I have tried different ways to handle payment via a no-webhook flow, but the only solution is to call the Stripe API directly from my Dart code as follows:
```dart
import 'package:http/http.dart' as http;

// Calls Stripe's PaymentIntents endpoint straight from the app.
// _calculateAmount and AppConfig are defined elsewhere in the project.
Future<http.Response> createPaymentIntent(
    num amount, String currency, String description, String email) async {
  var response = await http.post(
    Uri.parse('https://api.stripe.com/v1/payment_intents'),
    body: {
      'amount': _calculateAmount(amount), // smallest currency unit, e.g. cents
      'currency': currency,
      'payment_method_types[]': 'card',
      'description': description,
      'receipt_email': email,
    },
    headers: {
      // The secret key is read from app config, i.e. it ships inside the app.
      'Authorization': 'Bearer ${AppConfig.instance.stripeSecretKey}',
      'Content-Type': 'application/x-www-form-urlencoded',
    },
  );
  return response;
}
```
Is my code still PCI compliant and properly secured to use in production?
Your code is still PCI compliant, but not secure. The secret key must be stored securely in your web or mobile app's server-side code (such as in an environment variable or credential management system). Calling from Dart means you are exposing your credential to the whole world. It's explained in the Stripe docs.
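What the answer's server-side placement looks like in practice, as an added example that is not part of the question or the answer: a small Python backend handler (the stack, the `create_payment_intent`/`load_secret_key` names and the `CATALOGUE` price list are all assumptions made for illustration) that reads the key from a `STRIPE_SECRET_KEY` environment variable, makes the same PaymentIntent call the question makes, and hands the app only the `client_secret`. The app then calls this handler instead of api.stripe.com, so the secret key never leaves the server.

```python
import json
import os
import urllib.parse
import urllib.request

STRIPE_API = "https://api.stripe.com/v1/payment_intents"

# Constructed server-side price list (smallest currency unit, e.g. cents).
# The app sends a SKU, not an amount, so a tampered client cannot set its own price.
CATALOGUE = {"sku_basic": (1999, "usd"), "sku_pro": (4999, "usd")}

def load_secret_key(env=os.environ):
    """Read the secret key from the environment, never from app code."""
    key = env.get("STRIPE_SECRET_KEY", "")
    if not key.startswith("sk_"):
        raise RuntimeError("STRIPE_SECRET_KEY missing or not a secret (sk_) key")
    return key

def build_intent_request(sku, email, secret_key):
    """Same form-encoded call as in the question, but built on the server."""
    if sku not in CATALOGUE:
        raise ValueError(f"unknown sku {sku!r}")
    amount, currency = CATALOGUE[sku]
    body = urllib.parse.urlencode({
        "amount": amount,
        "currency": currency,
        "payment_method_types[]": "card",
        "receipt_email": email,
    }).encode()
    headers = {
        "Authorization": f"Bearer {secret_key}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(STRIPE_API, data=body, headers=headers, method="POST")

def _http_send(req):
    """Default transport; tests inject a fake that returns canned bytes."""
    with urllib.request.urlopen(req) as resp:
        return resp.read()

def create_payment_intent(sku, email, env=os.environ, send=_http_send):
    """Backend handler: returns only what the Flutter app needs to confirm."""
    req = build_intent_request(sku, email, load_secret_key(env))
    intent = json.loads(send(req))
    # Only the client_secret crosses the trust boundary; the secret key and
    # the full PaymentIntent object never leave the server.
    return {"client_secret": intent["client_secret"]}
```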