From d86b994222a2469b6a8ca30c582b257f957153fb Mon Sep 17 00:00:00 2001
From: ignaciosantise <25931366+ignaciosantise@users.noreply.github.com>
Date: Thu, 26 Feb 2026 16:33:18 -0300
Subject: [PATCH 1/2] fix(pos-app): rename partner API key to customer API key

---
 dapps/pos-app/.env.example                    |   2 +-
 dapps/pos-app/AGENTS.md                       |   6 +-
 .../hooks/use-url-credentials.test.ts         |  20 +--
 .../__tests__/services/payment.test.ts        |  12 +-
 .../__tests__/store/useSettingsStore.test.ts  |  40 ++---
 .../__tests__/utils/secure-storage.test.ts    | 137 +++++++++++++-----
 .../pos-app/__tests__/utils/store-helpers.ts  |  10 +-
 dapps/pos-app/app.json                        |   2 +-
 dapps/pos-app/app/index.tsx                   |   4 +-
 dapps/pos-app/app/settings.tsx                |  60 ++++----
 dapps/pos-app/hooks/use-merchant-flow.ts      |  67 +++++----
 dapps/pos-app/hooks/use-url-credentials.ts    |  20 +--
 dapps/pos-app/services/payment.ts             |  10 +-
 dapps/pos-app/services/payment.web.ts         |   4 +-
 dapps/pos-app/store/useSettingsStore.ts       |  65 +++++----
 dapps/pos-app/utils/merchant-config.ts        |   8 +-
 dapps/pos-app/utils/secure-storage.ts         |  41 ++++--
 dapps/pos-app/utils/secure-storage.web.ts     |  35 +++--
 18 files changed, 320 insertions(+), 223 deletions(-)

diff --git a/dapps/pos-app/.env.example b/dapps/pos-app/.env.example
index 2c0295ae..bb5b4c00 100644
--- a/dapps/pos-app/.env.example
+++ b/dapps/pos-app/.env.example
@@ -4,6 +4,6 @@ SENTRY_AUTH_TOKEN=""
 EXPO_PUBLIC_API_URL=""
 EXPO_PUBLIC_GATEWAY_URL=""
 EXPO_PUBLIC_DEFAULT_MERCHANT_ID=""
-EXPO_PUBLIC_DEFAULT_PARTNER_API_KEY=""
+EXPO_PUBLIC_DEFAULT_CUSTOMER_API_KEY=""
 EXPO_PUBLIC_MERCHANT_API_URL=""
 EXPO_PUBLIC_MERCHANT_PORTAL_API_KEY=""
\ No newline at end of file
diff --git a/dapps/pos-app/AGENTS.md b/dapps/pos-app/AGENTS.md
index 11c9f829..259dd3b1 100644
--- a/dapps/pos-app/AGENTS.md
+++ b/dapps/pos-app/AGENTS.md
@@ -258,7 +258,7 @@ SENTRY_AUTH_TOKEN=""                   # Sentry authentication token
 EXPO_PUBLIC_API_URL=""                 # Payment API base URL
 EXPO_PUBLIC_GATEWAY_URL=""             # WalletConnect gateway URL
 EXPO_PUBLIC_DEFAULT_MERCHANT_ID=""     # Default merchant ID (optional)
-EXPO_PUBLIC_DEFAULT_PARTNER_API_KEY="" # Default partner API key (optional)
+EXPO_PUBLIC_DEFAULT_CUSTOMER_API_KEY="" # Default customer API key (optional)
 EXPO_PUBLIC_MERCHANT_API_URL=""        # Merchant Portal API base URL
 EXPO_PUBLIC_MERCHANT_PORTAL_API_KEY="" # Merchant Portal API key (for Activity screen)
 ```
@@ -678,10 +678,10 @@ const { data, isLoading, error } = usePaymentStatus(paymentId, {
 import { secureStorage, SECURE_STORAGE_KEYS } from "@/utils/secure-storage";
 
 // Store
-await secureStorage.setItem(SECURE_STORAGE_KEYS.PARTNER_API_KEY, apiKey);
+await secureStorage.setItem(SECURE_STORAGE_KEYS.CUSTOMER_API_KEY, apiKey);
 
 // Retrieve
-const apiKey = await secureStorage.getItem(SECURE_STORAGE_KEYS.PARTNER_API_KEY);
+const apiKey = await secureStorage.getItem(SECURE_STORAGE_KEYS.CUSTOMER_API_KEY);
 ```
 
 ## Code Quality Guidelines
diff --git a/dapps/pos-app/__tests__/hooks/use-url-credentials.test.ts b/dapps/pos-app/__tests__/hooks/use-url-credentials.test.ts
index f8f8e039..88634721 100644
--- a/dapps/pos-app/__tests__/hooks/use-url-credentials.test.ts
+++ b/dapps/pos-app/__tests__/hooks/use-url-credentials.test.ts
@@ -36,11 +36,11 @@ afterEach(() => {
 });
 
 describe("useUrlCredentials", () => {
-  it("applies both merchantId and partnerApiKey from base64-encoded URL params", async () => {
+  it("applies both merchantId and customerApiKey from base64-encoded URL params", async () => {
     const merchantId = "test-merchant-123";
     const apiKey = "test-api-key-456";
     setWindowLocation(
-      `?merchantId=${toBase64(merchantId)}&partnerApiKey=${toBase64(apiKey)}`,
+      `?merchantId=${toBase64(merchantId)}&customerApiKey=${toBase64(apiKey)}`,
     );
 
     useSettingsStore.setState({ _hasHydrated: true });
@@ -50,11 +50,11 @@ describe("useUrlCredentials", () => {
 
     const state = useSettingsStore.getState();
     expect(state.merchantId).toBe(merchantId);
-    expect(state.isPartnerApiKeySet).toBe(true);
+    expect(state.isCustomerApiKeySet).toBe(true);
     expect(router.replace).toHaveBeenCalledWith("/");
   });
 
-  it("applies only merchantId when partnerApiKey is absent", async () => {
+  it("applies only merchantId when customerApiKey is absent", async () => {
     const merchantId = "only-merchant";
     setWindowLocation(`?merchantId=${toBase64(merchantId)}`);
 
@@ -65,12 +65,12 @@ describe("useUrlCredentials", () => {
 
     const state = useSettingsStore.getState();
     expect(state.merchantId).toBe(merchantId);
-    expect(state.isPartnerApiKeySet).toBe(false);
+    expect(state.isCustomerApiKeySet).toBe(false);
   });
 
-  it("applies only partnerApiKey when merchantId is absent", async () => {
+  it("applies only customerApiKey when merchantId is absent", async () => {
     const apiKey = "only-api-key";
-    setWindowLocation(`?partnerApiKey=${toBase64(apiKey)}`);
+    setWindowLocation(`?customerApiKey=${toBase64(apiKey)}`);
 
     useSettingsStore.setState({ _hasHydrated: true, merchantId: null });
 
