Integrate mobile WebViews
Use the hosted 0Gate redirect flow inside mobile WebViews without putting secret credentials or settlement decisions in the app.
Use mobile WebViews when your native app needs to open the hosted 0Gate flow without building a native checkout surface. The mobile app starts from your backend, opens a hosted checkout page, listens for your return or cancel URL, and reads final status from your server.
The mobile app is not the settlement system
Keep secret keys, webhook secrets, session creation, reconciliation, and fulfillment on your backend. The app can display status and route users, but it should never decide that value moved.
Mobile flow
Recommended architecture
| Layer | Responsibility |
|---|---|
| Native app | Starts checkout, opens WebView or system browser, intercepts your own return/cancel URLs, shows status. |
| Your backend | Creates attempts, creates 0Gate sessions, stores session ids, verifies webhooks, exposes status. |
| 0Gate hosted flow | Runs customer-facing KYC, quote, payment, confirmation, and terminal hosted UX. |
| Outcome page | Reads trusted state from your backend and renders processing, success, failure, expired, or cancelled. |
Start from a web handoff page
The safest mobile pattern is to open a page you control, then let that page call the browser SDK redirect. This keeps hosted URL generation and browser behavior consistent with your web integration.
import { GateRamp } from '@0bit/gate/browser';
export function startMobileCheckout(clientSecret: string) {
GateRamp.redirectToCheckout({
publishableKey: import.meta.env.VITE_GATE_PUBLISHABLE_KEY,
clientSecret,
environment: 'sandbox',
theme: 'light',
});
}Your mobile app opens that handoff page in a WebView or system browser after your backend has created the attempt and session.
Intercept only your own URLs
When navigation reaches your return_url or cancel_url, close or replace the WebView and show a status page backed by your API.
func webView(_ webView: WKWebView,
decidePolicyFor navigationAction: WKNavigationAction,
decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
guard let url = navigationAction.request.url else {
decisionHandler(.allow)
return
}
if url.host == "app.example.com", url.path.starts(with: "/checkout/") {
showCheckoutStatus(url)
decisionHandler(.cancel)
return
}
decisionHandler(.allow)
}override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
val uri = request.url
if (uri.host == "app.example.com" && uri.path?.startsWith("/checkout/") == true) {
showCheckoutStatus(uri)
return true
}
return false
}WebView checklist
| Check | Guidance |
|---|---|
| JavaScript | Required for the hosted checkout page and browser handoff page. |
| External browser fallback | Offer it if the WebView blocks payments, wallet links, or required browser capabilities. |
| Allowed origins | Register exact origins used by return and cancel pages. |
| Status refresh | Poll or subscribe to your own attempt status, not 0Gate browser callbacks. |
| Retry | Create a fresh attempt/session for expired sessions. |
| Privacy | Do not log full URLs if they contain browser session values. |
Customer states
| State | Mobile UI |
|---|---|
| requires_action | Open hosted checkout. |
| processing | Close WebView and show “confirming” status. |
| fulfilled | Show receipt or next product step. |
| failed | Show safe failure copy and retry/support. |
| expired | Create a new session before retry. |
| cancelled | Return to the previous screen with a retry option. |
Do not
- Put
sk_*credentials, webhook secrets, or provider credentials in the app. - Scrape hosted iframe DOM or inject code into the 0Gate flow.
- Fulfill, credit, ship, or release value from a WebView navigation event.
- Surface raw provider, compliance, treasury, or internal diagnostic details to customers.
Related pages
Use hosted redirect & WebViews
Understand the redirect contract before wiring native containers.
Configure return URLs and outcome pages
Build status pages that work across web and mobile.
Handle failed or cancelled flows
Design retry and support behavior for interrupted mobile sessions.
Server-side keys
Keep mobile integrations away from server credentials.
Use hosted redirect & WebViews
Send users to the hosted 0Gate checkout when iframe embedding is blocked, then return them to a status page backed by your server.
Theme and co-brand the widget
Use the supported 0Gate theme and co-branding surfaces without styling inside the hosted iframe or exposing branding internals.