Init User Engine is a lightweight, no-bloat user system for modern WordPress sites. It's designed for maximum frontend flexibility and gamified user engagement. All dynamic interfaces are rendered via JavaScript with real-time REST API interaction.
No jQuery. Minimal settings. Smart by default.
What you get:
- Display user avatar and dashboard via shortcode
- Show level, EXP, Coin/Cash, and full user wallet
- Let users check-in daily and receive timed rewards
- Auto-track referral registrations with reward system
- Allow users to buy VIP status using in-site currency
- Built-in inbox for notifications (uses custom DB table)
- Custom avatar support with upload & preview modal
- Send custom notifications to selected users or all members from wp-admin
This plugin is the core user system behind the
Init Plugin Suite – optimized for frontend-first interaction, extensibility, and real-time gamification.
GitHub repository:
https://github.com/brokensmile2103/init-user-engine
1.3.7 – October 29, 2025
- Added Redeem Code Module (Gift Code / Voucher System):
- Admin can create redeem codes with 3 usage modes: single use (auto-disabled after first redemption), multi-use with configurable limit, and user-locked mode
- Supports auto-generation of random codes when left blank
- Added optional validity window (Valid from → Valid to) for time-limited campaigns
- Displays usage count as used/max_uses and status badge (Active/Disabled)
- Added Automatic Reward Distribution:
- Adds Coin/Cash to user balance with full transaction logging via
init_plugin_suite_user_engine_log_transaction()
- Sends inbox notification to redeemer confirming awarded rewards
- Integrated with existing balance and transaction systems
- Enhanced Redemption Security:
- Enforced one-time redemption per user even for multi-use codes
- Uses metadata on code record to store user_id, username, display name, and redemption timestamp
- Added database-level concurrency safety using
START TRANSACTION and SELECT ... FOR UPDATE to prevent race conditions
- Users attempting to redeem same code twice receive "You have already used this code" error
- Added REST Endpoint:
POST /redeem-code for logged-in users
- Returns structured response:
{ success, message, coin, cash }
- Automatically disables code when usage limit reached
- Improved Admin UI:
- Integrated with existing user search UI (same as Inbox Tool & Top-Up Tool)
- Supports selecting specific user for locked-code mode through live search
- Maintains consistent layout and interaction patterns
- Database and Compatibility:
- Metadata now stores redeemed users (JSON format)
- ACID-protected redemption operations (atomic + thread-safe)
- Fully backward compatible with existing Coin/Cash/VIP/Inbox systems
- No breaking changes to existing APIs
1.3.6 – October 27, 2025
- Fixed Critical Display Name Sanitization Bug:
- Resolved issue where
update_profile endpoint removed all whitespace from display names (e.g., "Nguyễn Văn A" → "NguyễnVănA")
- Adjusted sanitization to preserve natural spacing while preventing XSS and invalid characters
- Improved Display Name Fallback Logic:
- Enhanced empty-name handling to ensure proper fallback to nickname or username
- Uses stricter validation for better reliability across multilingual inputs
- No database or schema changes. Backward compatible and safe for immediate deployment. Affected endpoint:
init_plugin_suite_user_engine_api_update_profile()
1.3.5 – October 27, 2025
- Refined Submit Button UI (Login + Register):
- Modern, minimal interaction with no glow or shadows
- Subtle hover/active feedback using transform and filter (crisp, non-flashy)
- Preserves theme colors:
var(--iue-theme-color) → var(--iue-theme-active-color) gradient
- Improved
:focus-visible outline for accessibility with zero layout shift
- Affected selectors:
.iue-login-form input[type="submit"], .iue-login-form .login-submit input[type="submit"], .iue-register-form button.iue-submit
- No markup changes required. CSS-only update and backward compatible
1.3.4 – October 23, 2025
- Enhanced Captcha Security System:
- Expanded captcha question bank with 40+ new math and logic-based variations
- Introduced 4 smart captcha modes: symbolic math (
+, −, ×), text-based math (e.g., "What is 5 plus 3?"), general knowledge numerics (e.g., "How many days in a week?"), and contextual variants (e.g., "Double 4 is?", "Give the next even number after 7")
- Added internal hook
init_user_engine_captcha_bank to allow external extensions to register new captcha questions
- Localized all captcha questions and added full translator context for
% placeholders
- Ensured all captcha answers are numeric-only for maximum bot resistance
- Added Disable Captcha setting:
- Allows disabling all captcha validations (including Turnstile) for testing environments
- Includes strong "DANGER" warning and contextual description to prevent misuse
- Automatically bypasses both frontend and backend captcha logic when enabled
- Added Disable New Registrations feature:
- Completely blocks new user registrations across both REST API and WordPress forms
- Integrates with registration endpoint for immediate early return
- Prevents rendering of registration form on login/register templates when active
- Designed for maintenance or private-access environments
- Improved Multi-Layer Bot Protection with combined honeypot, custom captcha, and Cloudflare Turnstile verification. Added global registration lockout switch and enhanced IP-based rate limiting
1.3.3 – October 23, 2025
- Enhanced Admin Notification Tool:
- Fully synchronized recipient selection UI and backend logic with the Top-up Tool
- Added unified recipient options: selected users (manual input with live search), active VIPs (fetched via
init_plugin_suite_user_engine_get_active_vip_users( 'ids' )), and all members (retrieved using get_users( [ 'fields' => 'ID' ] ))
- Replaced old "Send to all" checkbox with radio-based recipient selection for consistency
- Integrated automatic user resolution for VIP group using same helper function as Top-up
- Added bulk message delivery with chunked sending through
init_user_engine_inbox_bulk_chunk_size filter (default: 500)
- Retains full compatibility with existing inbox delivery logic, meta, and hooks
- Improved Admin UI Consistency:
- Recipient selection block now mirrors the Top-up Tool layout and markup
- "Select Users" interface unified for both tools (search, display, hidden ID handling)
- Maintains identical sanitization, nonce verification, and capability checks
- No functional or database schema changes. Fully backward compatible with all prior notification and VIP systems
1.3.2 – October 18, 2025
- Added Avatar Upload Permission System:
- Introduced new helper function
init_plugin_suite_user_engine_can_upload_avatar( $user_id ) for unified permission checking
- Supports multi-layer policy: global disable (
disable_all), VIP-only mode (vip_only) using init_plugin_suite_user_engine_is_vip(), and per-user ban via iue_avatar_ban user meta
- Fully integrated into REST endpoints
upload_avatar and remove_avatar for backend-level enforcement
- Automatically blocks upload and deletion attempts from banned or non-VIP users according to policy
- Enhanced Admin User Metabox:
- Added "Ban Avatar Upload" / "Unban Avatar Upload" button next to "Remove VIP"
- Toggles the
iue_avatar_ban meta instantly via secure admin-post action
- Includes full nonce verification, capability checks, redirect notices, and audit hook
init_plugin_suite_user_engine_avatar_ban_toggled
- Displays current avatar permission state ("Allowed" / "BANNED") beside the button
- Improved Security and Consistency:
- Backend guards prevent unauthorized file handling even if frontend modified
- Added HTTP 403 and 423 codes for forbidden or locked states to ensure clear API responses
- Unified
wp_die() and WP_Error patterns across user-related endpoints
1.3.1 – October 17, 2025
- Enhanced Admin Top-up Tool:
- Replaced old checkboxes with radio buttons for selecting recipients (Selected users / Active VIPs / All members)
- Added automatic log display under the form showing up to 100 recent top-up entries
- Logs include amount, type, recipient info (linked to user profile when applicable), and timestamp
- Improved layout spacing and usability for cleaner admin experience
- Added Persistent Top-up Log System:
- Introduced helper functions
init_plugin_suite_user_engine_add_topup_log() and init_plugin_suite_user_engine_get_topup_logs()
- Standardized log entry format:
quantity|type(coin|cash)|target(VIP|ALL|uid:{id}|user:{count})|time
- Automatically trims to the latest 100 entries
- Stored via
update_option() with autoload disabled
- Improved User Display in Logs:
- User targets now show as clickable links to admin profile pages
- Fallback added for deleted or invalid users
- VIP, ALL, and multi-user targets show readable labels
- Backward Compatibility:
- Compatible with legacy
iue_send_all and iue_send_vip fields
- No database or API changes
- Existing balance, inbox, and transaction logic remain unchanged
1.3.0 – October 12, 2025
- Added Coin Exchange system:
- Users can now convert Cash → Coin with a configurable rate
- Added real-time conversion preview, validation, and rate display
- Includes optional min/max limits via filters for full customization
- Fully integrated with transaction log and dark mode UI
- Improved profile update reliability:
- Added smart fallback for empty or invalid display names → automatically uses nickname or username