@@ -79,7 +79,7 @@ describe("useUrlCredentials", () => {
 
     const state = useSettingsStore.getState();
     expect(state.merchantId).toBeNull();
-    expect(state.isPartnerApiKeySet).toBe(true);
+    expect(state.isCustomerApiKeySet).toBe(true);
   });
 
   it("does nothing when no URL params are present", async () => {
@@ -132,7 +132,7 @@ describe("useUrlCredentials", () => {
 
   it("logs actions when credentials are applied", async () => {
     setWindowLocation(
-      `?merchantId=${toBase64("log-test")}&partnerApiKey=${toBase64("log-key")}`,
+      `?merchantId=${toBase64("log-test")}&customerApiKey=${toBase64("log-key")}`,
     );
 
     useSettingsStore.setState({ _hasHydrated: true });
@@ -144,6 +144,6 @@ describe("useUrlCredentials", () => {
     const infoLogs = logs.filter((l) => l.level === "info");
     expect(infoLogs).toHaveLength(2);
     expect(infoLogs[0].message).toContain("Merchant ID set from URL");
-    expect(infoLogs[1].message).toContain("Partner API key set from URL");
+    expect(infoLogs[1].message).toContain("Customer API key set from URL");
   });
 });
diff --git a/dapps/pos-app/__tests__/services/payment.test.ts b/dapps/pos-app/__tests__/services/payment.test.ts
index a3506101..ec55523b 100644
--- a/dapps/pos-app/__tests__/services/payment.test.ts
+++ b/dapps/pos-app/__tests__/services/payment.test.ts
@@ -42,10 +42,10 @@ describe("Payment Service", () => {
   describe("getApiHeaders (via startPayment/getPaymentStatus)", () => {
     it("should throw error when merchant ID is not configured", async () => {
       // Set API key but not merchant ID
-      await SecureStore.setItemAsync("partner_api_key", "test-api-key");
+      await SecureStore.setItemAsync("customer_api_key", "test-api-key");
       useSettingsStore.setState({
         merchantId: null,
-        isPartnerApiKeySet: true,
+        isCustomerApiKeySet: true,
       });
 
       await expect(
@@ -57,10 +57,10 @@ describe("Payment Service", () => {
     });
 
     it("should throw error when merchant ID is empty string", async () => {
-      await SecureStore.setItemAsync("partner_api_key", "test-api-key");
+      await SecureStore.setItemAsync("customer_api_key", "test-api-key");
       useSettingsStore.setState({
         merchantId: "   ", // whitespace only
-        isPartnerApiKeySet: true,
+        isCustomerApiKeySet: true,
       });
 
       await expect(
@@ -74,7 +74,7 @@ describe("Payment Service", () => {
     it("should throw error when API key is not configured", async () => {
       useSettingsStore.setState({
         merchantId: "merchant-123",
-        isPartnerApiKeySet: false,
+        isCustomerApiKeySet: false,
       });
       // Don't set the API key in secure storage
 
@@ -83,7 +83,7 @@ describe("Payment Service", () => {
           referenceId: "ref-123",
           amount: { value: "1000", unit: "cents" },
         }),
-      ).rejects.toThrow("Partner API key is not configured");
+      ).rejects.toThrow("Customer API key is not configured");
     });
 
     it("should include correct headers when merchant is configured", async () => {
diff --git a/dapps/pos-app/__tests__/store/useSettingsStore.test.ts b/dapps/pos-app/__tests__/store/useSettingsStore.test.ts
index 0f1a34c7..ddf39622 100644
--- a/dapps/pos-app/__tests__/store/useSettingsStore.test.ts
+++ b/dapps/pos-app/__tests__/store/useSettingsStore.test.ts
@@ -34,9 +34,9 @@ describe("useSettingsStore", () => {
       expect(merchantId).toBeNull();
     });
 
-    it("should have isPartnerApiKeySet as false", () => {
-      const { isPartnerApiKeySet } = useSettingsStore.getState();
-      expect(isPartnerApiKeySet).toBe(false);
+    it("should have isCustomerApiKeySet as false", () => {
+      const { isCustomerApiKeySet } = useSettingsStore.getState();
+      expect(isCustomerApiKeySet).toBe(false);
     });
 
     it("should have zero failed PIN attempts", () => {
@@ -155,57 +155,57 @@ describe("useSettingsStore", () => {
     });
   });
 
-  describe("setPartnerApiKey / clearPartnerApiKey / getPartnerApiKey", () => {
+  describe("setCustomerApiKey / clearCustomerApiKey / getCustomerApiKey", () => {
     it("should store API key in secure storage", async () => {
-      const { setPartnerApiKey } = useSettingsStore.getState();
+      const { setCustomerApiKey } = useSettingsStore.getState();
 
-      await setPartnerApiKey("api-key-123");
+      await setCustomerApiKey("api-key-123");
 
-      expect(useSettingsStore.getState().isPartnerApiKeySet).toBe(true);
+      expect(useSettingsStore.getState().isCustomerApiKeySet).toBe(true);
       expect(SecureStore.setItemAsync).toHaveBeenCalledWith(
-        "partner_api_key",
+        "customer_api_key",
         "api-key-123",
       );
     });
 
     it("should retrieve API key from secure storage", async () => {
       // First store the key
-      await useSettingsStore.getState().setPartnerApiKey("api-key-456");
+      await useSettingsStore.getState().setCustomerApiKey("api-key-456");
 
       // Then retrieve it
-      const apiKey = await useSettingsStore.getState().getPartnerApiKey();
+      const apiKey = await useSettingsStore.getState().getCustomerApiKey();
 
       expect(apiKey).toBe("api-key-456");
     });
 
     it("should clear API key from secure storage", async () => {
       // First store a key
-      await useSettingsStore.getState().setPartnerApiKey("api-key-789");
-      expect(useSettingsStore.getState().isPartnerApiKeySet).toBe(true);
+      await useSettingsStore.getState().setCustomerApiKey("api-key-789");
+      expect(useSettingsStore.getState().isCustomerApiKeySet).toBe(true);
 
       // Clear it
-      await useSettingsStore.getState().clearPartnerApiKey();
+      await useSettingsStore.getState().clearCustomerApiKey();
 
-      expect(useSettingsStore.getState().isPartnerApiKeySet).toBe(false);
+      expect(useSettingsStore.getState().isCustomerApiKeySet).toBe(false);
       expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith(
-        "partner_api_key",
+        "customer_api_key",
       );
     });
 
     it("should remove API key when setting null", async () => {
       // First store a key
-      await useSettingsStore.getState().setPartnerApiKey("api-key-to-remove");
+      await useSettingsStore.getState().setCustomerApiKey("api-key-to-remove");
 
       // Set to null
-      await useSettingsStore.getState().setPartnerApiKey(null);
+      await useSettingsStore.getState().setCustomerApiKey(null);
 
       expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith(
-        "partner_api_key",
+        "customer_api_key",
       );
     });
 
     it("should return null when no API key is stored", async () => {
-      const apiKey = await useSettingsStore.getState().getPartnerApiKey();
+      const apiKey = await useSettingsStore.getState().getCustomerApiKey();
       expect(apiKey).toBeNull();
     });
   });
@@ -579,7 +579,7 @@ describe("useSettingsStore", () => {
 
       // Check persist name and version are set (for storage key)
       expect(persistOptions?.name).toBe("settings");
-      expect(persistOptions?.version).toBe(12);
+      expect(persistOptions?.version).toBe(13);
 
       // Verify storage is configured (MMKV in production, mock in tests)
       expect(persistOptions?.storage).toBeDefined();
diff --git a/dapps/pos-app/__tests__/utils/secure-storage.test.ts b/dapps/pos-app/__tests__/utils/secure-storage.test.ts
index 8edc6fce..9d5d2b0a 100644
--- a/dapps/pos-app/__tests__/utils/secure-storage.test.ts
+++ b/dapps/pos-app/__tests__/utils/secure-storage.test.ts
@@ -4,31 +4,34 @@
  * Tests for the secure storage migration function.
  */
 
-import { migratePartnerApiKey } from "@/utils/secure-storage";
+import {
+  clearStaleSecureStorage,
+  migrateCustomerApiKey,
+} from "@/utils/secure-storage";
 import { storage } from "@/utils/storage";
 
 // Get the mocked secure store
 const SecureStore = require("expo-secure-store");
 
-describe("migratePartnerApiKey", () => {
+describe("migrateCustomerApiKey", () => {
   beforeEach(() => {
     // Clear secure storage mock between tests
     if (SecureStore.__clearMockStorage) {
       SecureStore.__clearMockStorage();
     }
     // Clear the migration completed flag
-    storage.removeItem("migration_partner_api_key_completed");
+    storage.removeItem("migration_customer_api_key_completed");
+    storage.removeItem("app_has_launched");
   });
 
