The Payment Landscape for Flutter Mobile Apps in 2025
In-app payments are the revenue engine for mobile businesses—e-commerce, subscriptions, on-demand services, and digital goods. For Flutter developers, the two dominant payment processors are Stripe (developer-focused, API-first) and PayPal (consumer-trusted, globally recognized). Choosing between them—or implementing both—requires understanding their SDKs, pricing models, supported payment methods (credit cards, Apple Pay, Google Pay, Buy Now Pay Later), and PCI compliance implications. A poorly implemented payment flow leads to abandoned carts; a well-implemented one is invisible to the user.
Stripe Integration: flutter_stripe Package Setup
The official flutter_stripe package (maintained by Stripe) provides native UI components for card input, Apple Pay, and Google Pay. Add `flutter_stripe` to `pubspec.yaml`. Initialize Stripe in `main.dart` with `Stripe.publishableKey = 'pk_live_...'`. On iOS, add the `StripePublishableKey` to `Info.plist`. On Android, set `minSdkVersion` to 21 and add the `INTERNET` permission. The package provides `CardFormField()` for PCI-compliant card input and `PaymentSheet` for Stripe's pre-built, optimized checkout UI that handles card validation, error states, and localization automatically.
Server-Side PaymentIntents and Client Confirmation
Stripe's architecture enforces server-side payment creation for security. Your backend server creates a PaymentIntent using the Stripe API: `stripe.paymentIntents.create({ amount: 2000, currency: 'usd' })`. This returns a `client_secret`. Your Flutter app receives this secret and presents the PaymentSheet: `await Stripe.instance.initPaymentSheet(paymentSheetParameters: SetupPaymentSheetParameters(paymentIntentClientSecret: clientSecret))`. When the user confirms, `await Stripe.instance.presentPaymentSheet()` handles the entire checkout flow—card entry, 3D Secure authentication, and payment confirmation—within Stripe's PCI-compliant native UI.
Apple Pay and Google Pay Integration with Stripe
Stripe's Flutter SDK natively supports Apple Pay and Google Pay, enabling one-tap checkout. For Apple Pay, configure a Merchant ID in your Apple Developer account, add the `ApplePay` capability to your Xcode project, and call `await Stripe.instance.isApplePaySupported()` to check availability. For Google Pay, add `com.google.android.gms:play-services-wallet` to your Android dependencies. Both wallets are presented through the PaymentSheet automatically when available, or can be triggered explicitly. These wallet integrations reduce checkout friction by 40–60% compared to manual card entry, directly improving conversion rates.
PayPal Integration: REST API and WebView Approach
PayPal integration in Flutter typically uses PayPal's REST API with a WebView-based checkout flow. Create a PayPal app in the Developer Dashboard to obtain Client ID and Secret. Your backend creates an Order using `POST /v2/checkout/orders` with the amount and currency. The API returns an approval URL. Your Flutter app opens this URL in an `InAppWebView`, where the user logs into PayPal and approves the payment. After approval, PayPal redirects to your return URL with the order ID. Your backend captures the payment with `POST /v2/checkout/orders/{id}/capture`. This approach gives users the familiar PayPal interface with buyer protection.
Webhook Integration for Reliable Payment Confirmation
Never rely solely on client-side payment confirmation. Network failures, app crashes, or user navigation can prevent the client from receiving the success callback. Webhooks provide the authoritative, server-side confirmation. Configure your backend to receive Stripe webhooks (`payment_intent.succeeded`, `payment_intent.payment_failed`) or PayPal webhooks (`PAYMENT.CAPTURE.COMPLETED`). Verify webhook signatures to prevent spoofing. Update your database and trigger fulfillment logic (order creation, subscription activation, receipt email) only upon receiving the verified webhook event—never based on client-side callbacks alone.
PCI Compliance and Security Best Practices
PCI DSS compliance is mandatory for any application handling credit card data. Both Stripe and PayPal reduce your PCI scope at the SDK level: card data never touches your server when you use Stripe's `CardFormField` or PayPal's checkout page. Critical rules: never log or store raw card numbers, CVVs, or expiration dates. Use HTTPS for all API communication. Keep the secret API key on the backend, loaded from environment variables, and never ship it in client-side code; only the publishable key belongs in the app. Implement idempotency keys on payment creation requests so that a client retry after a timeout cannot produce a duplicate charge. For subscriptions, use Stripe's `SetupIntent` to securely save payment methods for recurring billing.
Sandbox Testing and Production Launch Checklist
Both Stripe and PayPal provide sandbox environments for risk-free testing. Stripe's test mode uses `pk_test_...` keys with test card numbers (4242424242424242 for success, 4000000000000002 for decline). PayPal's sandbox provides test buyer/seller accounts. Test every scenario: successful payments, declined cards, 3D Secure challenges, webhook delivery, refunds, and network timeouts. Before going live, switch to production API keys, verify webhook endpoints are configured for production URLs, enable Stripe Radar for fraud detection, and run a final end-to-end payment test with a real $1.00 charge that you immediately refund.