- Prevented saving blank or whitespace-only display names after sanitization
- Ensured consistent and safe user display names across all update scenarios
- No database or API changes. Fully backward compatible
1.2.9 – October 10, 2025
- Upgraded multi-user inbox sender to use bulk insert for massive scalability
- Converts thousands of single inserts into optimized batched queries
- Handles large user arrays efficiently with automatic chunking for stability
- Simplified inbox table creation for new installations (no index changes applied)
- Significantly improved performance when sending inbox messages to large user bases (e.g., 10,000+ users)
- Refactored Admin Tools:
- Notification Tool now uses the new bulk inbox sender for instant multi-user delivery
- Top-up Tool updated to integrate with the new inbox system while keeping balance and log logic fully intact
- Fully backward compatible, no database schema or API changes
1.2.8 – October 10, 2025
- Added
autocomplete="off" to all password fields in the settings page to prevent browsers from auto-saving or suggesting stored passwords
- Minor UI consistency adjustments in settings forms
- No functional or database changes
1.2.7 – October 8, 2025
- Added Inbox Cleanup Tool directly in the Inbox Statistics admin page:
- Introduced new “Cleanup Inbox by Type” block under the Refresh Data section
- Allows administrators to permanently delete all inbox messages of a selected
type
- Automatically lists all existing message types for quick selection
- Includes nonce verification, capability checks, and confirmation prompt for safety
- Displays success or error notice with deleted message count after operation
- Enhanced date range filter security:
- Added nonce field and verification for the “Date Range” dropdown form
- Removed WPCS
NonceVerification.Recommended warnings on GET processing
- Improved overall PHPCS compliance for the statistics module:
- Explicitly documented safe cases for display-only notices
- Limited PHPCS ignores to justified database queries only
- Fully backward compatible with existing inbox data and analytics logic
- No database schema changes or new dependencies introduced
1.2.6 – October 5, 2025
- Enhanced Admin User Metabox for better visibility of user activity and communication:
- Added Recent Transactions section under VIP Details showing up to 100 latest Coin/Cash logs with type, amount, source, and timestamp
- Added Recent Inbox section under Inbox (User) listing up to 100 latest messages with type, status, title, and time
- Both sections feature compact scrollable layouts with limited height for clean, admin-friendly viewing
- Fully backward compatible:
- No database or meta structure changes
- Automatically uses existing transaction and inbox data
- Lightweight rendering ensures stable performance even with large user histories
1.2.5 – October 4, 2025
- Refined dashboard menu CSS for better scalability with multiple grouped items:
- Added
.multi-menu style to support grouped links (e.g., Sticker Store, Frame Store, Effects)
- Adjusted padding, spacing, and hover states to keep grouped items compact but consistent with main menu
- Improved dark mode support for multi-menu background/hover states
- Optimized avatar frame overlay CSS:
- Prevented hover scaling on frame elements while keeping core avatar hover intact
- Ensured frame overlay maintains alignment across various container contexts
- Minor visual polish:
- Standardized border-radius and spacing for consistency across badges, dots, and menu links
- Unified hover background opacity values in both light and dark modes
1.2.4 – October 4, 2025
- Added full integration with Cloudflare Turnstile for spam-proof registration:
- Admin settings now support entering Turnstile Site Key and Secret Key
- If both keys are set, registration form automatically shows Turnstile widget instead of legacy math captcha
- Fallback to legacy captcha only when Turnstile keys are missing
- If CAPTCHA is disabled entirely, registration form shows no challenge at all
- Updated registration endpoint (
/register) to:
- Verify Turnstile tokens server-side with Cloudflare API
- Gracefully fallback to math captcha validation if Turnstile is not configured
- Return structured WP_Error codes:
turnstile_required, turnstile_invalid, captcha_wrong, etc.
- Retain honeypot detection and IP-based rate limiting (max 5 attempts/hour)
- Enhanced
guest.js:
- Unified client-side flow for both Turnstile and legacy captcha
- Implemented late initialization (Turnstile widget loads only when Register tab is shown) to reduce page weight
- Reset Turnstile widget after each failed or successful attempt to avoid stale tokens
- Clear, translated error messages for Turnstile failures (expired, timeout, missing token, etc.)
