Use browser-safe values
Send only publishable keys, session-scoped client secrets, and display data to the browser or mobile client.
The browser should never create a 0Gate session or hold a server credential. More generally, browser and mobile clients should receive only product-documented, browser-safe values from your backend after the backend creates and stores the 0Bit product object.
Browser-safe does not mean public forever
A publishable key is intended for client code. A client secret is scoped to one hosted session and should still be redacted from logs, analytics, and support screenshots.
Safe handoff
Value classification
| Value | Browser-safe? | Rule |
|---|---|---|
| Publishable key | Yes | Use only for browser bootstrap. |
| Client secret | Yes, session-scoped where the product supports it | Send only after your server creates the session or hosted object. |
| Product object id | Usually yes | Treat as an identifier, not proof of payment. |
| Secret API key | No | Server-side only. |
| Webhook secret | No | Server-side only. |
| Raw webhook payload | No | Keep restricted to backend processing and support tooling. |
| Customer PII | Minimize | Send only fields needed for UX. |
Backend response pattern
```ts
// Server-side handler: creates the 0Gate session and returns only the
// browser-safe values from the classification table above.
// createGateSessionForOrder and publicConfig are this backend's own helpers;
// the secret API key and webhook secret are never part of the response.
async function getCheckoutBootstrap(input: { orderId: string }) {
  const session = await createGateSessionForOrder(input.orderId);
  return {
    orderId: input.orderId,
    productObjectId: session.id,                    // identifier, not proof of payment
    publishableKey: publicConfig.gatePublishableKey, // intended for client code
    clientSecret: session.clientSecret,              // session-scoped; redact from logs
    environment: publicConfig.gateEnvironment,
  };
}
```
Browser rules
- Mount or redirect to the hosted 0Gate experience.
- Use callbacks only to update UX.
- Read final status from your own backend.
- Redact client secrets from logs, analytics, and error reporting.
- Never send secret API keys to frontend feature flags or build-time env variables.
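The following is an added example, not code from 0Gate/0Bit or from this page. It puts the value classification, the backend response pattern and the redaction rule together: an allow-list projection that copies named fields only, a guard that refuses to return a payload containing any server-only secret (which catches an accidental `{...session}` spread), and a log redactor that masks client secrets before anything is written to logs or analytics. The `ServerSession` and `ServerConfig` shapes, their field names and the sample values are constructed for illustration and are not the product's real API.

```typescript
// Added example (not 0Gate/0Bit code). Types, field names and sample values
// are constructed for illustration only.

interface ServerSession {
  id: string;             // product object id: an identifier, not proof of payment
  clientSecret: string;   // session-scoped; browser-safe for this session only
  status: string;         // final status is read from the backend, never trusted from the client
  customer: { email: string; name: string; taxId: string }; // PII: minimize
  rawWebhookPayload?: Record<string, unknown>;              // server-only
}

interface ServerConfig {
  publishableKey: string; // browser-safe
  secretApiKey: string;   // server-only
  webhookSecret: string;  // server-only
  environment: "test" | "live";
}

interface CheckoutBootstrap {
  orderId: string;
  productObjectId: string;
  publishableKey: string;
  clientSecret: string;
  environment: "test" | "live";
  customerName: string;   // the one display field the UX needs
}

// Defence in depth: refuse to return a payload whose serialized form contains a
// server-only secret anywhere (catches accidental spreads of the whole session).
function assertNoServerSecrets(payload: unknown, serverSecrets: string[]): void {
  const serialized = JSON.stringify(payload);
  for (const secret of serverSecrets) {
    if (secret.length > 0 && serialized.includes(secret)) {
      throw new Error("refusing to send a server-only secret to the client");
    }
  }
}

// Allow-list projection: fields are copied by name, so a field added to
// ServerSession later is not sent to the browser unless someone opts it in here.
function toBrowserBootstrap(
  orderId: string,
  session: ServerSession,
  config: ServerConfig,
): CheckoutBootstrap {
  const bootstrap: CheckoutBootstrap = {
    orderId,
    productObjectId: session.id,
    publishableKey: config.publishableKey,
    clientSecret: session.clientSecret,
    environment: config.environment,
    customerName: session.customer.name,
  };
  assertNoServerSecrets(bootstrap, [config.secretApiKey, config.webhookSecret]);
  return bootstrap;
}

// Log/analytics redaction: the client secret may reach the browser, but it must
// not be persisted, so these keys are masked before logging or error reporting.
const REDACT_KEYS = new Set(["clientSecret", "secretApiKey", "webhookSecret"]);

function redactForLogs<T>(value: T): T {
  if (Array.isArray(value)) {
    return value.map((item) => redactForLogs(item)) as unknown as T;
  }
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = REDACT_KEYS.has(k) ? "[REDACTED]" : redactForLogs(v);
    }
    return out as T;
  }
  return value;
}

// Constructed sample data (not real credentials).
const sampleSession: ServerSession = {
  id: "obj_constructed_001",
  clientSecret: "cs_constructed_session_secret",
  status: "open",
  customer: { email: "a@example.com", name: "Ada", taxId: "TAX-000" },
  rawWebhookPayload: { event: "constructed" },
};

const sampleConfig: ServerConfig = {
  publishableKey: "pk_constructed_public",
  secretApiKey: "sk_constructed_server_only",
  webhookSecret: "whsec_constructed_server_only",
  environment: "test",
};

// Usage: what the browser receives, and what a log line may contain.
const bootstrapForBrowser = toBrowserBootstrap("order_123", sampleSession, sampleConfig);
console.log(JSON.stringify(redactForLogs(bootstrapForBrowser)));
```

The guard in `assertNoServerSecrets` is deliberately value-based rather than key-based: a renamed field or a nested object would slip past a key allow-list, but the secret string itself cannot.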