Improved
Checkout SDK Updates — Android v1.1.0, iOS v1.4.1
July 9th, 2026
Android SDK — v1.1.0 (2026-06-03)
View on GitHub for full update
Breaking Changes
SPLTextField(hostedfields) CARD and CVV now require a non-nullsdk, and display followsSpreedly.hostedCardDisplayState. Composable parameters that duplicated SDK display state have been removed. Consumers must recompile and passsdkon every CARD/CVV field.- The
SPLTextFieldCompose signature has new parameters (trailingIcon,onFieldStateChange,onFocusChanged,enableAutofill), changing the generated Compose method name — recompile against the newhostedfieldsAAR. PaymentSheetnow requiressdk: Spreedlyand no longer acceptshostedCardDisplayState.PaymentSheetConfiggains two new properties (enableAutofill,cardNumberFormat); Java callers using positional constructors orcopy()must add the two new trailing arguments.- CVV recache results are now delivered only via
recacheResultFlow/ therecachePaymentMethodsuspend return, notpaymentResultFlow.PaymentResult.isRecacheMirrorEvent()andpaymentMethodUpdatedAtonPaymentResult.Completedwere removed in favor ofPaymentMethodResponse.paymentMethodUpdatedAt. PaymentResult.Canceledis now a data class with optionalmessageandpaymentMethodTypefields — Kotlinwhenbranches must useis PaymentResult.Canceled, and emit sites must callPaymentResult.Canceled().BraintreeAPMActivity.Companion.createIntent()was removed; useSpreedlyBraintreeAPMCheckout.present()orBraintreeAPMJavaHelper.presentCheckout()instead.
Added
- Optional core field labels/hints for card number, CVV, and expiration on
PaymentSheetand hosted fields, for iOS parity. - Iframe-style PAN display controls:
CardNumberFormat(pretty/plain/masked),hostedCardDisplayState, andtoggleMask(), giving merchants explicit control over mask/reveal behavior outside the fields themselves. - A lifecycle-aware mask overlay that re-masks a revealed PAN when the screen stops, plus disabled clipboard copy/cut while revealed.
- Typed, merchant-safe field-state snapshots (
onFieldStateChange/HostedFieldState) exposing validity, focus, and IIN — never raw PAN or CVV. - New helpers:
Spreedly.areAllFieldsValid(),Spreedly.getRegisteredFieldCount(), andSpreedly.resetPaymentFormPreservingDisplayConfig(). - An
EmailValidatorfor merchant email fields, and autofill support on hosted fields (enableAutofill). - Expanded Braintree PayPal/Venmo support: vault and checkout-with-vault flows, device-data gating rules,
multi_use/single_useVenmo mapping, and richer cancellation messages (PaymentResult.Canceled.message,paymentMethodType). - Stripe APM PaymentSheet appearance customization, and a new Stripe Radar module for fraud-detection device data collection.
- A legacy-iframe migration guide (
docs/guides/migration/from-legacy.md).
Changed
- PAN/CVV masking now uses
*instead of•for iframe parity;setNumberFormat(PRETTY)unmasks only the PAN, preserving the prior CVV mask state. resetPaymentState()fully resets display config; the newresetPaymentFormPreservingDisplayConfig()clears values only, preserving mask/format after successful tokenization.- Gateway-specific 3DS challenge/redirect polling now times out after 10 minutes (was 15).
- Dark mode now auto-selects
SpreedlyTheme.Darkwhen no global theme is set.
Fixed
- Braintree APM client-token expiry no longer blocks checkout when
created_atis missing from the status payload (HC-1480). - Expiry month field no longer zero-pads while typing, so digit-by-digit entry works correctly (HC-1508).
- Optional-CVV recache (ROUTEX, UATP, Tarjeta D) now correctly accepts empty or short CVV values (HC-1504/1506/1496).
- Various expiry-field autofill and card-scan parsing fixes for split month/year fields (HC-1505).
iOS SDK — v1.4.0 / v1.4.1 (2026-06-03 / 2026-07-09)
v1.4.0 on GitHub · v1.4.1 on GitHub
v1.4.1 is a distribution-only patch — same XCFramework binaries and SDK behavior as 1.4.0, fixing a broken Package.swift manifest on the 1.4.0 tag. Pin 1.4.1 for new Swift Package Manager and CocoaPods integrations; do not use tag 1.4.0 for SPM. All feature content below shipped in 1.4.0.
Note: ACH bank-account support is not included in this release. Bank-account APIs may exist in the repository for internal QA only — merchants must not integrate ACH until it is announced under its own version.
Breaking Changes
- Headless
SPLTextField/SPLTextFieldViewControllerdisplay now followsSpreedly.shared().setNumberFormat(_:)/toggleMask()/hostedCardDisplayState; per-field display overrides were removed. CardFormDropIn/CardFormDropInViewControllerremovedshowPanMaskToggleandshowsAutofillTogglein favor of the same merchant-controlled mask/autofill APIs.resetPaymentSession()was removed.CardFormDropInnow clears secure values on dismiss and refreshes on each open while keeping merchant mask/format settings; useresetPaymentState()/reset()for a full wipe.- CVV recache results now deliver only via
subscribeToRecacheResults/SpreedlyRecacheDelegate. - Stripe APM dismiss and Braintree user-cancel now emit
PaymentResult.canceled()— callers that treated cancellation as failure must switch to checkingresult.isCanceled.
Added
- Express core field copy (
DropInCoreFieldLabels,CardFormDropInDisplayConfig) and iframe-style PAN/CVV display controls (CardNumberFormat,hostedCardDisplayState,setNumberFormat,toggleMask()), mirroring the Android additions above. - Lifecycle mask overlay, typed field-state snapshots (
onFieldStateChange/HostedFieldState),areAllFieldsValid,getRegisteredFieldCount, andresetPaymentFormPreservingDisplayConfig(). EmailValidator, hosted-field autofill, and anallowInternationalZipCodesvalidation parameter.Spreedly.isInitialized, now true only after a fully signedsetup(config:)call.- Braintree PayPal vault/checkout-with-vault flows, device-data gating, Venmo usage mapping, client-token 24-hour validation, and payment-type mismatch checks — matching the Android release.
- Stripe APM PaymentSheet appearance customization and a gateway-specific 3DS completion safety net for apps that skip
finalizeTransaction. - A legacy-iframe migration guide.
Changed
- PAN/CVV masking, display-reset, and post-tokenize display behavior changed to match the Android release (see above).
- Braintree checkout always fetches transaction status before launch and removed the iOS-only 60-second tokenize timeout.
- Worldpay gateway-specific 3DS tightened device-fingerprint completion detection to avoid spurious early completion from unrelated browser messages.
Fixed
- Expiry month field padding, autofill/card-scan parsing, and optional-CVV recache fixes matching the Android release.
- Braintree
client_tokenexpiry, status/cancel handling, and empty-transaction-token edge cases resolved. - Merchant
setNumberFormat/toggleMasknow survives sheet re-open;PAN_MASK_CHANGEDevents match the display format at the time they're emitted.

