*.y.uno origin and calls Yuno services directly. White-labeling lets you serve that same hosted checkout under your own domain (e.g. pay.yourbrand.com) with the Yuno branding removed and every subsequent request — SDK bundle, assets, API, WebSocket, 3DS — routed through your infrastructure.
How it works
Two things make the hosted checkout render under your domain:- A proxy under your domain that forwards checkout, asset, API, and WebSocket traffic to the matching Yuno upstreams — so the browser only ever talks to your origin. See White Label Proxy Server for a reference implementation and local test harness.
- A rewritten redirect URL. Yuno’s API returns the default
checkout.<env>.y.unoURL, so your backend intercepts and rewrites it before serving it to the customer: swap the domain for yours and appendapiUrl/assetUrlquery parameters that tell the SDK where to route requests and load assets.
URL rewrite steps
Perform these on your backend, on the redirect URL returned by the Yuno API:- Intercept the API response. Catch the payload containing the default
checkout.<env>.y.unoredirect URL generated by Yuno. - Replace the base domain. Swap
checkout.<env>.y.unofor your white-labeled domain (e.g.pay.yourbrand.com). - Append the required query parameters. Add
apiUrlandassetUrl. The SDK relies on these overrides to route all subsequent payment requests and to load visual assets through your infrastructure instead of Yuno’s. - Register your domains with Yuno. Send your checkout domain,
apiUrl, andassetUrlto your Yuno account representative so they can be added to the Payment Link security allowlist before you go live (see Security).
Parameter reference
| Parameter | Type | Description |
|---|---|---|
session | String | The session identifier generated by the Payment Link API. Keep it unchanged. |
apiUrl | String | Base URL the SDK uses to route and forward payment requests (REST + WebSocket) and the checkout BFF. |
assetUrl | String | Base URL the SDK fetches its script bundle, images, stylesheets, and other frontend assets from. |
apiUrl and assetUrl support a sub-path (the SDK preserves the prefix on every downstream request), so they can point at a proxy mounted under a path — e.g. https://pay.yourbrand.com/checkout.
Typically
apiUrl and assetUrl are the same origin — the proxy under your domain. The SDK uses the value verbatim — it only appends its own version segment (e.g. …/v1.9/main.js) when assetUrl doesn’t already end with one.Security
TheapiUrl / assetUrl parameters are part of a link that reaches the customer’s browser, so they are attacker-influenceable — and assetUrl drives the origin the SDK script loads from. An unvalidated value would be remote-script execution against the checkout. Yuno gates them accordingly:
- Host allowlist. An override is honored only when its host exactly matches a domain Yuno has approved for your Payment Links. The feature is off by default — unknown hosts are ignored and the checkout falls back to the Yuno origin.
https:only, exact host match (no subdomain wildcards), with WHATWG URL parsing (so tricks likehttps://approved@evil.comresolve toevil.comand are rejected).
What gets de-branded
When a valid white-label override is active, the hosted checkout shell is de-branded:- The browser tab
<title>and meta are neutral (no “Yuno”). - The loader element and its DOM event use the neutral
sdk-payments-*surface (matching the SDK White Label rename). - The “Secure by Yuno” tag is hidden.
- No
*.y.unorequest originates from the page — the SDK bundle, assets, checkout BFF, REST/WebSocket, and 3DS all resolve through yourapiUrl/assetUrlorigin.
Requirements
- A hosted checkout build with white-label support (checkout shell on
@yuno-payments/sdk-web^1.9.1or later — the same release that shipped the SDK White Label rename). - Your checkout domain,
apiUrl, andassetUrlallowlisted by Yuno. - A proxy under your domain forwarding to the Yuno upstreams — see White Label Proxy Server.
Verifying the setup
Load a white-labeled Payment Link and confirm in browser DevTools:- Network tab — no requests to any
*.y.unohost (SDK bundle, checkout BFF, REST, WebSocket, 3DS). All traffic goes to your domain. - The browser tab title and loader are de-branded, and the “Secure by Yuno” tag is absent.
- A payment (including a 3DS challenge, if applicable) completes end-to-end and returns to the checkout under your domain.
See also
- White Label (Web SDK) — the
apiUrl/assetUrloverrides and de-branded SDK surface this builds on. - White Label Proxy Server — reference proxy + local test harness for both white-label surfaces.
- Payment Links — creating the links this applies to.