-  it("should migrate from old key to new key when old key exists", async () => {
-    // Set up old key
+  it("should migrate from old merchant key to new customer key", async () => {
     await SecureStore.setItemAsync("merchant_api_key", "test-api-key-123");
 
-    const migrated = await migratePartnerApiKey();
+    const migrated = await migrateCustomerApiKey();
 
     expect(migrated).toBe(true);
     expect(SecureStore.setItemAsync).toHaveBeenCalledWith(
-      "partner_api_key",
+      "customer_api_key",
       "test-api-key-123",
     );
     expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith(
@@ -36,76 +39,140 @@ describe("migratePartnerApiKey", () => {
     );
   });
 
-  it("should not overwrite existing new key", async () => {
-    // Set up both old and new keys
-    await SecureStore.setItemAsync("merchant_api_key", "old-api-key");
-    await SecureStore.setItemAsync("partner_api_key", "existing-new-key");
+  it("should migrate from old partner key to new customer key", async () => {
+    await SecureStore.setItemAsync("partner_api_key", "partner-key-456");
+
+    const migrated = await migrateCustomerApiKey();
+
+    expect(migrated).toBe(true);
+    expect(SecureStore.setItemAsync).toHaveBeenCalledWith(
+      "customer_api_key",
+      "partner-key-456",
+    );
+    expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith(
+      "partner_api_key",
+    );
+  });
+
+  it("should migrate from merchant key when both old keys exist", async () => {
+    await SecureStore.setItemAsync("merchant_api_key", "merchant-value");
+    await SecureStore.setItemAsync("partner_api_key", "partner-value");
 
-    // Clear mock calls from setup
     jest.clearAllMocks();
 
-    const migrated = await migratePartnerApiKey();
+    const migrated = await migrateCustomerApiKey();
 
-    // Should still delete old key but not set new key (existing value preserved)
-    expect(migrated).toBe(false);
-    expect(SecureStore.setItemAsync).not.toHaveBeenCalledWith(
-      "partner_api_key",
-      expect.anything(),
+    expect(migrated).toBe(true);
+    expect(SecureStore.setItemAsync).toHaveBeenCalledWith(
+      "customer_api_key",
+      "merchant-value",
     );
     expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith(
       "merchant_api_key",
     );
+    expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith(
+      "partner_api_key",
+    );
   });
 
-  it("should do nothing when old key does not exist", async () => {
-    // No keys set up
+  it("should not overwrite existing customer key", async () => {
+    await SecureStore.setItemAsync("partner_api_key", "old-value");
+    await SecureStore.setItemAsync("customer_api_key", "existing-value");
+
+    jest.clearAllMocks();
 
-    const migrated = await migratePartnerApiKey();
+    const migrated = await migrateCustomerApiKey();
 
     expect(migrated).toBe(false);
     expect(SecureStore.setItemAsync).not.toHaveBeenCalledWith(
+      "customer_api_key",
+      expect.anything(),
+    );
+    expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith(
       "partner_api_key",
+    );
+  });
+
+  it("should do nothing when no old keys exist", async () => {
+    const migrated = await migrateCustomerApiKey();
+
+    expect(migrated).toBe(false);
+    expect(SecureStore.setItemAsync).not.toHaveBeenCalledWith(
+      "customer_api_key",
       expect.anything(),
     );
     expect(SecureStore.deleteItemAsync).not.toHaveBeenCalled();
   });
 
   it("should track migration completion and skip on subsequent calls", async () => {
-    // Set up old key
     await SecureStore.setItemAsync("merchant_api_key", "test-api-key");
 
-    // First call should perform migration
-    const firstResult = await migratePartnerApiKey();
+    const firstResult = await migrateCustomerApiKey();
     expect(firstResult).toBe(true);
 
-    // Clear mocks but keep storage state
     jest.clearAllMocks();
 
-    // Set up old key again to simulate what would happen if migration ran again
     await SecureStore.setItemAsync("merchant_api_key", "another-key");
 
-    // Second call should skip due to completion flag
-    const secondResult = await migratePartnerApiKey();
+    const secondResult = await migrateCustomerApiKey();
     expect(secondResult).toBe(false);
 
-    // Should not have attempted to read/write secure storage for migration
-    // (only the setup call above)
     expect(SecureStore.getItemAsync).not.toHaveBeenCalledWith(
       "merchant_api_key",
     );
   });
 
-  it("should properly clean up old key after migration", async () => {
+  it("should properly clean up old keys after migration", async () => {
     await SecureStore.setItemAsync("merchant_api_key", "api-key-to-migrate");
 
-    await migratePartnerApiKey();
+    await migrateCustomerApiKey();
 
-    // Verify old key was deleted
     const oldValue = await SecureStore.getItemAsync("merchant_api_key");
     expect(oldValue).toBeNull();
 
-    // Verify new key has the value
-    const newValue = await SecureStore.getItemAsync("partner_api_key");
+    const newValue = await SecureStore.getItemAsync("customer_api_key");
     expect(newValue).toBe("api-key-to-migrate");
   });
 });
+
+describe("clearStaleSecureStorage", () => {
+  beforeEach(() => {
+    if (SecureStore.__clearMockStorage) {
+      SecureStore.__clearMockStorage();
+    }
+    storage.removeItem("app_has_launched");
+  });
+
+  it("should clear current and legacy API keys on fresh install", async () => {
+    await SecureStore.setItemAsync("customer_api_key", "new-key");
+    await SecureStore.setItemAsync("merchant_api_key", "merchant-key");
+    await SecureStore.setItemAsync("partner_api_key", "partner-key");
+    await SecureStore.setItemAsync("pin_hash", "pin-hash");
+
+    jest.clearAllMocks();
+
+    await clearStaleSecureStorage();
+
+    expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith("customer_api_key");
+    expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith("merchant_api_key");
+    expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith("partner_api_key");
+    expect(SecureStore.deleteItemAsync).toHaveBeenCalledWith("pin_hash");
+    expect(await SecureStore.getItemAsync("customer_api_key")).toBeNull();
+    expect(await SecureStore.getItemAsync("merchant_api_key")).toBeNull();
+    expect(await SecureStore.getItemAsync("partner_api_key")).toBeNull();
+    expect(await SecureStore.getItemAsync("pin_hash")).toBeNull();
+    expect(storage.getItem("app_has_launched")).toBe(true);
+  });
+
+  it("should not clear keys after first launch", async () => {
+    storage.setItem("app_has_launched", true);
+    await SecureStore.setItemAsync("partner_api_key", "partner-key");
+
+    jest.clearAllMocks();
+
+    await clearStaleSecureStorage();
+
+    expect(SecureStore.deleteItemAsync).not.toHaveBeenCalled();
+    expect(await SecureStore.getItemAsync("partner_api_key")).toBe("partner-key");
+  });
+});
diff --git a/dapps/pos-app/__tests__/utils/store-helpers.ts b/dapps/pos-app/__tests__/utils/store-helpers.ts
index e4d5f0f1..df3496bd 100644
--- a/dapps/pos-app/__tests__/utils/store-helpers.ts
+++ b/dapps/pos-app/__tests__/utils/store-helpers.ts
@@ -16,7 +16,7 @@ export function resetSettingsStore() {
     variant: "default",
     _hasHydrated: false,
     merchantId: null,
-    isPartnerApiKeySet: false,
+    isCustomerApiKeySet: false,
     pinFailedAttempts: 0,
     pinLockoutUntil: null,
     biometricEnabled: false,
@@ -51,11 +51,11 @@ export async function setupTestMerchant(
 ): Promise<() => Promise<void>> {
   // eslint-disable-next-line @typescript-eslint/no-require-imports
   const SecureStore = require("expo-secure-store");
-  await SecureStore.setItemAsync("partner_api_key", apiKey);
+  await SecureStore.setItemAsync("customer_api_key", apiKey);
 
   useSettingsStore.setState({
     merchantId,
-    isPartnerApiKeySet: true,
+    isCustomerApiKeySet: true,
   });
 
