Go-Live Checklist

Hosted Experience is simple to integrate, but it still carries sensitive borrower data and server-side credentials. Use this checklist before sharing the integration with real borrowers.

API Key Safety

  • Store the Aarthik Labs API key only on your back-end.
  • Never expose the API key in front-end JavaScript, mobile app bundles, browser storage, logs, analytics tools, or crash reports.
  • Use the correct key for the correct environment.
  • Rotate the key immediately if it is exposed.
  • Restrict internal access to the key to the services and operators that need it.

Borrower Data

  • Send only data that your application is allowed to share with Aarthik Labs.
  • Treat borrower profile, work, address, and gold-loan details as sensitive data.
  • Avoid logging full request payloads in application logs.
  • If logs are required for debugging, redact contact numbers, PAN, email, address, Account Aggregator IDs, and income values.
  • Keep borrowerProviderID stable across sessions for the same borrower.

Embed URL Handling

  • Return only embedURL to the front-end.
  • Open embedURL immediately after creation.
  • Do not store embedURL as a long-term resume link.
  • Create a fresh URL when the borrower returns later.
  • Avoid sharing the URL through analytics tools or third-party trackers because the URL fragment contains short-lived session material.
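The three sections above (API Key Safety, Borrower Data, Embed URL Handling) describe one back-end responsibility: hold the key, call the platform, log a redacted payload, and hand the browser nothing but embedURL. The Node.js module below is an added example written for this checklist, not Aarthik Labs' own code or SDK. It assumes, as hypotheticals, the environment variable name AARTHIK_LABS_API_KEY, a session-creation endpoint at POST /api/lab/sessions on a placeholder host, an X-API-Key header, and the borrower field names used in the redaction list; substitute the real names from your integration contract. It also covers the "platform returns 400, 401, 404, or 500" case from Pre-launch Test Cases by mapping each status to a generic client response.

```javascript
// Added example (not Aarthik Labs' code). Hypothetical: env var name, platform
// host and path, header name, and the borrower field names below.
const PLATFORM_SESSION_URL = 'https://platform.example-placeholder/api/lab/sessions';

// Fields the checklist says must never reach application logs.
// borrowerProviderID is deliberately NOT listed: support needs the borrower reference.
const SENSITIVE_FIELDS = new Set([
  'contactNumber', 'pan', 'email', 'address',
  'accountAggregatorId', 'monthlyIncome', 'annualIncome',
]);

// Returns a redacted deep copy of a payload; the original object is not mutated.
// A sensitive key is redacted whole, so a nested `address` object disappears too.
function redactPayload(value, key = '') {
  if (SENSITIVE_FIELDS.has(key)) return '[REDACTED]';
  if (Array.isArray(value)) return value.map((v) => redactPayload(v));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactPayload(v, k);
    return out;
  }
  return value;
}

// Builds the server-to-platform request. The key is read from the back-end
// environment and attached here only; it never appears in a client response.
function buildPlatformRequest(payload, apiKey) {
  if (!apiKey) throw new Error('AARTHIK_LABS_API_KEY is not configured in the back-end environment');
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'X-API-Key': apiKey },
    body: JSON.stringify(payload),
  };
}

// Converts the platform result into what the front-end is allowed to see:
// on success only embedURL (with no-store so the response is never cached),
// on failure a generic error code and never the platform's own body.
function toClientResponse(status, platformBody) {
  if (status >= 200 && status < 300) {
    if (typeof platformBody?.embedURL !== 'string') return { status: 502, body: { error: 'upstream_error' } };
    return { status: 200, headers: { 'Cache-Control': 'no-store' }, body: { embedURL: platformBody.embedURL } };
  }
  if (status === 400) return { status: 400, body: { error: 'invalid_request' } };
  if (status === 401) return { status: 502, body: { error: 'upstream_auth' } }; // key problem: operator issue, not the borrower's
  if (status === 404) return { status: 404, body: { error: 'not_found' } };
  return { status: 502, body: { error: 'upstream_error' } };
}

// Glue used by an HTTP handler. fetchImpl is injectable for testing.
async function createHostedSession(payload, { fetchImpl = globalThis.fetch, env = process.env, logger = console } = {}) {
  const request = buildPlatformRequest(payload, env.AARTHIK_LABS_API_KEY);
  logger.info('hosted session requested', redactPayload(payload)); // redacted, never the raw payload
  const res = await fetchImpl(PLATFORM_SESSION_URL, request);
  const platformBody = res.status >= 200 && res.status < 300 ? await res.json() : null;
  const out = toClientResponse(res.status, platformBody);
  if (out.status !== 200) {
    logger.warn('hosted session creation failed', { platformStatus: res.status, borrowerProviderID: payload.borrowerProviderID });
  }
  return out;
}
```

Wire `createHostedSession` behind an authenticated route of your own back-end; the front-end calls that route, receives `{ embedURL }`, and opens it at once. Because `toClientResponse` whitelists a single field, any extra fields the platform may return stay server-side without further code changes.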

Domain And Surface Setup

For iframe integrations:

  • ask Aarthik Labs to allowlist your production domain for the application
  • use HTTPS in production
  • allow the Hosted Experience URL as a frame source in your own Content Security Policy
  • provide iframe permissions for camera, microphone, and clipboard when the borrower journey needs them

Recommended iframe permission string:

allow="camera; microphone; clipboard-read; clipboard-write"

For mobile webviews or app shells:

  • register the Hosted mobile bridge before opening the Hosted URL
  • handle aarthik-labs:open-external and aarthik-labs:exit
  • make sure the app surface can open the URL immediately
  • allow camera and file permissions when required by the journey
  • create a fresh URL when the borrower re-enters from push notifications, app resume, or a deep link

Product Availability

Before showing product-specific entry points:

  • call GET /api/lab/features
  • show Personal Loan only when personalLoanEnabled is true
  • show Gold Loan only when goldLoanEnabled is true
  • hide or disable unavailable products in your UI
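On the front-end side, Domain And Surface Setup and Product Availability together amount to: show only the products the features call enables, fetch a fresh embedURL when the borrower enters, mount it immediately in an iframe carrying the recommended permission string, and keep the URL fragment away from analytics. The browser module below is an added example for this checklist, not Aarthik Labs' own code. It assumes, as hypotheticals, a back-end proxy route POST /hosted/session that returns only { embedURL } (as the back-end sections require) and a features object exposing the two flags named above; the `doc` parameter exists only so the mounting logic can be exercised outside a browser.

```javascript
// Added example (not Aarthik Labs' code). Hypothetical: the /hosted/session
// back-end route; the two feature flags are the ones named in the checklist.
const IFRAME_ALLOW = 'camera; microphone; clipboard-read; clipboard-write';

// Which entry point depends on which availability flag from GET /api/lab/features.
const PRODUCTS = [
  { id: 'personal-loan', label: 'Personal Loan', flag: 'personalLoanEnabled' },
  { id: 'gold-loan', label: 'Gold Loan', flag: 'goldLoanEnabled' },
];

// Only a flag that is exactly `true` shows a product; a missing, null or
// string flag hides it, so a partial features response fails closed.
function availableProducts(features) {
  return PRODUCTS.filter((p) => features && features[p.flag] === true).map((p) => p.id);
}

// Drops the fragment before a URL is passed to any analytics or logging call:
// the checklist notes the fragment carries short-lived session material.
function stripSessionMaterial(embedURL) {
  const u = new URL(embedURL);
  u.hash = '';
  return u.toString();
}

// Mounts the Hosted Experience right away. `doc` defaults to the real document;
// tests pass a stand-in. The URL is not written to storage anywhere.
function mountHostedExperience(embedURL, container, doc = globalThis.document) {
  const u = new URL(embedURL); // throws on a malformed URL
  if (u.protocol !== 'https:') throw new Error('embedURL must use https');
  const frame = doc.createElement('iframe');
  frame.setAttribute('src', embedURL);
  frame.setAttribute('allow', IFRAME_ALLOW);
  frame.setAttribute('title', 'Aarthik Labs Hosted Experience');
  container.appendChild(frame);
  return frame;
}

// Called on every entry (button click, app resume, deep link): asks the
// back-end for a new session instead of reusing a previously seen embedURL.
async function openFreshSession(productId, container, { fetchImpl = globalThis.fetch, doc } = {}) {
  const res = await fetchImpl('/hosted/session', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ productId }),
  });
  if (!res.ok) throw new Error(`session creation failed with status ${res.status}`);
  const { embedURL } = await res.json();
  return mountHostedExperience(embedURL, container, doc);
}
```

Render one button per id returned by `availableProducts` and have each button call `openFreshSession`; if something must be reported to analytics, report `stripSessionMaterial(embedURL)` rather than the raw URL.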

Pre-launch Test Cases

Test each enabled product with:

  • a new borrower using minimal pre-fill
  • a new borrower using extended pre-fill
  • an existing borrower using the same borrowerProviderID
  • a disabled product entry point
  • an expired or old embedURL
  • an iframe load on your production-like domain
  • camera or document capture steps where applicable
  • back-end behavior when the platform returns 400, 401, 404, or 500

Production Readiness Checklist

Before launch, confirm:

  • API key is configured in the back-end environment only
  • product availability flags match the products you show to borrowers
  • domain allowlisting is complete
  • front-end iframe or webview permissions are configured
  • borrower identity mapping is stable
  • back-end does not cache session creation responses
  • back-end returns only embedURL to the front-end
  • support teams know the tenant, application, environment, borrower reference, and timestamp to share during escalation