For the complete documentation index, see llms.txt. Prefer markdown by appending.mdto documentation URLs or sendingAccept: text/markdown.
Overview
Treat the device as untrusted: keep secrets on the API, harden deep links, and never grant access from client-only checks.
The mobile app is a client. It talks to the same Hono API and Better Auth stack as web - it should never become a second source of truth for secrets, entitlements, or tenant access.
This section is a security playbook - what must stay off-device, how auth deep links stay safe, and what to double-check before you ship to the stores.
Be mindful
Security is not a one-time setup. Revisit these practices whenever you add screens, deep links, billing providers, or native modules that touch sensitive data.
Security model
Defense on mobile is client-focused. The API still owns authorization:
| Layer | What it protects | Where it lives |
|---|---|---|
| No secrets on device | API keys and webhook secrets never ship in the binary | Server env / web deployment |
| Public env only | EXPO_PUBLIC_* values are readable by anyone with the app | apps/mobile + EAS |
| Trusted deep links | Auth redirects only from your app scheme | Better Auth trustedOrigins |
| Session + API | Mutations require a valid session on protected routes | Auth client → Hono enforceAuth |
| Entitlements | Purchases are confirmed by provider webhooks, not UI callbacks | @workspace/billing-mobile + API |
Server-side rules (middleware, Zod validation, webhook signatures, package ./server entry points) are documented in Web security. Use that section whenever you change the API.
Each of these topics is covered in more detail in the following guides:
Secrets & environment
EXPO_PUBLIC_ values ship in the app binary. Keep API keys and webhook secrets on the server, and configure EAS for production builds.
Auth & deep links
Register your app scheme in trustedOrigins, configure native OAuth carefully, and treat deep links as untrusted entry points.
API trust
Hide buttons for UX, but enforce every mutation on the Hono API. Never authorize from a client-supplied organization id alone.
Billing
Use RevenueCat or Superwall on device for checkout UX, but grant access only after webhook-verified events on the API.
Checklist
A pre-store security checklist for Expo: public env, trusted origins, API trust, and webhook-backed billing.
How is this guide?
Last updated on