   // Return cleanup function for use in afterEach or manual cleanup
@@ -68,10 +68,10 @@ export async function setupTestMerchant(
 export async function clearTestMerchant() {
   // eslint-disable-next-line @typescript-eslint/no-require-imports
   const SecureStore = require("expo-secure-store");
-  await SecureStore.deleteItemAsync("partner_api_key");
+  await SecureStore.deleteItemAsync("customer_api_key");
 
   useSettingsStore.setState({
     merchantId: null,
-    isPartnerApiKeySet: false,
+    isCustomerApiKeySet: false,
   });
 }
diff --git a/dapps/pos-app/app.json b/dapps/pos-app/app.json
index 5dad4fdf..284f3e26 100644
--- a/dapps/pos-app/app.json
+++ b/dapps/pos-app/app.json
@@ -43,7 +43,7 @@
         "android.permission.BLUETOOTH_ADVERTISE",
         "android.permission.USB_PERMISSION"
       ],
-      "versionCode": 17
+      "versionCode": 18
     },
     "web": {
       "output": "static",
diff --git a/dapps/pos-app/app/index.tsx b/dapps/pos-app/app/index.tsx
index 33677607..ea3895e6 100644
--- a/dapps/pos-app/app/index.tsx
+++ b/dapps/pos-app/app/index.tsx
@@ -17,10 +17,10 @@ export default function HomeScreen() {
   ]);
 
   const Theme = useTheme();
-  const { merchantId, isPartnerApiKeySet } = useSettingsStore();
+  const { merchantId, isCustomerApiKeySet } = useSettingsStore();
 
   const handleStartPayment = () => {
-    if (!merchantId || !isPartnerApiKeySet) {
+    if (!merchantId || !isCustomerApiKeySet) {
       router.push("/settings");
       showErrorToast("Merchant information not configured");
       return;
diff --git a/dapps/pos-app/app/settings.tsx b/dapps/pos-app/app/settings.tsx
index 302b843d..e3d29e70 100644
--- a/dapps/pos-app/app/settings.tsx
+++ b/dapps/pos-app/app/settings.tsx
@@ -37,7 +37,7 @@ type ActiveSheet =
   | "walletTheme"
   | "currency"
   | "merchantId"
-  | "partnerApiKey"
+  | "customerApiKey"
   | null;
 
 const THEME_OPTIONS: RadioOption<ThemeMode>[] = [
@@ -78,7 +78,7 @@ export default function SettingsScreen() {
   const theme = useTheme();
 
   const [activeSheet, setActiveSheet] = useState<ActiveSheet>(null);
-  const [isEditingPartnerKey, setIsEditingPartnerKey] = useState(false);
+  const [isEditingCustomerKey, setIsEditingCustomerKey] = useState(false);
 
   // Custom hooks for biometrics and merchant flow
   const {
@@ -93,17 +93,17 @@ export default function SettingsScreen() {
 
   const {
     merchantIdInput,
-    partnerApiKeyInput,
+    customerApiKeyInput,
     activeModal,
     pinError,
     isMerchantIdConfirmDisabled,
-    isPartnerApiKeyConfirmDisabled,
-    hasStoredPartnerApiKey,
+    isCustomerApiKeyConfirmDisabled,
+    hasStoredCustomerApiKey,
     handleMerchantIdInputChange,
-    handlePartnerApiKeyInputChange,
-    resetPartnerApiKeyInput,
+    handleCustomerApiKeyInputChange,
+    resetCustomerApiKeyInput,
     handleMerchantIdConfirm,
-    handlePartnerApiKeyConfirm,
+    handleCustomerApiKeyConfirm,
     handlePinVerifyComplete,
     handleBiometricAuthSuccess,
     handleBiometricAuthFailure,
@@ -141,11 +141,11 @@ export default function SettingsScreen() {
   const currentCurrency = getCurrency(currency);
 
   const closeSheet = () => {
-    if (activeSheet === "partnerApiKey") {
-      resetPartnerApiKeyInput();
+    if (activeSheet === "customerApiKey") {
+      resetCustomerApiKeyInput();
     }
     setActiveSheet(null);
-    setIsEditingPartnerKey(false);
+    setIsEditingCustomerKey(false);
   };
 
   const handleThemeModeChange = (value: ThemeMode) => {
@@ -168,16 +168,16 @@ export default function SettingsScreen() {
     closeSheet();
   };
 
-  const handlePartnerApiKeySave = async () => {
-    await handlePartnerApiKeyConfirm();
+  const handleCustomerApiKeySave = async () => {
+    await handleCustomerApiKeyConfirm();
     closeSheet();
   };
 
-  const handlePartnerKeyChange = (value: string) => {
-    if (!isEditingPartnerKey) {
-      setIsEditingPartnerKey(true);
+  const handleCustomerKeyChange = (value: string) => {
+    if (!isEditingCustomerKey) {
+      setIsEditingCustomerKey(true);
     }
-    handlePartnerApiKeyInputChange(value);
+    handleCustomerApiKeyInputChange(value);
   };
 
   const handleTestPrinterPress = async () => {
@@ -267,9 +267,9 @@ export default function SettingsScreen() {
         />
 
         <SettingsItem
-          title="Partner API KEY"
+          title="Customer API KEY"
           value="**********"
-          onPress={() => setActiveSheet("partnerApiKey")}
+          onPress={() => setActiveSheet("customerApiKey")}
         />
 
         {/* Biometric toggle - only show if PIN is set and biometrics available */}
@@ -406,23 +406,23 @@ export default function SettingsScreen() {
         </View>
       </SettingsBottomSheet>
 
-      {/* Partner API Key Bottom Sheet */}
+      {/* Customer API Key Bottom Sheet */}
       <SettingsBottomSheet
-        visible={activeSheet === "partnerApiKey"}
-        title="Partner API KEY"
+        visible={activeSheet === "customerApiKey"}
+        title="Customer API KEY"
         onClose={closeSheet}
       >
         <View style={styles.inputContent}>
           <TextInput
             value={
-              isEditingPartnerKey
-                ? partnerApiKeyInput
-                : hasStoredPartnerApiKey
+              isEditingCustomerKey
+                ? customerApiKeyInput
+                : hasStoredCustomerApiKey
                   ? "********"
                   : ""
             }
-            onChangeText={handlePartnerKeyChange}
-            placeholder="Enter partner API key"
+            onChangeText={handleCustomerKeyChange}
+            placeholder="Enter customer API key"
             placeholderTextColor={theme["text-tertiary"]}
             autoCapitalize="none"
             autoCorrect={false}
@@ -437,12 +437,12 @@ export default function SettingsScreen() {
             ]}
           />
           <Button
-            onPress={handlePartnerApiKeySave}
-            disabled={isPartnerApiKeyConfirmDisabled}
+            onPress={handleCustomerApiKeySave}
+            disabled={isCustomerApiKeyConfirmDisabled}
             style={[
               styles.saveButton,
               {
-                backgroundColor: isPartnerApiKeyConfirmDisabled
+                backgroundColor: isCustomerApiKeyConfirmDisabled
                   ? theme["foreground-accent-primary-60"]
                   : theme["bg-accent-primary"],
               },
diff --git a/dapps/pos-app/hooks/use-merchant-flow.ts b/dapps/pos-app/hooks/use-merchant-flow.ts
index affd9a99..73b3f820 100644
--- a/dapps/pos-app/hooks/use-merchant-flow.ts
+++ b/dapps/pos-app/hooks/use-merchant-flow.ts
@@ -4,11 +4,11 @@ import { showErrorToast, showSuccessToast } from "@/utils/toast";
 import { useCallback, useEffect, useState } from "react";
 
