The main branch receives security fixes until versioned releases begin.

Email security reports to info@makepay.io.

Please include affected APIs, reproduction steps, expected impact, and any request or response examples with secrets removed.

• Never put MakePay partner API keys or webhook secrets into Android apps.
• Create payment links on your own backend and return only checkout-safe data to mobile clients.
• Validate mobile cart/order details on the backend before creating MakePay resources.
• Treat deep-link return parameters as untrusted hints and reconcile payment status server-side.