For the complete documentation index, see llms.txt. Prefer markdown by appending.mdto documentation URLs or sendingAccept: text/markdown.
Checklist
A pre-store security checklist for Expo: public env, trusted origins, API trust, and webhook-backed billing.
Use this checklist before submitting to the App Store or Google Play, and again after major auth or billing changes. Pair it with the publishing checklist.
Secrets & configuration
- No secrets in the mobile app or git (only placeholders in examples)
- No sensitive values use the
EXPO_PUBLIC_prefix -
EXPO_PUBLIC_SITE_URLpoints at the production API / web origin - EAS preview and production profiles use the correct public env
- Billing webhook secrets exist only on the server
Authentication
- App scheme from
app.config.tsis listed in Better AuthtrustedOrigins - OAuth / native Sign in with Apple & Google use production callbacks and app ids
- Deep links do not unlock paid or admin features by themselves
- Session tokens are not logged to analytics or crash reporting
API trust
- Sensitive actions call protected Hono routes
- Client RBAC only drives UI; server repeats the checks
- Organization-scoped features verify membership on the API
- Feature / plan gates match server entitlement checks
Billing
- Purchase unlocks wait for webhook-verified state (or a trusted server summary)
- Provider dashboard restricts client keys to your bundle / package ids
- Sandbox and production webhook secrets are not mixed
Process
- Dependencies updated for known React Native / Expo advisories
- Monitoring scrubbers hide tokens and cookies
- Auth and billing failures are visible in logs / crash tools
Ship with confidence
You do not need every optional hardening step on day one, but you do need public-only mobile env, correct trusted origins, server-side authz, and webhook-backed entitlements.
How is this guide?
Last updated on