 type ModalType = "none" | "pin-verify" | "pin-setup";
-type PendingAction = "merchant-id" | "partner-api-key" | null;
+type PendingAction = "merchant-id" | "customer-api-key" | null;
 
 interface MerchantFlowState {
   merchantIdInput: string;
-  partnerApiKeyInput: string;
+  customerApiKeyInput: string;
   activeModal: ModalType;
   pinError: string | null;
   pendingValue: string | null;
@@ -17,7 +17,7 @@ interface MerchantFlowState {
 
 const initialState: MerchantFlowState = {
   merchantIdInput: "",
-  partnerApiKeyInput: "",
+  customerApiKeyInput: "",
   activeModal: "none",
   pinError: null,
   pendingValue: null,
@@ -28,9 +28,11 @@ export function useMerchantFlow() {
   const storedMerchantId = useSettingsStore((state) => state.merchantId);
   const setMerchantId = useSettingsStore((state) => state.setMerchantId);
   const clearMerchantId = useSettingsStore((state) => state.clearMerchantId);
-  const setPartnerApiKey = useSettingsStore((state) => state.setPartnerApiKey);
-  const isPartnerApiKeySet = useSettingsStore(
-    (state) => state.isPartnerApiKeySet,
+  const setCustomerApiKey = useSettingsStore(
+    (state) => state.setCustomerApiKey,
+  );
+  const isCustomerApiKeySet = useSettingsStore(
+    (state) => state.isCustomerApiKeySet,
   );
   const isPinSet = useSettingsStore((state) => state.isPinSet);
   const verifyPin = useSettingsStore((state) => state.verifyPin);
@@ -71,17 +73,17 @@ export function useMerchantFlow() {
     }));
   }, []);
 
-  const handlePartnerApiKeyInputChange = useCallback((value: string) => {
+  const handleCustomerApiKeyInputChange = useCallback((value: string) => {
     setState((prev) => ({
       ...prev,
-      partnerApiKeyInput: value,
+      customerApiKeyInput: value,
     }));
   }, []);
 
-  const resetPartnerApiKeyInput = useCallback(() => {
+  const resetCustomerApiKeyInput = useCallback(() => {
     setState((prev) => ({
       ...prev,
-      partnerApiKeyInput: "",
+      customerApiKeyInput: "",
     }));
   }, []);
 
@@ -125,14 +127,14 @@ export function useMerchantFlow() {
     await initiateSave(trimmedMerchantId || "", "merchant-id");
   }, [state.merchantIdInput, storedMerchantId, initiateSave]);
 
-  const handlePartnerApiKeyConfirm = useCallback(async () => {
-    const trimmedApiKey = state.partnerApiKeyInput.trim();
+  const handleCustomerApiKeyConfirm = useCallback(async () => {
+    const trimmedApiKey = state.customerApiKeyInput.trim();
     if (!trimmedApiKey) {
       return;
     }
 
-    await initiateSave(trimmedApiKey, "partner-api-key");
-  }, [state.partnerApiKeyInput, initiateSave]);
+    await initiateSave(trimmedApiKey, "customer-api-key");
+  }, [state.customerApiKeyInput, initiateSave]);
 
   const completeSave = useCallback(async () => {
     if (state.pendingValue === null || !state.pendingAction) {
@@ -166,14 +168,19 @@ export function useMerchantFlow() {
             "completeSave",
           );
         }
-      } else if (state.pendingAction === "partner-api-key") {
-        await setPartnerApiKey(state.pendingValue);
+      } else if (state.pendingAction === "customer-api-key") {
+        await setCustomerApiKey(state.pendingValue);
         setState((prev) => ({
           ...prev,
-          partnerApiKeyInput: "", // Clear input after saving
+          customerApiKeyInput: "", // Clear input after saving
         }));
-        showSuccessToast("Partner API key saved successfully");
-        addLog("info", "Partner API key updated", "settings", "completeSave");
+        showSuccessToast("Customer API key saved successfully");
+        addLog(
+          "info",
+          "Customer API key updated",
+          "settings",
+          "completeSave",
+        );
       }
 
       setState((prev) => ({
@@ -193,7 +200,7 @@ export function useMerchantFlow() {
     state.pendingAction,
     setMerchantId,
     clearMerchantId,
-    setPartnerApiKey,
+    setCustomerApiKey,
     addLog,
   ]);
 
@@ -260,7 +267,7 @@ export function useMerchantFlow() {
       pendingValue: null,
       pendingAction: null,
       merchantIdInput: storedMerchantId ?? "",
-      partnerApiKeyInput: "", // Clear input on cancel
+      customerApiKeyInput: "", // Clear input on cancel
     }));
   }, [storedMerchantId]);
 
@@ -268,28 +275,28 @@ export function useMerchantFlow() {
   const isMerchantIdConfirmDisabled =
     state.merchantIdInput.trim() === (storedMerchantId ?? "");
 
-  const isPartnerApiKeyConfirmDisabled =
-    state.partnerApiKeyInput.trim().length === 0;
+  const isCustomerApiKeyConfirmDisabled =
+    state.customerApiKeyInput.trim().length === 0;
 
-  const hasStoredPartnerApiKey = isPartnerApiKeySet;
+  const hasStoredCustomerApiKey = isCustomerApiKeySet;
 
   return {
     // State
     merchantIdInput: state.merchantIdInput,
-    partnerApiKeyInput: state.partnerApiKeyInput,
+    customerApiKeyInput: state.customerApiKeyInput,
     activeModal: state.activeModal,
     pinError: state.pinError,
     storedMerchantId,
     isMerchantIdConfirmDisabled,
-    isPartnerApiKeyConfirmDisabled,
-    hasStoredPartnerApiKey,
+    isCustomerApiKeyConfirmDisabled,
+    hasStoredCustomerApiKey,
 
     // Handlers
     handleMerchantIdInputChange,
-    handlePartnerApiKeyInputChange,
-    resetPartnerApiKeyInput,
+    handleCustomerApiKeyInputChange,
+    resetCustomerApiKeyInput,
     handleMerchantIdConfirm,
-    handlePartnerApiKeyConfirm,
+    handleCustomerApiKeyConfirm,
     handlePinVerifyComplete,
     handleBiometricAuthSuccess,
     handleBiometricAuthFailure,
diff --git a/dapps/pos-app/hooks/use-url-credentials.ts b/dapps/pos-app/hooks/use-url-credentials.ts
index e5068cdc..9d0c59b0 100644
--- a/dapps/pos-app/hooks/use-url-credentials.ts
+++ b/dapps/pos-app/hooks/use-url-credentials.ts
@@ -6,7 +6,7 @@ import { useEffect, useRef } from "react";
 import { Platform } from "react-native";
 
 /**
- * On web, reads merchantId and partnerApiKey from URL query parameters,
+ * On web, reads merchantId and customerApiKey from URL query parameters,
  * base64-decodes them, saves to the settings store,
  * and cleans the URL. Runs once after store hydration.
  *
@@ -16,7 +16,9 @@ export function useUrlCredentials() {
   const hasProcessed = useRef(false);
   const _hasHydrated = useSettingsStore((state) => state._hasHydrated);
   const setMerchantId = useSettingsStore((state) => state.setMerchantId);
-  const setPartnerApiKey = useSettingsStore((state) => state.setPartnerApiKey);
+  const setCustomerApiKey = useSettingsStore(
+    (state) => state.setCustomerApiKey,
+  );
   const addLog = useLogsStore((state) => state.addLog);
 
   useEffect(() => {
@@ -27,9 +29,9 @@ export function useUrlCredentials() {
 
     const params = new URLSearchParams(window.location.search);
     const rawMerchantId = params.get("merchantId");
-    const rawPartnerApiKey = params.get("partnerApiKey");
+    const rawCustomerApiKey = params.get("customerApiKey");
 
