically. Honey implemented the SDK and was reinstated to Rakuten Advertising. Ben Edelman publicly questioned whether reinstatement without a financial penalty was appropriate given the scale of alleged prior violations.

When: The SDK was published and Honey's reinstatement announced on May 6, 2026, following months of network terminations and legal proceedings that began in December 2024.

Where: The SDK is published on GitHub at https://github.com/rakutenrewards/PublisherStandown-SDK and is available via npm as @rakuten-rewards/standdown-sdk. The affiliated Code of Conduct is published at affiliatesoftware.coc for public comment. Legal proceedings are ongoing in the United States District Court for the Northern District of California.

Why: The Honey controversy exposed systematic failures in how affiliate browser extensions respected stand-down obligations - the industry norm requiring an extension to cease affiliate activity when another publisher already owns the session. The SDK is Rakuten's technical response, giving any extension developer a standardised, auditable, client-side tool to implement stand-down detection without relying on server-side logic that could be modified invisibly.
