FloPay SDK Changelog

Client-facing updates for FloPay SDK releases.

v1.2.7 - Session-bound checkout token for the automatic payment button #

FloPayAutomaticPaymentButton now accepts and forwards the session-bound checkout token (nonce) on every continuation call, keeping consumer-supplied sessions and the inline fallback authorized against post-#640 backends. Session product type is now optional, and the payments list sorts by createdAt.

15 Jun 2026

Feature
Security
Checkout
React SDK

FloPay SDK v1.2.7 extends the session-bound checkout token (nonce) introduced in v1.2.4 to the automatic payment button. FloPayAutomaticPaymentButton now accepts a nonce prop for consumer-supplied sessions and threads the token through the session read, the /process call, the saved-payment flow, and the inline fallback checkout, so every continuation request stays authorized against backends that require x-checkout-session-token. This release also relaxes the product type field on session reads to match the v1.2.6 create-side change.

What changed

  • FloPayAutomaticPaymentButton gains a nonce prop. When you pass your own sessionId, also pass the nonce returned when that session was created — the session GET does not echo the token back, so without it the existing-session path 401s with "Missing checkout session token." on post-#640 backends. On the create-session path the SDK still mints and threads the nonce itself, so the prop is ignored there.
  • The button now resolves an effective nonce (session.clientSecret from the create path, falling back to the nonce prop) and forwards it on the session read, the saved-payment /process call, and the 3DS recovery refetch.
  • When auto-processing fails and the button opens its inline FloPayCheckout fallback, the nonce is carried over so the fallback's own session GET is authorized.
  • processSavedPaymentForMode accepts an explicit nonce (defaulting to session.clientSecret) so callers that resolved a session via GET can keep /process and 3DS recovery authorized.
  • CheckoutSessionProduct.type is now optional, mirroring the v1.2.6 change to CheckoutProduct.type. Display ordering treats any product that is not explicitly a 'subscription' as an 'item'.
  • PaymentAPI.getPaymentsByEmail now sorts by createdAt instead of occurredAt.

Why it matters

  • The automatic payment button now honours the same per-session token contract as the rest of the checkout surfaces, closing the gap where consumer-supplied sessions and the inline fallback could fail authorization on token-enforcing backends.
  • Making product type optional keeps session reads consistent with the simplified create-side payload from v1.2.6, where the backend resolves item-vs-subscription from the catalog code.

Developer notes

  • Upgrade @flopay/js, @flopay/react, @flopay/node, and @flopay/shared together to 1.2.7.
  • If you render FloPayAutomaticPaymentButton with your own sessionId, pass the nonce returned by createCheckoutSession for that session. No change is required for the create-session path (createSession / inline draft) — the SDK threads the token for you.
  • Consumers reading CheckoutSessionProduct.type should treat it as optional; anything not explicitly 'subscription' should be rendered as an item.
  • No other public exports, props, or request/response shapes have changed.