-    if (!rawMerchantId && !rawPartnerApiKey) return;
+    if (!rawMerchantId && !rawCustomerApiKey) return;
 
     async function applyCredentials() {
       try {
@@ -44,12 +46,12 @@ export function useUrlCredentials() {
           );
         }
 
-        if (rawPartnerApiKey) {
-          const partnerApiKey = atob(rawPartnerApiKey);
-          await setPartnerApiKey(partnerApiKey);
+        if (rawCustomerApiKey) {
+          const customerApiKey = atob(rawCustomerApiKey);
+          await setCustomerApiKey(customerApiKey);
           addLog(
             "info",
-            "Partner API key set from URL parameter",
+            "Customer API key set from URL parameter",
             "layout",
             "useUrlCredentials",
           );
@@ -74,5 +76,5 @@ export function useUrlCredentials() {
     }
 
     applyCredentials();
-  }, [_hasHydrated, setMerchantId, setPartnerApiKey, addLog]);
+  }, [_hasHydrated, setMerchantId, setCustomerApiKey, addLog]);
 }
diff --git a/dapps/pos-app/services/payment.ts b/dapps/pos-app/services/payment.ts
index 35f337b4..57b2a262 100644
--- a/dapps/pos-app/services/payment.ts
+++ b/dapps/pos-app/services/payment.ts
@@ -9,22 +9,22 @@ import { apiClient } from "./client";
 /**
  * Get API headers for authenticated requests
  * @returns Headers object with Api-Key, Merchant-Id, and SDK headers
- * @throws Error if partner API key or merchant ID is missing
+ * @throws Error if customer API key or merchant ID is missing
  */
 async function getApiHeaders(): Promise<Record<string, string>> {
   const merchantId = useSettingsStore.getState().merchantId;
-  const partnerApiKey = await useSettingsStore.getState().getPartnerApiKey();
+  const customerApiKey = await useSettingsStore.getState().getCustomerApiKey();
 
   if (!merchantId || merchantId.trim().length === 0) {
     throw new Error("Merchant ID is not configured");
   }
 
-  if (!partnerApiKey || partnerApiKey.trim().length === 0) {
-    throw new Error("Partner API key is not configured");
+  if (!customerApiKey || customerApiKey.trim().length === 0) {
+    throw new Error("Customer API key is not configured");
   }
 
   return {
-    "Api-Key": partnerApiKey,
+    "Api-Key": customerApiKey,
     "Merchant-Id": merchantId,
     "Sdk-Name": "pos-device",
     "Sdk-Version": "1.0.0",
diff --git a/dapps/pos-app/services/payment.web.ts b/dapps/pos-app/services/payment.web.ts
index 63db2056..c989dbcc 100644
--- a/dapps/pos-app/services/payment.web.ts
+++ b/dapps/pos-app/services/payment.web.ts
@@ -16,14 +16,14 @@ async function getMerchantCredentials(): Promise<{
   apiKey: string;
 }> {
   const merchantId = useSettingsStore.getState().merchantId;
-  const apiKey = await useSettingsStore.getState().getPartnerApiKey();
+  const apiKey = await useSettingsStore.getState().getCustomerApiKey();
 
   if (!merchantId || merchantId.trim().length === 0) {
     throw new Error("Merchant ID is not configured");
   }
 
   if (!apiKey || apiKey.trim().length === 0) {
-    throw new Error("Partner API key is not configured");
+    throw new Error("Customer API key is not configured");
   }
 
   return { merchantId, apiKey };
diff --git a/dapps/pos-app/store/useSettingsStore.ts b/dapps/pos-app/store/useSettingsStore.ts
index 046b8c18..fe1c0ff2 100644
--- a/dapps/pos-app/store/useSettingsStore.ts
+++ b/dapps/pos-app/store/useSettingsStore.ts
@@ -4,7 +4,7 @@ import { CurrencyCode } from "@/utils/currency";
 import { MerchantConfig } from "@/utils/merchant-config";
 import {
   clearStaleSecureStorage,
-  migratePartnerApiKey,
+  migrateCustomerApiKey,
   SECURE_STORAGE_KEYS,
   secureStorage,
 } from "@/utils/secure-storage";
@@ -57,7 +57,7 @@ interface SettingsStore {
   currency: CurrencyCode;
   _hasHydrated: boolean;
   merchantId: string | null;
-  isPartnerApiKeySet: boolean;
+  isCustomerApiKeySet: boolean;
 
   // Transaction filter
   transactionFilter: TransactionFilterType;
@@ -75,9 +75,9 @@ interface SettingsStore {
   setCurrency: (currency: CurrencyCode) => void;
   setMerchantId: (merchantId: string | null) => void;
   clearMerchantId: () => Promise<string | null>;
-  setPartnerApiKey: (apiKey: string | null) => Promise<void>;
-  clearPartnerApiKey: () => Promise<void>;
-  getPartnerApiKey: () => Promise<string | null>;
+  setCustomerApiKey: (apiKey: string | null) => Promise<void>;
+  clearCustomerApiKey: () => Promise<void>;
+  getCustomerApiKey: () => Promise<string | null>;
 
   // PIN actions
   setPin: (pin: string) => Promise<void>;
@@ -104,7 +104,7 @@ export const useSettingsStore = create<SettingsStore>()(
       currency: "USD",
       _hasHydrated: false,
       merchantId: null,
-      isPartnerApiKeySet: false,
+      isCustomerApiKeySet: false,
       transactionFilter: "all",
       pinFailedAttempts: 0,
       pinLockoutUntil: null,
@@ -132,41 +132,41 @@ export const useSettingsStore = create<SettingsStore>()(
         // Reset both merchant ID and API key to env defaults
         const defaultMerchantId = MerchantConfig.getDefaultMerchantId();
         set({ merchantId: defaultMerchantId });
-        const defaultApiKey = MerchantConfig.getDefaultPartnerApiKey();
+        const defaultApiKey = MerchantConfig.getDefaultCustomerApiKey();
         if (defaultApiKey) {
           await secureStorage.setItem(
-            SECURE_STORAGE_KEYS.PARTNER_API_KEY,
+            SECURE_STORAGE_KEYS.CUSTOMER_API_KEY,
             defaultApiKey,
           );
-          set({ isPartnerApiKeySet: true });
+          set({ isCustomerApiKeySet: true });
         } else {
-          await secureStorage.removeItem(SECURE_STORAGE_KEYS.PARTNER_API_KEY);
-          set({ isPartnerApiKeySet: false });
+          await secureStorage.removeItem(SECURE_STORAGE_KEYS.CUSTOMER_API_KEY);
+          set({ isCustomerApiKeySet: false });
         }
         return defaultMerchantId;
       },
-      setPartnerApiKey: async (apiKey: string | null) => {
+      setCustomerApiKey: async (apiKey: string | null) => {
         try {
           if (apiKey) {
             await secureStorage.setItem(
-              SECURE_STORAGE_KEYS.PARTNER_API_KEY,
+              SECURE_STORAGE_KEYS.CUSTOMER_API_KEY,
               apiKey,
             );
-            set({ isPartnerApiKeySet: true });
+            set({ isCustomerApiKeySet: true });
           } else {
-            await secureStorage.removeItem(SECURE_STORAGE_KEYS.PARTNER_API_KEY);
-            set({ isPartnerApiKeySet: false });
+            await secureStorage.removeItem(SECURE_STORAGE_KEYS.CUSTOMER_API_KEY);
+            set({ isCustomerApiKeySet: false });
           }
         } catch {
           throw new Error("Failed to save credentials securely");
         }
       },
-      clearPartnerApiKey: async () => {
-        await secureStorage.removeItem(SECURE_STORAGE_KEYS.PARTNER_API_KEY);
-        set({ isPartnerApiKeySet: false });
+      clearCustomerApiKey: async () => {
+        await secureStorage.removeItem(SECURE_STORAGE_KEYS.CUSTOMER_API_KEY);
+        set({ isCustomerApiKeySet: false });
       },
-      getPartnerApiKey: async () => {
-        return await secureStorage.getItem(SECURE_STORAGE_KEYS.PARTNER_API_KEY);
+      getCustomerApiKey: async () => {
+        return await secureStorage.getItem(SECURE_STORAGE_KEYS.CUSTOMER_API_KEY);
       },
 
