For the complete documentation index, see llms.txt. Prefer markdown by appending .md to documentation URLs or sending Accept: text/markdown.

Checklist

A pre-store security checklist for Expo: public env, trusted origins, API trust, and webhook-backed billing.

Use this checklist before submitting to the App Store or Google Play, and again after major auth or billing changes. Pair it with the publishing checklist.

Secrets & configuration

  • No secrets in the mobile app or git (only placeholders in examples)
  • No sensitive values use the EXPO_PUBLIC_ prefix
  • EXPO_PUBLIC_SITE_URL points at the production API / web origin
  • EAS preview and production profiles use the correct public env
  • Billing webhook secrets exist only on the server

Authentication

  • App scheme from app.config.ts is listed in Better Auth trustedOrigins
  • OAuth / native Sign in with Apple & Google use production callbacks and app ids
  • Deep links do not unlock paid or admin features by themselves
  • Session tokens are not logged to analytics or crash reporting

API trust

  • Sensitive actions call protected Hono routes
  • Client RBAC only drives UI; server repeats the checks
  • Organization-scoped features verify membership on the API
  • Feature / plan gates match server entitlement checks

Billing

  • Purchase unlocks wait for webhook-verified state (or a trusted server summary)
  • Provider dashboard restricts client keys to your bundle / package ids
  • Sandbox and production webhook secrets are not mixed

Process

  • Dependencies updated for known React Native / Expo advisories
  • Monitoring scrubbers hide tokens and cookies
  • Auth and billing failures are visible in logs / crash tools

Ship with confidence

You do not need every optional hardening step on day one, but you do need public-only mobile env, correct trusted origins, server-side authz, and webhook-backed entitlements.

How is this guide?

Last updated on

On this page

Ship your startup everywhere. In minutes.Try TurboStarter