v1.2.7 - Session-bound checkout token for the automatic payment button #
FloPayAutomaticPaymentButton now accepts and forwards the session-bound checkout token (nonce) on every continuation call, keeping consumer-supplied sessions and the inline fallback authorized against post-#640 backends. Session product type is now optional, and the payments list sorts by createdAt.
15 Jun 2026
FloPay SDK v1.2.7 extends the session-bound checkout token (nonce) introduced in v1.2.4 to the automatic payment button. FloPayAutomaticPaymentButton now accepts a nonce prop for consumer-supplied sessions and threads the token through the session read, the /process call, the saved-payment flow, and the inline fallback checkout, so every continuation request stays authorized against backends that require x-checkout-session-token. This release also relaxes the product type field on session reads to match the v1.2.6 create-side change.
What changed
FloPayAutomaticPaymentButtongains anonceprop. When you pass your ownsessionId, also pass thenoncereturned when that session was created — the session GET does not echo the token back, so without it the existing-session path 401s with "Missing checkout session token." on post-#640 backends. On the create-session path the SDK still mints and threads the nonce itself, so the prop is ignored there.- The button now resolves an effective nonce (
session.clientSecretfrom the create path, falling back to thenonceprop) and forwards it on the session read, the saved-payment/processcall, and the 3DS recovery refetch. - When auto-processing fails and the button opens its inline
FloPayCheckoutfallback, the nonce is carried over so the fallback's own session GET is authorized. processSavedPaymentForModeaccepts an explicitnonce(defaulting tosession.clientSecret) so callers that resolved a session via GET can keep/processand 3DS recovery authorized.CheckoutSessionProduct.typeis now optional, mirroring the v1.2.6 change toCheckoutProduct.type. Display ordering treats any product that is not explicitly a'subscription'as an'item'.PaymentAPI.getPaymentsByEmailnow sorts bycreatedAtinstead ofoccurredAt.
Why it matters
- The automatic payment button now honours the same per-session token contract as the rest of the checkout surfaces, closing the gap where consumer-supplied sessions and the inline fallback could fail authorization on token-enforcing backends.
- Making product
typeoptional keeps session reads consistent with the simplified create-side payload from v1.2.6, where the backend resolves item-vs-subscription from the catalogcode.
Developer notes
- Upgrade
@flopay/js,@flopay/react,@flopay/node, and@flopay/sharedtogether to1.2.7. - If you render
FloPayAutomaticPaymentButtonwith your ownsessionId, pass thenoncereturned bycreateCheckoutSessionfor that session. No change is required for the create-session path (createSession/ inline draft) — the SDK threads the token for you. - Consumers reading
CheckoutSessionProduct.typeshould treat it as optional; anything not explicitly'subscription'should be rendered as an item. - No other public exports, props, or request/response shapes have changed.