       // PIN methods
@@ -252,7 +252,7 @@ export const useSettingsStore = create<SettingsStore>()(
     }),
     {
       name: "settings",
-      version: 12,
+      version: 13,
       storage,
       migrate: (persistedState: any, version: number) => {
         if (!persistedState || typeof persistedState !== "object") {
@@ -293,6 +293,13 @@ export const useSettingsStore = create<SettingsStore>()(
         if (version < 11) {
           persistedState.currency = "USD";
         }
+        if (version < 13) {
+          if ("isPartnerApiKeySet" in persistedState) {
+            persistedState.isCustomerApiKeySet =
+              persistedState.isPartnerApiKeySet;
+            delete persistedState.isPartnerApiKeySet;
+          }
+        }
 
         return persistedState;
       },
@@ -320,17 +327,17 @@ export const useSettingsStore = create<SettingsStore>()(
             delete (state as any).__migrationData;
           }
 
-          // Run partner API key migration before applying defaults
+          // Run customer API key migration before applying defaults
           // This ensures existing users keep their API key during the rename
-          const migrated = await migratePartnerApiKey();
+          const migrated = await migrateCustomerApiKey();
           if (migrated) {
             // Migration was performed, sync the flag
-            state.isPartnerApiKeySet = true;
+            state.isCustomerApiKeySet = true;
             useLogsStore
               .getState()
               .addLog(
                 "info",
-                "Partner API key migrated from merchant_api_key",
+                "Customer API key migrated from legacy storage key",
                 "Settings",
                 "onRehydrateStorage",
               );
@@ -338,14 +345,14 @@ export const useSettingsStore = create<SettingsStore>()(
 
           // Initialize merchant defaults from env if not set
           const defaultMerchantId = MerchantConfig.getDefaultMerchantId();
-          const defaultApiKey = MerchantConfig.getDefaultPartnerApiKey();
+          const defaultApiKey = MerchantConfig.getDefaultCustomerApiKey();
 
           if (!state.merchantId && defaultMerchantId) {
             state.setMerchantId(defaultMerchantId);
           }
 
-          if (!state.isPartnerApiKeySet && defaultApiKey) {
-            await state.setPartnerApiKey(defaultApiKey);
+          if (!state.isCustomerApiKeySet && defaultApiKey) {
+            await state.setCustomerApiKey(defaultApiKey);
           }
         }
 
diff --git a/dapps/pos-app/utils/merchant-config.ts b/dapps/pos-app/utils/merchant-config.ts
index e8477597..63ab49de 100644
--- a/dapps/pos-app/utils/merchant-config.ts
+++ b/dapps/pos-app/utils/merchant-config.ts
@@ -1,10 +1,10 @@
 const DEFAULT_MERCHANT_ID = process.env.EXPO_PUBLIC_DEFAULT_MERCHANT_ID ?? null;
-const DEFAULT_PARTNER_API_KEY =
-  process.env.EXPO_PUBLIC_DEFAULT_PARTNER_API_KEY ?? null;
+const DEFAULT_CUSTOMER_API_KEY =
+  process.env.EXPO_PUBLIC_DEFAULT_CUSTOMER_API_KEY ?? null;
 
 export const MerchantConfig = {
   getDefaultMerchantId: (): string | null => DEFAULT_MERCHANT_ID,
-  getDefaultPartnerApiKey: (): string | null => DEFAULT_PARTNER_API_KEY,
+  getDefaultCustomerApiKey: (): string | null => DEFAULT_CUSTOMER_API_KEY,
   hasEnvDefaults: (): boolean =>
-    Boolean(DEFAULT_MERCHANT_ID && DEFAULT_PARTNER_API_KEY),
+    Boolean(DEFAULT_MERCHANT_ID && DEFAULT_CUSTOMER_API_KEY),
 };
diff --git a/dapps/pos-app/utils/secure-storage.ts b/dapps/pos-app/utils/secure-storage.ts
index 87f09606..7cb1c33b 100644
--- a/dapps/pos-app/utils/secure-storage.ts
+++ b/dapps/pos-app/utils/secure-storage.ts
@@ -2,18 +2,23 @@ import * as SecureStore from "expo-secure-store";
 import { storage } from "./storage";
 
 const KEYS = {
-  PARTNER_API_KEY: "partner_api_key",
+  CUSTOMER_API_KEY: "customer_api_key",
   PIN_HASH: "pin_hash",
 } as const;
+const LEGACY_CUSTOMER_API_KEYS = ["merchant_api_key", "partner_api_key"] as const;
 
 const FRESH_INSTALL_KEY = "app_has_launched";
-const PARTNER_API_KEY_MIGRATION_KEY = "migration_partner_api_key_completed";
+const CUSTOMER_API_KEY_MIGRATION_KEY =
+  "migration_customer_api_key_completed";
 
 export async function clearStaleSecureStorage(): Promise<void> {
   const hasLaunchedBefore = storage.getItem<boolean>(FRESH_INSTALL_KEY);
 
   if (!hasLaunchedBefore) {
-    await SecureStore.deleteItemAsync(KEYS.PARTNER_API_KEY);
+    await SecureStore.deleteItemAsync(KEYS.CUSTOMER_API_KEY);
+    for (const legacyKey of LEGACY_CUSTOMER_API_KEYS) {
+      await SecureStore.deleteItemAsync(legacyKey);
+    }
     await SecureStore.deleteItemAsync(KEYS.PIN_HASH);
 
     storage.setItem(FRESH_INSTALL_KEY, true);
@@ -21,31 +26,35 @@ export async function clearStaleSecureStorage(): Promise<void> {
 }
 
 /**
- * Migrates partner API key from old storage key to new one.
+ * Migrates customer API key from old storage keys to new one.
+ * Handles both legacy key names: "merchant_api_key" and "partner_api_key".
  * Tracks completion to avoid running on every app start.
  * @returns true if migration was performed, false if skipped
  */
-export async function migratePartnerApiKey(): Promise<boolean> {
+export async function migrateCustomerApiKey(): Promise<boolean> {
   const migrationCompleted = storage.getItem<boolean>(
-    PARTNER_API_KEY_MIGRATION_KEY,
+    CUSTOMER_API_KEY_MIGRATION_KEY,
   );
   if (migrationCompleted) return false;
 
-  const OLD_KEY = "merchant_api_key";
-  const NEW_KEY = "partner_api_key";
+  const OLD_KEYS = LEGACY_CUSTOMER_API_KEYS;
+  const NEW_KEY = "customer_api_key";
 
   let migrated = false;
-  const oldValue = await SecureStore.getItemAsync(OLD_KEY);
-  if (oldValue) {
-    const newValue = await SecureStore.getItemAsync(NEW_KEY);
-    if (!newValue) {
-      await SecureStore.setItemAsync(NEW_KEY, oldValue);
-      migrated = true;
+  const existingNewValue = await SecureStore.getItemAsync(NEW_KEY);
+
+  for (const oldKey of OLD_KEYS) {
+    const oldValue = await SecureStore.getItemAsync(oldKey);
+    if (oldValue) {
+      if (!existingNewValue && !migrated) {
+        await SecureStore.setItemAsync(NEW_KEY, oldValue);
+        migrated = true;
+      }
+      await SecureStore.deleteItemAsync(oldKey);
     }
-    await SecureStore.deleteItemAsync(OLD_KEY);
   }
 
