Skip to main content
The unitpayHandler from @unitpay/react/next lets you route SDK calls through your Next.js backend instead of calling the UnitPay API directly. The secret key stays server-side, and requests never leave your domain.

Usage

Add a catch-all route handler:
// app/api/unitpay/[...path]/route.ts
import { unitpayHandler } from '@unitpay/react/next';

const handler = unitpayHandler({
  apiKey: process.env.UNITPAY_SECRET_KEY!,
  apiBaseUrl: 'https://api.useunitpay.com/v1',
  allowedOrigins: [process.env.NEXT_PUBLIC_APP_URL!],
  getCustomerId: async (request) => resolveCustomerFromSession(request),
});

export {
  handler as GET,
  handler as POST,
  handler as PUT,
  handler as PATCH,
  handler as DELETE,
};
Then point the provider at the proxy instead of the API:
import { UnitPayProvider } from '@unitpay/react';

<UnitPayProvider config={{ customerId: 'cus_...', proxyBaseUrl: '/api/unitpay' }}>
  <App />
</UnitPayProvider>

Parameters

apiKey
string
required
Your UnitPay secret key. Read it from a server-only environment variable — never expose it to the browser.
getCustomerId
(request: Request) => Promise<string | null>
required
Resolve the authenticated customer for the incoming request (from your session/auth). Return null for an unauthenticated request — the handler responds 401.
apiBaseUrl
string
UnitPay API base URL. Defaults to https://api.useunitpay.com/v1.
allowedOrigins
string[] | '*'
Origins permitted to call the proxy. Requests with an Origin outside this list are rejected with 403. Pass '*' to disable the check (not recommended in production). When omitted, the Origin check is skipped.
maxBodyBytes
number
Maximum request body size. Defaults to 1 MB; larger bodies are rejected with 413.
Security defaults: disallowed methods → 405; off-allowlist Origin403; oversized bodies → 413. Only GET, POST, PUT, PATCH, and DELETE are forwarded.