popekabu / pay_with_paystack

MIT License

Violation of Security Standards #23

Closed AmSmart closed 1 month ago

AmSmart commented 2 months ago

I noticed that this widget requests a secret key to spin up a Paystack form. This violates general web security standards as this API key can be used to perform much more damaging actions. This key should only be stored securely in the backend and never exposed to a client application.

Please implement an alternative approach that allows the same flow via the public API key as provided by Paystack.

popekabu commented 1 month ago

The backend can be created and served to the package by the developer. It's the developer's choice to either use a backend to serve the keys or hardcode them. If you have a better way, share it with me please.

Thanks

AmSmart commented 1 month ago

While I understand that the backend can serve the keys to avoid saving the keys in code, any experienced programmer can easily decompile an app, run it through a debugger and get access to organisation-wide keys just by having a user login. This approach is inherently unsafe and can potentially cause big issues.