Security

Security is critical for any fintech integration. Follow these guidelines to keep your users and your app safe.

API Key storage

1. Recommended: Cloud Proxy Mode (applyCloudConfig)

This is the most standard and secure way to use feda_flutter in production. You use a secure intermediary (like ashgateway) to handle requests.

FedaFlutter.applyCloudConfig(
  projectKey: 'your_public_project_key',
  cloudUrl: 'https://ashgateway.com',
);

Your secret key is stored on the server, and the app only knows your public project key.

2. Manual: Token-First Flow

If you want absolute control, your backend can create a transaction and return only the Transaction Token to the mobile app.

PayWidget(
  transactionToken: 'token_from_your_backend',
  onPaymentSuccess: () => print('Success!'),
  onPaymentFailed: () => print('Failed!'),
)

3. Testing: Direct API Mode (applyConfig)

Use this only for prototypes. Secret keys are embedded in the binary and can be extracted.

FedaFlutter.applyConfig(
  apiKey: 'sk_sandbox_...',
  environment: ApiEnvironment.sandbox,
);

Sandbox vs Live

// Development
FedaFlutter.applyConfig(
  apiKey: 'sk_sandbox_...',
  environment: ApiEnvironment.sandbox,
);

// Production
FedaFlutter.applyConfig(
  apiKey: 'sk_live_...',
  environment: ApiEnvironment.live,
);

Going live checklist

Before switching to ApiEnvironment.live:

• Tested all payment flows in sandbox
• API key stored securely (not hardcoded)
• Error handling implemented (onPaymentFailed, onPaymentCanceled)
• HTTPS enforced on your backend (if using proxy)
• FedaPay account verified and live mode enabled on your dashboard