fix: add sdk authorization support in initpaymentsession, cvc widget flow and add cvc prop validation #1487

Open
aritro2002 wants to merge 1 commit into main from cvc-widget3

@aritro2002
Contributor

…flow and add cvc prop validation

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

Added sdkAuthorization support in the initPaymentSession flow, the CVC widget confirm flow, and added CVC prop validation for headless mode.

1. sdkAuthorization in initPaymentSession

Mirrored the existing sdkAuthorization support from the elements() flow into initPaymentSession. When sdkAuthorization (a base64-encoded token containing publishable_key, client_secret, customer_id, and profile_id) is provided in the payment session options:

  • It is decoded via Utils.getSdkAuthorizationData and clientSecret is extracted from the token (with fallback to the explicit clientSecret option)
  • API calls use the Authorization header instead of api-key
  • client_secret is omitted from request bodies
  • The token is propagated through PaymentSession -> PaymentSessionMethods -> PaymentHelpers to all payment intent, customer payment method list, and session fetch calls

2. sdkAuthorization in CVC Widget Flow

Fixed a pre-existing gap in CardCVCElement.res where sdkAuthorization from Recoil state (keys.sdkAuthorization) was not being passed to paymentIntentForPaymentSession. This ensures the CVC widget confirm flow also uses the Authorization header when sdkAuthorization is available.

3. CVC Prop Validation

Added validation for the cvc prop passed directly by the user in headless mode (PaymentSessionMethods.res):

  • Sanitizes input to digits-only via onlyDigits utility
  • Validates the CVC is 3-4 digits in length
  • Returns a structured error response via handleFailureResponse with message "The CVC must be a 3 to 4 digit string." and error type cvc_validation if invalid

Changes Summary

Modified Files:

  • src/hyper-loader/Hyper.res — Updated initPaymentSession to extract and decode sdkAuthorization from options, set the ref, and pass it to PaymentSession.make
  • src/hyper-loader/PaymentSession.res — Added ~sdkAuthorization parameter, forwarded to getCustomerSavedPaymentMethods
  • src/hyper-loader/PaymentSessionMethods.res — Added ~sdkAuthorization parameter, converted to option, passed to all paymentIntentForPaymentSession, fetchCustomerPaymentMethodList, and fetchSessions calls; added CVC digit-only sanitization and 3-4 digit length validation
  • src/Utilities/PaymentHelpers.res — Added ~sdkAuthorization=None default parameter to paymentIntentForPaymentSession, conditionally uses Authorization header vs api-key, conditionally omits client_secret from body, passes sdkAuthorization to intentCall
  • src/CardCVCElement.res — Passed ~sdkAuthorization=keys.sdkAuthorization to paymentIntentForPaymentSession

How did you test it?

case 1: sdkauthorization passed, cvc: "123"
https://github.com/user-attachments/assets/fe1e3c83-7cd5-4832-81fe-7419460ce8c7

case 2: sdkauthorization passed, cvc: 123
image

case 3: sdkauthorization passed, cvc: ""
image

case 4: sdkauthentication passed, cvc not passed
image

Screen.Recording.2026-04-07.at.5.16.52.pm.mov

Checklist

  • I ran npm run re:build
  • I reviewed submitted code
  • I added unit tests for my changes where possible
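
The header selection and CVC check described in this PR, sketched as an added JavaScript example that is not part of the pull request or the SDK's ReScript code. It assumes the token decodes to JSON and that the Authorization value is the raw token; the function names, the body field name, the `invalid_sdk_authorization` error type and the handling of non-string `cvc` are hypothetical.

```javascript
// Added illustration, not the SDK's ReScript code. Assumed: the token decodes
// to JSON, the Authorization value is the raw token, and every function and
// body field name below is hypothetical.

// Constructed sample token with placeholder values.
const SAMPLE_TOKEN = btoa(JSON.stringify({
  publishable_key: "pk_placeholder", client_secret: "cs_placeholder",
  customer_id: "cus_placeholder", profile_id: "pro_placeholder",
}));

// Decode sdkAuthorization; null when it is not base64-encoded JSON.
function decodeSdkAuthorization(token) {
  try {
    const data = JSON.parse(atob(token));
    return data && typeof data === "object" ? data : null;
  } catch (_) {
    return null;
  }
}

// Digits-only sanitization, then the 3-4 digit length rule from the PR.
// Rejecting non-string input is this example's choice.
function validateCvc(cvc) {
  const digits = typeof cvc === "string" ? cvc.replace(/\D/g, "") : "";
  if (digits.length < 3 || digits.length > 4) {
    return { ok: false, error: { type: "cvc_validation",
      message: "The CVC must be a 3 to 4 digit string." } };
  }
  return { ok: true, cvc: digits };
}

// Build headers and body for a headless confirm call.
function buildConfirmRequest({ sdkAuthorization, clientSecret, publishableKey, cvc }) {
  const checked = validateCvc(cvc);
  if (!checked.ok) return checked;
  const body = { cvc: checked.cvc };
  if (sdkAuthorization !== undefined) {
    // Token path: Authorization header, no api-key, no client_secret in body.
    if (!decodeSdkAuthorization(sdkAuthorization)) {
      return { ok: false, error: { type: "invalid_sdk_authorization" } }; // hypothetical
    }
    return { ok: true, headers: { Authorization: sdkAuthorization }, body };
  }
  // Legacy path: api-key header and explicit client_secret in the body.
  body.client_secret = clientSecret;
  return { ok: true, headers: { "api-key": publishableKey }, body };
}
```

Because sanitization runs before the length check, an input such as "12a3" is accepted as "123" in this sketch; a caller that wants to reject mixed input has to compare the sanitized value with the original.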

@semanticdiff-com

Review changes with SemanticDiff

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

🚫 Missing Linked Issue

Hi 👋 This pull request does not appear to be linked to any open issue yet.

Linking your PR to an issue helps keep the project tidy and ensures the issue is closed automatically.

✔️ How to fix this

  • Add a keyword like Fixes #123 or Closes #456 to your PR description or a commit message.
  • Or link it manually using the "Linked issues" panel in the PR sidebar.

Tip: You can link multiple issues.
🚫 Note: If only one issue is linked, it must be open for this check to pass.

Once linked, this check will pass automatically on your next push or when you re-run the workflow.

Thanks for helping maintainers! 🙌
