DOCUMENTATION
Security
Best practices for integrating safely.
API Key Safety
- Keep it Secret: Your API Key is a secret credential. Do not commit it to git, and do not expose it in frontend code.
- Environment Variables: Store keys in environment variables (e.g., PAYMENT_GATEWAY_API_KEY) on your server.
- Rotation: If you suspect a key is compromised, revoke it immediately in the Dashboard and generate a new one.
Verification
Do not rely solely on the frontend redirect to fulfill orders. A user could technically navigate to your success URL manually.
Always verify the transaction status by:
- Listening for webhooks (recommended).
- Querying the API for the payment status.
- Checking the transaction hash on-chain (advanced users).
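
The sketch below is an added example, not code from the gateway's SDK. It shows a success-URL handler that treats the redirect as a hint only and fulfills the order after a server-side status check. `fetch_status`, the payment field names and the "confirmed" status value are assumptions standing in for the real API query.

```python
import os
from dataclasses import dataclass
from decimal import Decimal

API_KEY_ENV = "PAYMENT_GATEWAY_API_KEY"  # variable name used on this page


def load_api_key(env=os.environ):
    """Read the key from the server environment instead of hard-coding it."""
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return key


@dataclass
class Order:
    order_id: str
    amount: Decimal
    currency: str
    fulfilled: bool = False


def try_fulfill(order, fetch_status):
    """Fulfill only if the gateway reports a completed payment matching the order.

    fetch_status is a hypothetical stand-in for the server-side status query;
    it returns a dict, or None when no payment exists. The field names and the
    "confirmed" value are assumptions, not the gateway's documented schema.
    """
    if order.fulfilled:
        return "already_fulfilled"  # redirect and webhook may both arrive
    payment = fetch_status(order.order_id)
    if payment is None:
        return "no_payment"  # e.g. the success URL was opened by hand
    if payment.get("status") != "confirmed":
        return "not_confirmed"
    paid = (Decimal(str(payment.get("amount", "0"))), payment.get("currency"))
    if paid != (order.amount, order.currency):
        return "mismatch"  # a payment exists, but not the one this order needs
    order.fulfilled = True
    return "fulfilled"


def handle_success_redirect(order, fetch_status):
    """Success-URL handler: the redirect only triggers a server-side check."""
    return try_fulfill(order, fetch_status) in ("fulfilled", "already_fulfilled")
```

Call `try_fulfill` from the webhook handler as well, so both paths share one decision and an order is never fulfilled twice.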