SDK Overview & Security
What Is the Inflow SDK?
The @inflow_pay/sdk package provides a drop-in card payment form that you embed in your website. It supports both React and vanilla JavaScript applications.
The SDK uses an iframe-based architecture: card details are entered in a secure iframe hosted by Inflow, so sensitive card data never touches your servers.
How It Works
- Your backend creates a payment using your private API key (`X-Inflow-Api-Key`).
- Your frontend initializes the SDK with your public API key (`publicKey`).
- The SDK renders a card input form inside a secure iframe.
- The customer enters their card details and submits.
- The SDK handles tokenization, 3D Secure authentication, and payment completion.
- Your app receives the result via the `onComplete` callback.
Security
| Feature | Description |
|---|---|
| PCI Compliant | Card data is collected and tokenized within a secure iframe. Your servers never handle raw card numbers |
| Iframe Isolation | The payment form runs in a sandboxed iframe, isolated from your page's JavaScript |
| HTTPS Only | All communication between the SDK and Inflow servers is encrypted |
| Public Key Only | The frontend uses your public key, which is safe to expose in browser code |
| Tokenization | Card details are tokenized before any processing |
Never expose your private API key (`X-Inflow-Api-Key`) in frontend code. It should only be used in your backend.
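A build-time check for the rule above, as an added example that is not part of the Inflow SDK or its documentation: it scans files destined for the browser for the private key value or the `X-Inflow-Api-Key` header name. The file names, placeholder keys, and the `findPrivateKeyLeaks` function are assumptions made for illustration.

```javascript
// Added example: flags browser-bound files that contain the private key
// value or the backend-only header name. HEADER_NAME comes from the page;
// every other name here is hypothetical.
const HEADER_NAME = 'X-Inflow-Api-Key';

// Escape a string so it can be matched literally inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// files: { path: contents } for everything shipped to the browser.
// privateKey: the secret the backend uses (for example, injected into CI).
// Returns [{ file, line, reason }]; an empty array means nothing was found.
function findPrivateKeyLeaks(files, privateKey) {
  // HTTP header names are case-insensitive, so match in any casing.
  const headerRe = new RegExp(escapeRegExp(HEADER_NAME), 'i');
  const findings = [];
  for (const [file, contents] of Object.entries(files)) {
    contents.split(/\r?\n/).forEach((text, i) => {
      if (privateKey && text.includes(privateKey)) {
        findings.push({ file, line: i + 1, reason: 'private key value' });
      }
      if (headerRe.test(text)) {
        findings.push({ file, line: i + 1, reason: 'private key header' });
      }
    });
  }
  return findings;
}

// Constructed sample bundle contents (placeholder keys, not Inflow code).
const SAMPLE_FILES = {
  'dist/checkout.js': [
    'const config = { publicKey: "PUBLIC_KEY_PLACEHOLDER" };',
    'startCheckout(config);',
  ].join('\n'),
  'dist/admin.js': [
    'fetch("/payments", {',
    '  headers: { "x-inflow-api-key": "PRIVATE_KEY_PLACEHOLDER" },',
    '});',
  ].join('\n'),
};

const findings = findPrivateKeyLeaks(SAMPLE_FILES, 'PRIVATE_KEY_PLACEHOLDER');
for (const f of findings) console.log(`${f.file}:${f.line}: ${f.reason}`);
```

In a real pipeline, pass in the contents of the build output directory and fail the build when the returned array is not empty.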
Supported Features
- Card payments (Visa, Mastercard)
- 3D Secure (3DS) authentication — handled automatically
- Built-in success UI (customizable or replaceable)
- Custom styling (fonts, colors, dark mode)
- React and vanilla JavaScript integration
- CDN option for vanilla HTML pages
- TypeScript support with full type definitions
- Responsive design, WCAG compliant
- Multiple locale support (en, de, es, fr, it, nl, pl, pt)
The SDK evolves quickly. Always refer to the npm package page for the latest API details and version.