- Security hardened:
- Prevented bypass when captcha/Turnstile token missing
- Verified tokens are one-time-use per attempt
- Ensured consistent block on invalid, expired, or reused tokens
1.2.3 – October 3, 2025
- Refactored all EXP + Coin award logic to use unified, extensible filters:
init_plugin_suite_user_engine_publish_post_rewards
init_plugin_suite_user_engine_user_register_rewards
init_plugin_suite_user_engine_update_profile_rewards
init_plugin_suite_user_engine_daily_login_rewards
init_plugin_suite_user_engine_woo_order_rewards
- Each filter now returns both
exp and coin values in a single array for easier customization
- Preserved default reward amounts (e.g. 20 EXP + 5 Coin for publish, 50 EXP + 20 Coin for register, etc.)
- Added support for WooCommerce dynamic rewards calculation based on order total, with filter override
- Ensured backward compatibility with existing
init_plugin_suite_user_engine_add_exp and init_plugin_suite_user_engine_add_coin actions
- Updated inbox notification content strings to use filtered values dynamically
- All new filters fully localized and translation-ready with proper
translators: comments
- Synced Daily Tasks REST API with plugin settings:
checkin_coin setting now drives "Check in today" reward
online_coin setting now drives "Stay active today" reward
- Prevented hardcoded reward mismatch between API output and actual check-in/claim logic
1.2.2 – October 3, 2025
- Added new Comment Reward options in plugin settings:
- EXP per comment (default 10)
- Coin per comment (default 2)
- Daily comment cap (default 0 = unlimited, reset anchored to daily check-in)
- Implemented counter reset tied to
iue_checkin_last meta to ensure daily limits reset only after user check-in
- Prevented reward farming by enforcing strict per-day cap logic
- Localized all new strings with msgid/msgstr entries for full translation support
- Preserved backward compatibility with existing EXP and Coin award actions
1.2.1 – September 28, 2025
- Refactored avatar override to hook into
pre_get_avatar_data with very high priority, ensuring IUE avatar takes precedence over third-party filters such as Nextend Social Login
- Retained lightweight
get_avatar_url shim for backward compatibility with direct URL calls
- Added safe fallbacks: defer to WordPress/Nextend when no IUE avatar is present; if Gravatar is disabled, serve bundled SVG as default
- Improved cache behavior so avatar changes propagate more consistently with CDN/page cache purges
- Fixed WPCS issues in
admin_post_iue_remove_vip:
- Properly unslashed and sanitized all
$_GET inputs before verification
- Strengthened nonce handling with a dedicated notice nonce for admin notices
- Escaped all dynamic output at the point of rendering to resolve
OutputNotEscaped errors
- Sanitized query arguments on redirects; left targeted PHPCS ignores only for raw SQL queries with clear justification
- No breaking changes: all actions, filters, and helper functions remain unchanged for seamless drop-in update
1.2.0 – September 28, 2025
- Added ability to revoke VIP membership directly from the Admin User Metabox
- Implemented automatic inbox notification to inform users when their VIP status is removed
- Ensured safe validation to guarantee VIP is removed from the correct user only
- Added new option in plugin settings to completely disable CAPTCHA on registration
- Updated registration form JS to auto-detect and skip CAPTCHA field when disabled
- Enhanced REST API
/register to conditionally bypass CAPTCHA validation based on settings
- Expanded CAPTCHA trivia pool with fresh, unambiguous fact-based questions (e.g., sides of a square, letters in the English alphabet, spider legs, etc.)
