Improved

Checkout SDK Updates — Android v1.1.0, iOS v1.4.1

Android SDK — v1.1.0 (2026-06-03)

View on GitHub for full update

Breaking Changes

  • SPLTextField (hostedfields) CARD and CVV now require a non-null sdk, and display follows Spreedly.hostedCardDisplayState. Composable parameters that duplicated SDK display state have been removed. Consumers must recompile and pass sdk on every CARD/CVV field.
  • The SPLTextField Compose signature has new parameters (trailingIcon, onFieldStateChange, onFocusChanged, enableAutofill), changing the generated Compose method name — recompile against the new hostedfields AAR.
  • PaymentSheet now requires sdk: Spreedly and no longer accepts hostedCardDisplayState.
  • PaymentSheetConfig gains two new properties (enableAutofill, cardNumberFormat); Java callers using positional constructors or copy() must add the two new trailing arguments.
  • CVV recache results are now delivered only via recacheResultFlow / the recachePaymentMethod suspend return, not paymentResultFlow. PaymentResult.isRecacheMirrorEvent() and paymentMethodUpdatedAt on PaymentResult.Completed were removed in favor of PaymentMethodResponse.paymentMethodUpdatedAt.
  • PaymentResult.Canceled is now a data class with optional message and paymentMethodType fields — Kotlin when branches must use is PaymentResult.Canceled, and emit sites must call PaymentResult.Canceled().
  • BraintreeAPMActivity.Companion.createIntent() was removed; use SpreedlyBraintreeAPMCheckout.present() or BraintreeAPMJavaHelper.presentCheckout() instead.

Added

  • Optional core field labels/hints for card number, CVV, and expiration on PaymentSheet and hosted fields, for iOS parity.
  • Iframe-style PAN display controls: CardNumberFormat (pretty/plain/masked), hostedCardDisplayState, and toggleMask(), giving merchants explicit control over mask/reveal behavior outside the fields themselves.
  • A lifecycle-aware mask overlay that re-masks a revealed PAN when the screen stops, plus disabled clipboard copy/cut while revealed.
  • Typed, merchant-safe field-state snapshots (onFieldStateChange / HostedFieldState) exposing validity, focus, and IIN — never raw PAN or CVV.
  • New helpers: Spreedly.areAllFieldsValid(), Spreedly.getRegisteredFieldCount(), and Spreedly.resetPaymentFormPreservingDisplayConfig().
  • An EmailValidator for merchant email fields, and autofill support on hosted fields (enableAutofill).
  • Expanded Braintree PayPal/Venmo support: vault and checkout-with-vault flows, device-data gating rules, multi_use/single_use Venmo mapping, and richer cancellation messages (PaymentResult.Canceled.message, paymentMethodType).
  • Stripe APM PaymentSheet appearance customization, and a new Stripe Radar module for fraud-detection device data collection.
  • A legacy-iframe migration guide (docs/guides/migration/from-legacy.md).

Changed

  • PAN/CVV masking now uses * instead of for iframe parity; setNumberFormat(PRETTY) unmasks only the PAN, preserving the prior CVV mask state.
  • resetPaymentState() fully resets display config; the new resetPaymentFormPreservingDisplayConfig() clears values only, preserving mask/format after successful tokenization.
  • Gateway-specific 3DS challenge/redirect polling now times out after 10 minutes (was 15).
  • Dark mode now auto-selects SpreedlyTheme.Dark when no global theme is set.

Fixed

  • Braintree APM client-token expiry no longer blocks checkout when created_at is missing from the status payload (HC-1480).
  • Expiry month field no longer zero-pads while typing, so digit-by-digit entry works correctly (HC-1508).
  • Optional-CVV recache (ROUTEX, UATP, Tarjeta D) now correctly accepts empty or short CVV values (HC-1504/1506/1496).
  • Various expiry-field autofill and card-scan parsing fixes for split month/year fields (HC-1505).

iOS SDK — v1.4.0 / v1.4.1 (2026-06-03 / 2026-07-09)

v1.4.0 on GitHub · v1.4.1 on GitHub

v1.4.1 is a distribution-only patch — same XCFramework binaries and SDK behavior as 1.4.0, fixing a broken Package.swift manifest on the 1.4.0 tag. Pin 1.4.1 for new Swift Package Manager and CocoaPods integrations; do not use tag 1.4.0 for SPM. All feature content below shipped in 1.4.0.

Note: ACH bank-account support is not included in this release. Bank-account APIs may exist in the repository for internal QA only — merchants must not integrate ACH until it is announced under its own version.

Breaking Changes

  • Headless SPLTextField/SPLTextFieldViewController display now follows Spreedly.shared().setNumberFormat(_:) / toggleMask() / hostedCardDisplayState; per-field display overrides were removed.
  • CardFormDropIn / CardFormDropInViewController removed showPanMaskToggle and showsAutofillToggle in favor of the same merchant-controlled mask/autofill APIs.
  • resetPaymentSession() was removed. CardFormDropIn now clears secure values on dismiss and refreshes on each open while keeping merchant mask/format settings; use resetPaymentState() / reset() for a full wipe.
  • CVV recache results now deliver only via subscribeToRecacheResults / SpreedlyRecacheDelegate.
  • Stripe APM dismiss and Braintree user-cancel now emit PaymentResult.canceled() — callers that treated cancellation as failure must switch to checking result.isCanceled.

Added

  • Express core field copy (DropInCoreFieldLabels, CardFormDropInDisplayConfig) and iframe-style PAN/CVV display controls (CardNumberFormat, hostedCardDisplayState, setNumberFormat, toggleMask()), mirroring the Android additions above.
  • Lifecycle mask overlay, typed field-state snapshots (onFieldStateChange/HostedFieldState), areAllFieldsValid, getRegisteredFieldCount, and resetPaymentFormPreservingDisplayConfig().
  • EmailValidator, hosted-field autofill, and an allowInternationalZipCodes validation parameter.
  • Spreedly.isInitialized, now true only after a fully signed setup(config:) call.
  • Braintree PayPal vault/checkout-with-vault flows, device-data gating, Venmo usage mapping, client-token 24-hour validation, and payment-type mismatch checks — matching the Android release.
  • Stripe APM PaymentSheet appearance customization and a gateway-specific 3DS completion safety net for apps that skip finalizeTransaction.
  • A legacy-iframe migration guide.

Changed

  • PAN/CVV masking, display-reset, and post-tokenize display behavior changed to match the Android release (see above).
  • Braintree checkout always fetches transaction status before launch and removed the iOS-only 60-second tokenize timeout.
  • Worldpay gateway-specific 3DS tightened device-fingerprint completion detection to avoid spurious early completion from unrelated browser messages.

Fixed

  • Expiry month field padding, autofill/card-scan parsing, and optional-CVV recache fixes matching the Android release.
  • Braintree client_token expiry, status/cancel handling, and empty-transaction-token edge cases resolved.
  • Merchant setNumberFormat/toggleMask now survives sheet re-open; PAN_MASK_CHANGED events match the display format at the time they're emitted.