Honey Is Back on Rakuten the Same Day Rakuten Shipped an SDK to Police It
Rakuten Rewards published an open-source TypeScript SDK on GitHub in May 2026 that lets browser extensions detect prior affiliate referrals and stand down before claiming commission. The same day, PayPal's Honey was confirmed back live on Rakuten Advertising's network, four months after a January 12 termination over alleged stand-down violations. The technical fix is real. The accountability question, per economist Ben Edelman, is not.
What the SDK is, in concrete terms
The package is called @rakuten-rewards/standdown-sdk. It is open-source under MIT, lives at github.com/rakutenrewards/PublisherStandown-SDK, and weighs roughly 6 kilobytes gzipped. The build is dual ESM and CommonJS with zero runtime dependencies and ships TypeScript declarations. It targets Manifest V3, which means Chrome and Edge primarily, with Firefox and Safari 16.4+ also supported.
The single function that matters is checkForAffiliatePatterns(tabId). You wire it into a webNavigation.onCompleted listener, and when the navigation settles, the SDK inspects the full redirect chain for the tab. If a prior publisher's affiliate hop is in that chain, it returns hasAffiliatePattern: true with the matched patterns, the redirect chain itself, and an expiry timestamp derived from the network's session duration. Your extension reads that and stands down. No commission claim. No cookie refresh. No buttons highlighted.
The required Manifest V3 permissions are webNavigation, webRequest with host permissions across all URLs, and tabs. Storage is optional but required if you want the audit log feature, which writes detection events to chrome.storage.local and survives service worker restarts. The async StanddownSDK.create() factory hydrates from storage before returning, so you don't get a cold-start gap after a browser restart, which matters if your stand-down policy is enforced from the moment the user opens the browser.
The same-day timing is the real story
James Little, Group Commercial Director at TopCashback, posted to LinkedIn that Honey had implemented the SDK and was back on Rakuten Advertising. Edelman replied on the same thread that if he were Rakuten, he would "be expecting Honey to pay a substantial monetary penalty for the trouble they caused, the expense and distraction of investigation, and the overall loss of confidence in affiliate marketing." He then asked whether Honey "should simply get to implement the SDK and then be back to normal as if they had not committed a massive violation of applicable rules."
The reinstatement is a meaningful business fact. Rakuten's January 12, 2026 termination cut Honey out of approximately 2,000 retail merchants. Impact.com followed on January 16, citing stand-down violations and concealment from testers. Awin confirmed its own investigation and suspended Honey on January 21. By July 2025, Honey's Chrome installs had already dropped from over 20 million to 14 million. Re-entry to Rakuten's network is the first network-level reversal since the December 2024 MegaLag investigation broke the original story, and the larger affiliate-network consolidation we covered when Impact.com absorbed Rakuten's affiliate stack earlier this year is part of why the same SDK pattern can spread quickly across networks now.
What the reinstatement doesn't address is the litigation. Content creators filed in the Northern District of California on December 29, 2024, seeking damages over $5 million. PayPal failed to compel arbitration in November 2025. A second amended complaint, 101 pages with specific merchant contract terms, was filed January 5, 2026. That case is still ongoing. Edelman's point is that the SDK closes the technical chapter and leaves the financial one wide open.
Zero default policies is a deliberate, awkward choice
The most consequential design call in the SDK is the policy model. It ships with no default affiliate network patterns. Every integrator has to supply them at construction time via config.policies. Each NetworkPolicy carries an id, a schema version currently at 2, a policy version integer, and an array of rules that match on domain, paths, params, or a regex pattern.
The docs include a worked example for Commission Junction: three domain rules (dpbolvw.net, anrdoezrs.net, jdoqocy.com), a parameter rule for cjevent, and a 30-minute session duration. That's it. Awin, Impact and ShareASale have no default rules in the repo at the time of writing.
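As an added illustration (not code from the SDK or from Rakuten), the sketch below evaluates a redirect chain against the Commission Junction rules listed above and returns a result shaped like the one described earlier. The type and field names (Rule, kind, value, sessionMinutes, checkChain) are assumptions, the regex rule kind is left out, and the sample chains are constructed.

```typescript
// Added illustration. Type and field names are assumptions, not the SDK's schema.
type Rule = { kind: "domain" | "param" | "path"; value: string };
type NetworkPolicy = { id: string; schemaVersion: number; policyVersion: number;
  sessionMinutes: number; rules: Rule[] };
type Result = { hasAffiliatePattern: boolean; matchedPatterns: string[]; expiresAt: number | null };

// Commission Junction rules as the article lists them.
const cjPolicy: NetworkPolicy = { id: "cj", schemaVersion: 2, policyVersion: 1, sessionMinutes: 30,
  rules: [{ kind: "domain", value: "dpbolvw.net" }, { kind: "domain", value: "anrdoezrs.net" },
    { kind: "domain", value: "jdoqocy.com" }, { kind: "param", value: "cjevent" }] };

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

function ruleMatches(rule: Rule, url: URL): boolean {
  // Exact host or true subdomain; a bare endsWith() would also match "notdpbolvw.net".
  if (rule.kind === "domain") return url.hostname === rule.value || url.hostname.endsWith("." + rule.value);
  if (rule.kind === "param") return url.searchParams.has(rule.value);
  return url.pathname.startsWith(rule.value);
}

function checkChain(chain: string[], policies: NetworkPolicy[], now: number): Result {
  const matched = new Set<string>();
  let expiresAt: number | null = null;
  for (const hop of chain) {
    const url = parseUrl(hop);
    if (url === null) continue; // ignore unparseable hops
    for (const policy of policies) {
      for (const rule of policy.rules) {
        if (!ruleMatches(rule, url)) continue;
        matched.add(policy.id + ":" + rule.kind + ":" + rule.value);
        // Keep the longest session window among the matched networks.
        const until = now + policy.sessionMinutes * 60000;
        expiresAt = expiresAt === null ? until : Math.max(expiresAt, until);
      }
    }
  }
  return { hasAffiliatePattern: matched.size > 0, matchedPatterns: Array.from(matched), expiresAt };
}

// Constructed chains; the example.org / example.com hosts are placeholders.
const priorReferral = ["https://blog.example.org/review",
  "https://www.dpbolvw.net/click-1-2", "https://shop.example.com/item?cjevent=abc123"];
const directVisit = ["https://shop.example.com/item", "https://notdpbolvw.net/x"];
```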
This puts the burden of accuracy on the publisher extension developer rather than on Rakuten. From what I've seen of how affiliate networks behave, that is probably intentional. Rakuten doesn't want to assert what counts as an Awin redirect on Awin's behalf. It also doesn't want liability for the false-negative case where a sloppy pattern lets a stand-down get missed. On paper, that sounds like an upgrade for cross-network governance. In practice it just means the policy file becomes the new place where compliance debt accumulates.
The practical consequence: if you run a publisher extension and you want this to be more than a Rakuten compliance gesture, you need policies for every network you operate against. If networks publish their own policy JSON in the format the SDK expects, cross-network compliance becomes a copy-paste job. If they don't, every extension implements its own. We are not yet at the first state, and there is no public commitment from any network besides Rakuten to get there.
The no-server-side rule is the actual law of the SDK
Buried in the security section of the docs, alongside a warning about catastrophic regex backtracking from nested quantifiers, is a hard prohibition on server-side stand-down decisions. The SDK refuses to hand off the determination to a remote endpoint. All logic must run client-side, inside the extension.
This maps directly onto what investigators documented in Honey's prior architecture, where stand-down rules reportedly lived on cloud servers reachable through a URL refreshed every hour. That made it possible to change behaviour across millions of users without shipping an extension update. It is also exactly what the Edelman/Little Code of Conduct draft v0.1 outlaws explicitly: a client cannot obtain a stand-down decision by checking with a server.
The Code of Conduct is still a draft, open for public comment, with no formal enforcement body. Networks adopt it or they don't. But the SDK, by refusing to make a server call, encodes the rule into shipping software. That is a small but real transition from contract language to engineering constraint, and it is roughly the line where industry self-regulation starts to matter.
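The regex-backtracking warning mentioned in this section can be turned into a pre-load check on policy files. The added example below (not the SDK's own code) lints a policy for the schema version, an integer policy version, and regex rules in which a quantified group contains an unbounded quantifier; the field names and the sample policy are assumptions, and the nested-quantifier test is a heuristic.

```typescript
// Added illustration. Policy field names are assumptions, not the SDK's schema.
type LintRule = { kind: string; value: string };
type LintPolicy = { id: string; schemaVersion: number; policyVersion: number; rules: LintRule[] };

// True when a quantified group itself contains an unbounded quantifier,
// e.g. (a+)+ or (\w+\s?)*, the shape that causes catastrophic backtracking.
function hasNestedQuantifier(pattern: string): boolean {
  const open: boolean[] = []; // per open group: has an unbounded quantifier inside
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") { i++; continue; } // skip the escaped character
    if (inClass) { if (ch === "]") inClass = false; continue; }
    if (ch === "[") { inClass = true; continue; }
    if (ch === "(") { open.push(false); continue; }
    if (ch === ")") {
      const inner = open.pop() ?? false;
      if (inner && /^(\*|\+|\{\d+,\})/.test(pattern.slice(i + 1))) return true;
      if (inner && open.length > 0) open[open.length - 1] = true; // propagate outward
      continue;
    }
    const unbounded = ch === "*" || ch === "+" || /^\{\d+,\}/.test(pattern.slice(i));
    if (unbounded && open.length > 0) open[open.length - 1] = true;
  }
  return false;
}

function lintPolicy(p: LintPolicy): string[] {
  const problems: string[] = [];
  if (p.schemaVersion !== 2) problems.push(p.id + ": unsupported schema version");
  if (!Number.isInteger(p.policyVersion)) problems.push(p.id + ": policy version must be an integer");
  for (const r of p.rules) {
    if (r.kind !== "regex") continue;
    try { new RegExp(r.value); } catch { problems.push(p.id + ": invalid regex " + r.value); continue; }
    if (hasNestedQuantifier(r.value)) problems.push(p.id + ": nested quantifier in " + r.value);
  }
  return problems;
}

// Constructed sample policy; "example-net" and both patterns are made up.
const samplePolicy: LintPolicy = { id: "example-net", schemaVersion: 2, policyVersion: 3,
  rules: [{ kind: "regex", value: "^/click-\\d+$" },
    { kind: "regex", value: "^(/[a-z]+)+/track$" }] };
```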
What this changes for publisher operators
If you run an affiliate publisher extension, the to-do list is short and concrete. Pull the repo. Build a NetworkPolicy file for every network you operate against, starting with whichever sends the most reversed commissions. Wire checkForAffiliatePatterns into webNavigation.onCompleted. Decide whether to enable the audit log; if you ever need to defend your stand-down behaviour to a network, the honest answer is yes, and the storage cost is trivial.
If you're a merchant, ask the networks you work with whether they intend to publish policy definitions in the SDK's format. If your network can't or won't, that probably tells you something about how seriously they take the auditability standard the Code of Conduct is trying to set. It is worth asking on your next quarterly review and worth getting an answer in writing.
If you're a marketer running affiliate as a channel, the practical change is mostly about trust. The most common publisher complaint of the last decade has been some version of "I drove the click and someone else stole the cookie." That argument is now harder to win without engineering evidence on either side. It is also harder to lose, because the SDK gives you a verifiable way to show you stood down when you should have.
The unresolved part, and Edelman is right to keep asking it, is whether technical compliance forward is the price of forgiveness backward. Rakuten clearly decided it was. The class action plaintiffs are not on that timeline, and PayPal's checkbook is the only thing that closes the gap. From what I've seen, most of the industry quietly hopes the litigation resolves before another extension takes the same shortcut. Hope isn't a roadmap. On the roadmap side, an MIT-licensed 6KB SDK is more than the affiliate space had a week ago.
By Notice Me Senpai Editorial