- Fully localized all new CAPTCHA questions with ready-made msgid/msgstr entries
- Improved validation and UI consistency by showing clearer error messages and reset flow
- Ensured no debatable or ambiguous questions remain in the trivia pool for maximum reliability
1.1.9 – September 17, 2025
- Added extensible filter to inject custom KPIs after Cash in the Admin User metabox
- Introduced helper function to normalize extra KPI items and ensure safe output
- Provided theme example to display "Power Stone" metric with i18n and WPCS compliance
1.1.8 – September 17, 2025
- Added admin user metabox on profile/edit screens showing wallet, EXP, VIP, and inbox statistics
- Displayed Coin, Cash, Level, and EXP progress with dynamic progress bar
- Integrated VIP information including total purchases, expiry date, lifetime detection, and Coin spent
- Implemented inbox quick stats with total, unread, last 7 days, and last message timestamp
- Linked inbox statistics directly to full analytics page for quick navigation
- Included helper functions with safe fallbacks for Coin, Cash, VIP, and inbox stats to ensure robustness
- Fixed missing version parameter in
wp_register_style() to comply with WordPress coding standards
- Enhanced inline admin CSS with proper versioning using
INIT_PLUGIN_SUITE_IUE_VERSION
1.1.7 – August 30, 2025
- Refactored Admin Top-up tool to support both addition (positive) and deduction (negative) amounts
- Bypassed VIP/bonus multipliers during manual top-ups to ensure exact applied value
- Implemented raw balance adjustments with automatic clamping to prevent negative wallet values
- Updated inbox notifications to reflect both top-up and deduction actions consistently
- Enhanced transaction logging with accurate applied amounts and proper change type (add/deduct)
- Added
translators: comments for all sprintf() translation strings in Top-up tool to meet WPCS i18n standards
- Improved admin UI with description note: positive values add funds, negative values deduct funds
1.1.6 – August 23, 2025
- Enhanced database initialization system with admin_init hook for improved reliability
- Added administrator privilege verification to ensure secure table creation and maintenance
- Implemented comprehensive table existence checking to prevent database inconsistencies
- Improved multisite compatibility with automatic table creation for new blog instances
- Added PHPCS compliance annotations to suppress unnecessary warnings for database operations
- Strengthened plugin activation process with fail-safe table creation mechanisms
1.1.5 – August 22, 2025
- Fixed timezone consistency issues in transient cleanup cron scheduler
- Corrected inbox statistics queries to properly handle WordPress timezone settings
- Enhanced date range filtering accuracy for inbox analytics and daily activity charts
- Improved scheduled cleanup reliability by using WordPress timezone-aware functions
- Fixed statistical calculations that were affected by UTC vs local time discrepancies
- Updated cron frequency from hourly to twice-daily for optimal performance balance
1.1.4 – August 22, 2025
- Optimized captcha loading system with lazy initialization to reduce unnecessary API calls
- Implemented smart captcha management that only loads when users access the registration form
- Fixed memory leaks in JavaScript interval handlers with proper cleanup on modal close
- Enhanced registration flow by preserving captcha on successful submissions instead of unnecessary reloads
- Improved performance by eliminating background captcha generation for inactive registration forms
- Reduced server load and database transient accumulation through intelligent captcha lifecycle management
1.1.3 – August 22, 2025
- Added automated hourly cleanup system for expired transient data
- Implemented scheduled cron job to remove outdated captcha and rate limiting transients
- Enhanced database performance by preventing transient accumulation and orphaned records
- Improved system stability through regular cleanup of temporary data without manual intervention
- Added proper cleanup on plugin deactivation to maintain database integrity
- Optimized memory usage by eliminating stale transient entries that could impact site performance
1.1.2 – August 19, 2025
- Added automated weekly cleanup system for orphaned inbox messages
- Implemented silent background maintenance to remove inbox entries from deleted user accounts
- Enhanced database integrity by automatically clearing orphaned data without logging or notifications
- Improved system performance through regular cleanup of stale inbox records
1.1.1 – August 18, 2025
- Added full Inbox Statistics admin page with detailed analytics and charts
- Implemented date range filter (7d, 30d, 90d, all-time) for customizable reporting
- Built overview grid showing total, unread, daily, and recipient counts
- Introduced advanced breakdowns: message types, priority levels, and engagement analytics
- Added daily activity chart, top recipients leaderboard, and recent activity summary
- Implemented refresh button with last updated timestamp for real-time insights
- Added simplified dashboard widget showing key inbox metrics with quick action links
1.1.0 – August 14, 2025
- Reorganized and consolidated all CSS files into a single minified stylesheet for improved performance
- Combined all JavaScript files into one unified script file to reduce HTTP requests
