Angular — changelog

This page mirrors @mms/pdirect-pay/CHANGELOG.md. Format follows Keep a Changelog.

Source of truth

The package’s CHANGELOG.md on npm is canonical. This page is refreshed when a new version ships.

[1.3.0] — current published

Auth-v3 cut-over. The SDK now sends Authorization: Bearer <session_token> on every authenticated request — the legacy app-key header is dropped.

Changed

• PdirectHttpClientService switches its auth header from app-key: <merchant_secret> to Authorization: Bearer <token>. The token field on PdirectPayConfig and the setAppKey() helper now carry the per-checkout session_token your backend mints — not a long-lived merchant credential. The field and method names are kept for backwards compatibility; renaming to sessionToken / setSessionToken is scheduled for 2.0.0.
• convertPaymentBodyToRequest no longer includes customer_reference, amount, or currency in the /payments/collect body when the corresponding PdirectPaymentBody fields are unset. The gateway reads those values straight off the session row. Callers that explicitly set them still send them; the gateway soft-checks against the session binding and returns 400 on drift.

Migration

// Old: long-lived merchant app-key
configs: PdirectPayConfig = {
  token: "merchant-app-key",
  ...
};
paymentBody: PdirectPaymentBody = {
  customerReference: "cust_abc123",
  amount: "12.50",
  currency: "usd",
  paymentMethod: "wallet",
  ...
};
// New: per-checkout session_token, body omits the bound fields
configs: PdirectPayConfig = {
  token: sessionTokenFromYourBackend,
  ...
};
paymentBody: PdirectPaymentBody = {
  paymentMethod: "wallet",
  ...
};

Your merchant backend must mint a session via POST /api/v1/internal/sessions/create before mounting the checkout. See Authentication for the full flow.

[1.2.2]

Patch release. See npm for the deltas; substantive features land in the 1.2.x minors.

[1.2.1] — 2026-04-17

Added

• PdirectPaymentBody now supports three additional Flutter-parity fields:
  • transactionalCurrency?: string — overrides default currency resolution for the payment method (sent to the API as transactional_currency).
  • nativePayToken?: string / nativePayTokenType?: string — Google Pay / Apple Pay token payload (sent as native_pay_token / native_pay_token_type).

These fields are optional and backward-compatible.

[1.2.0] — 2026-04-17

Changed

• Default theme is now a clean white payment surface instead of the dark green look. Default brand colours are neutral slate; merchants override per-checkout via the themeConfig input.
• themeConfig is now actually applied: the checkout component sets it as scoped CSS custom properties on its host element in ngOnInit / ngOnChanges, so overrides cannot leak into the host app.
• Modernised <pdirect-result> for a financial UI: white card with subtle shadow, halo’d filled status badge with pop animation, formatted amount focal (currency label + 40 px tabular-numeric value), restrained transaction-detail panel.
• Status colours (success / error / warning) are intentionally not themeable — they always render in semantic green / red / amber.
• Default isDarkTheme is false (was true).

Added

• PdirectPayThemeConfig gains primaryColor, secondaryColor, tertiaryColor, surfaceColor, secondaryTextColor, and borderColor fields:

  themeConfig: PdirectPayThemeConfig = {
    primaryColor: "#2563EB",
    secondaryColor: "#1E40AF",
    tertiaryColor: "#3BFBDA",
  };

  <pdirect-pay-checkout
    [configs]="configs"
    [paymentBody]="paymentBody"
    [themeConfig]="themeConfig"
    (response)="handleSuccess($event)"
    (error)="handleError($event)" />

Deprecated

• PdirectPayThemeConfig.accentColor — use tertiaryColor instead. The old field is still read as a fallback so existing integrations keep working.

Migration

No code changes required — all new theme fields are optional. The default visual will change from dark green to a clean white surface; if you need the legacy dark look, add the pdirect-dark class to the host element or pass themeConfig with backgroundColor: "#0F172A" and matching surface/text values.

Security

Two security bugs were fixed in the 1.2.x range:

• Six console.log calls that printed truncated appKey are removed.
• HTTP errors no longer log full HttpErrorResponse bodies — only status and URL — to prevent PII echoes.
• Redirect URL validation tightened: rejects javascript:, data:, intent:, and unencrypted http:// in production.

[1.1.3] and earlier

See git history.

Roadmap

The next major (2.0.0) finishes the Auth-v3 ergonomics started in 1.3.0:

• Rename PdirectPayConfig.token → PdirectPayConfig.sessionToken, with the legacy token field as a deprecated alias for one minor cycle.
• Rename setAppKey → setSessionToken (deprecated alias for one cycle).
• Auto-attach Idempotency-Key (UUID v4) on every POST request.
• Auto-attach X-Device-Fingerprint on every authenticated request, matching the Flutter SDK.

There’s no published date yet. Watch this page for the release notes.

See also

• API changelog — gateway-side changes
• Flutter SDK changelog — Flutter side