Security
Best practices for securing your FedaPay integration.
Security is critical for any fintech integration. Follow these guidelines to keep your users and your app safe.
API Key storage
Never hardcode your API key directly in your Dart source code. It can be extracted from your compiled app.
Recommended: environment variables via --dart-define
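Pass your key at build time so it is never committed to your repo. The value is still compiled into the app binary, so this keeps the key out of source control but does not stop it being extracted from a shipped build: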
Terminal
```bash
flutter run --dart-define=FEDAPAY_API_KEY=your_key_here
```
Then read it in Dart:
main.dart
```dart
// Compile-time constant; an empty string if the define was not passed.
const apiKey = String.fromEnvironment('FEDAPAY_API_KEY');

FedaFlutter.initialize(
  apiKey: apiKey,
  environment: FedaEnvironment.sandbox,
);
```
Alternative: backend proxy
For maximum security, never expose your API key to the client at all. Instead:
- Your Flutter app calls your own backend
- Your backend calls FedaPay with the secret key
- Your backend returns only the transaction token to the app
This is the recommended approach for production apps.
Sandbox vs Live
| | Sandbox | Live |
|---|---|---|
| Key prefix | sk_sandbox_... | sk_live_... |
| Real money | ❌ | ✅ |
| Use for | Development & testing | Production |
```dart
// Development
FedaFlutter.initialize(
  apiKey: 'sk_sandbox_...',
  environment: FedaEnvironment.sandbox,
);

// Production
FedaFlutter.initialize(
  apiKey: 'sk_live_...',
  environment: FedaEnvironment.live,
);
```
Use Flutter flavors or --dart-define-from-file to switch environments automatically between debug and release builds.
Going live checklist
Before switching to FedaEnvironment.live:
- Tested all payment flows in sandbox
- API key stored securely (not hardcoded)
- Error handling implemented (onPaymentFailed, onPaymentCanceled)
- HTTPS enforced on your backend (if using proxy)
- FedaPay account verified and live mode enabled on your dashboard
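A startup guard that supports the checklist and the key-prefix table above: it rejects a missing key, an unknown prefix, or a key whose prefix does not match the build type. This is an added example, not code from the FedaPay SDK; KeyMode, classifyKey and resolveMode are hypothetical names, and the rule that release builds use live keys and all other builds use sandbox keys is an assumed policy.

```dart
// Added example; KeyMode, classifyKey and resolveMode are hypothetical names,
// not FedaPay SDK API. Error messages never contain the key itself.

/// Local stand-in for the two modes in the table (assumption).
enum KeyMode { sandbox, live }

/// Compile-time value from --dart-define or --dart-define-from-file.
const String kFedaPayKey = String.fromEnvironment('FEDAPAY_API_KEY');

/// True only in release builds (same definition as Flutter's kReleaseMode).
const bool kIsRelease = bool.fromEnvironment('dart.vm.product');

/// Classifies a key by the prefixes listed on this page.
KeyMode classifyKey(String key) {
  if (key.isEmpty) {
    throw StateError('FEDAPAY_API_KEY was not passed at build time');
  }
  if (key.startsWith('sk_live_')) return KeyMode.live;
  if (key.startsWith('sk_sandbox_')) return KeyMode.sandbox;
  throw StateError('FEDAPAY_API_KEY has an unrecognised prefix');
}

/// Returns the mode to initialise with. Assumed policy: release builds must
/// use a live key and every other build a sandbox key.
KeyMode resolveMode(String key, {required bool isRelease}) {
  final mode = classifyKey(key);
  if (isRelease && mode == KeyMode.sandbox) {
    throw StateError('Release build is configured with a sandbox key');
  }
  if (!isRelease && mode == KeyMode.live) {
    throw StateError('Non-release build is configured with a live key');
  }
  return mode;
}

void main() {
  // In the app: resolveMode(kFedaPayKey, isRelease: kIsRelease), then map the
  // result to FedaEnvironment.sandbox or FedaEnvironment.live.
  // Constructed sample keys below, not real credentials.
  print(resolveMode('sk_sandbox_example', isRelease: false));
  print(resolveMode('sk_live_example', isRelease: true));
  for (final bad in ['', 'pk_example', 'sk_live_example']) {
    try {
      resolveMode(bad, isRelease: false);
    } on StateError catch (e) {
      print('rejected: ${e.message}');
    }
  }
}
```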