- Optimized asset loading by eliminating multiple file dependencies
- Improved page load times through streamlined resource management
- Enhanced maintainability with centralized CSS and JS architecture
- Reduced bandwidth usage and improved caching efficiency for better user experience
1.0.9 – August 3, 2025
- Added extensible filter system to
init_plugin_suite_user_engine_format_log_message() function
- Introduced
init_user_engine_format_log_message filter hook for customizing transaction log messages
- Enhanced log message formatting with access to full entry data, source, type, and amount parameters
- Improved code maintainability by allowing themes and plugins to extend log message display
1.0.8 – July 31, 2025
- Completely rewrote check-in countdown logic to only count when tab is active
- Changed from timestamp-based calculation to real-time remaining seconds storage
- Fixed critical bug where countdown continued running in background when tab was hidden
- Added proper tab visibility detection to pause/resume countdown accurately
- Implemented daily reset mechanism that clears old countdown data on new day
- Fixed auto-reward claiming issue that occurred after long periods of inactivity
- Added proper state persistence when switching tabs or closing browser
- Countdown now properly resumes from exact remaining time when returning to tab
- Improved localStorage management with separate keys for remaining time and date tracking
- Enhanced countdown reliability by saving state on every second tick
- Fixed memory leaks by properly clearing intervals and event listeners
1.0.7 – July 31, 2025
- Refactored daily check-in JavaScript: clearer logic, safer countdown handling, and accurate reward claiming
- Removed redundant
localStorage key (REMAINING_KEY), simplified timing logic using only startTime
- Fixed countdown bug when tab visibility changes by pausing updates and preventing memory leaks
- Handled auto-claim reward when returning after countdown has finished
- Prevented duplicate intervals by clearing previous
setInterval before starting new one
- Fixed bug where disabled check-in button never re-enabled on error
- Rewrote
/daily-tasks REST API to prevent fatal errors caused by invalid log entries
- Replaced unsafe closures in task check callbacks with static callbacks (
__return_true)
- Added fallback and error logging in
call_user_func for task completion checks
- Filtered and validated log entries before accessing offsets to avoid runtime crashes
1.0.6 – July 28, 2025
- Added Daily Task modal with REST API support
- Built daily tasks for check-in, online activity, and other actions based on real user logs
- Rewards now dynamically reflect actual amount and type (Coin/Cash) from transaction data
- Tasks only appear if completed, ensuring a clean and relevant UI
- Supported extensible task system via
init_plugin_suite_user_engine_daily_tasks filter
- Added
translators: comments for all sprintf() translation strings in CAPTCHA module
- Minor refinements to i18n strings for better clarity and consistency
1.0.5 – July 23, 2025
- Emergency fix for PHP 7.4 compatibility (replaced match expressions and array unpacking)
- Standardized all translation strings for full i18n compliance
1.0.4 – July 23, 2025
- Upgraded CAPTCHA system with better validation and answer protection
- Introduced three CAPTCHA modes: math symbols, natural language, and mixed trivia
- Added smart attempt tracking with auto-refresh after too many failures
- Improved token generation using user agent, IP, and timestamp for enhanced uniqueness
- Increased CAPTCHA expiration time to 15 minutes
- Fully localized all new CAPTCHA questions and error messages
1.0.3 – July 22, 2025
- Secured the
/register endpoint against spam and abuse
- Added custom CAPTCHA system with randomized math questions (e.g. "6 + 3", "What is 5 times 2?")
- Implemented honeypot hidden field to block bot-based submissions
- Stored CAPTCHA answer via transient using IP + token with 10-minute expiration
- All CAPTCHA questions are fully translatable using standard i18n functions
- Minor code cleanup and improved form reliability
1.0.2 – July 21, 2025
- Added Edit Profile modal with support for display name, bio, password, social links, website, and gender
- Built REST API endpoints for fetching and updating user profile
- Created Admin Top-up tool for Coin and Cash
- Supports selecting specific users or sending to all members
- Logs transaction and sends inbox notification upon top-up
1.0.1 – July 8, 2025
- Added full registration module for guest users
- Toggle login/register forms with animated UI
- Added password visibility toggle using SVG icons
- Built REST API endpoint
/register for user signup
- Implemented client-side validation with i18n support
- Improved i18n messages for all form interactions
- Automatically updates modal header when switching forms
1.0.0 – June 23, 2025
- Initial release
- Shortcode
[init_user_engine] for frontend avatar + dashboard
- EXP system with level-up bonus and milestone logic
- Coin & Cash wallet with transaction log
- Daily check-in with online timer reward
- REST API for EXP, Coin, inbox, VIP, referral
- Inbox system with pagination and actions
- VIP purchase system via Coin
- Referral system using cookie-based signup tracking
- Avatar module with upload/remove and REST API support