-  storage.setItem(PARTNER_API_KEY_MIGRATION_KEY, true);
+  storage.setItem(CUSTOMER_API_KEY_MIGRATION_KEY, true);
   return migrated;
 }
 
diff --git a/dapps/pos-app/utils/secure-storage.web.ts b/dapps/pos-app/utils/secure-storage.web.ts
index cdecd3c9..d526ad57 100644
--- a/dapps/pos-app/utils/secure-storage.web.ts
+++ b/dapps/pos-app/utils/secure-storage.web.ts
@@ -78,38 +78,43 @@ export const secureStorage = {
 };
 
 export const SECURE_STORAGE_KEYS = {
-  PARTNER_API_KEY: "partner_api_key",
+  CUSTOMER_API_KEY: "customer_api_key",
   PIN_HASH: "pin_hash",
 } as const;
 
-const PARTNER_API_KEY_MIGRATION_KEY = "migration_partner_api_key_completed";
+const CUSTOMER_API_KEY_MIGRATION_KEY =
+  "migration_customer_api_key_completed";
 
 /**
- * Migrates partner API key from old storage key to new one.
+ * Migrates customer API key from old storage keys to new one.
+ * Handles both legacy key names: "merchant_api_key" and "partner_api_key".
  * Tracks completion to avoid running on every app start.
  * @returns true if migration was performed, false if skipped
  */
-export async function migratePartnerApiKey(): Promise<boolean> {
+export async function migrateCustomerApiKey(): Promise<boolean> {
   const storage = getStorage();
   if (!storage) return false;
 
-  const migrationCompleted = storage.getItem(PARTNER_API_KEY_MIGRATION_KEY);
+  const migrationCompleted = storage.getItem(CUSTOMER_API_KEY_MIGRATION_KEY);
   if (migrationCompleted === "true") return false;
 
-  const OLD_KEY = getKey("merchant_api_key");
-  const NEW_KEY = getKey("partner_api_key");
+  const OLD_KEYS = [getKey("merchant_api_key"), getKey("partner_api_key")];
+  const NEW_KEY = getKey("customer_api_key");
 
   let migrated = false;
-  const oldValue = storage.getItem(OLD_KEY);
-  if (oldValue) {
-    const newValue = storage.getItem(NEW_KEY);
-    if (!newValue) {
-      storage.setItem(NEW_KEY, oldValue);
-      migrated = true;
+  const existingNewValue = storage.getItem(NEW_KEY);
+
+  for (const oldKey of OLD_KEYS) {
+    const oldValue = storage.getItem(oldKey);
+    if (oldValue) {
+      if (!existingNewValue && !migrated) {
+        storage.setItem(NEW_KEY, oldValue);
+        migrated = true;
+      }
+      storage.removeItem(oldKey);
     }
-    storage.removeItem(OLD_KEY);
   }
 
-  storage.setItem(PARTNER_API_KEY_MIGRATION_KEY, "true");
+  storage.setItem(CUSTOMER_API_KEY_MIGRATION_KEY, "true");
   return migrated;
 }

From 5edb11adf0c2684b898f7b44ca821af7d5208b11 Mon Sep 17 00:00:00 2001
From: ignaciosantise <25931366+ignaciosantise@users.noreply.github.com>
Date: Fri, 27 Feb 2026 10:08:51 -0300
Subject: [PATCH 2/2] feat(pos-app): add postMessage support for credential
 injection

Adds window.postMessage as the primary method for receiving merchantId
and customerApiKey on web, keeping URL query params as fallback. postMessage
values are plain text (no base64 needed since data stays in JS memory).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../hooks/use-url-credentials.test.ts         | 182 ++++++++++++++++++
 dapps/pos-app/hooks/use-url-credentials.ts    | 107 ++++++----
 2 files changed, 256 insertions(+), 33 deletions(-)

diff --git a/dapps/pos-app/__tests__/hooks/use-url-credentials.test.ts b/dapps/pos-app/__tests__/hooks/use-url-credentials.test.ts
index 88634721..81850487 100644
--- a/dapps/pos-app/__tests__/hooks/use-url-credentials.test.ts
+++ b/dapps/pos-app/__tests__/hooks/use-url-credentials.test.ts
@@ -7,15 +7,34 @@ import { useUrlCredentials } from "@/hooks/use-url-credentials";
 import { resetSettingsStore, resetLogsStore } from "../utils/store-helpers";
 import { waitForAsync } from "../utils/test-helpers";
 
+type MessageHandler = (event: { data: unknown }) => void;
+const messageListeners: MessageHandler[] = [];
+
 function setWindowLocation(search: string) {
   const href = `http://localhost${search}`;
   (global as any).window = {
     ...((global as any).window || {}),
     location: { search, href },
+    addEventListener: (type: string, handler: MessageHandler) => {
+      if (type === "message") messageListeners.push(handler);
+    },
+    removeEventListener: (type: string, handler: MessageHandler) => {
+      if (type === "message") {
+        const idx = messageListeners.indexOf(handler);
+        if (idx !== -1) messageListeners.splice(idx, 1);
+      }
+    },
   };
 }
 
+function dispatchPostMessage(data: unknown) {
+  for (const handler of [...messageListeners]) {
+    handler({ data });
+  }
+}
+
 function clearWindow() {
+  messageListeners.length = 0;
   delete (global as any).window;
 }
 
@@ -147,3 +166,166 @@ describe("useUrlCredentials", () => {
     expect(infoLogs[1].message).toContain("Customer API key set from URL");
   });
 });
+
+describe("useUrlCredentials — postMessage", () => {
+  it("applies both merchantId and customerApiKey from postMessage", async () => {
+    setWindowLocation("");
+    useSettingsStore.setState({ _hasHydrated: true });
+
+    renderHook(() => useUrlCredentials());
+    await act(() => waitForAsync());
+
+    await act(async () => {
+      dispatchPostMessage({
+        type: "pos-credentials",
+        merchantId: "pm-merchant-123",
+        customerApiKey: "pm-key-456",
+      });
+      await waitForAsync();
+    });
+
+    const state = useSettingsStore.getState();
+    expect(state.merchantId).toBe("pm-merchant-123");
+    expect(state.isCustomerApiKeySet).toBe(true);
+  });
+
+  it("applies only merchantId from postMessage", async () => {
+    setWindowLocation("");
+    useSettingsStore.setState({ _hasHydrated: true });
+
+    renderHook(() => useUrlCredentials());
+    await act(() => waitForAsync());
+
+    await act(async () => {
+      dispatchPostMessage({
+        type: "pos-credentials",
+        merchantId: "pm-only-merchant",
+      });
+      await waitForAsync();
+    });
+
+    expect(useSettingsStore.getState().merchantId).toBe("pm-only-merchant");
+    expect(useSettingsStore.getState().isCustomerApiKeySet).toBe(false);
+  });
+
+  it("applies only customerApiKey from postMessage", async () => {
+    setWindowLocation("");
+    useSettingsStore.setState({ _hasHydrated: true, merchantId: null });
+
+    renderHook(() => useUrlCredentials());
+    await act(() => waitForAsync());
+
+    await act(async () => {
+      dispatchPostMessage({
+        type: "pos-credentials",
+        customerApiKey: "pm-only-key",
+      });
+      await waitForAsync();
+    });
+
+    expect(useSettingsStore.getState().merchantId).toBeNull();
+    expect(useSettingsStore.getState().isCustomerApiKeySet).toBe(true);
+  });
+
+  it("ignores messages with wrong type", async () => {
+    setWindowLocation("");
+    useSettingsStore.setState({
+      _hasHydrated: true,
+      merchantId: "existing",
+    });
+
+    renderHook(() => useUrlCredentials());
+    await act(() => waitForAsync());
+
+    await act(async () => {
+      dispatchPostMessage({
+        type: "some-other-message",
+        merchantId: "should-not-apply",
+      });
+      await waitForAsync();
+    });
+
+    expect(useSettingsStore.getState().merchantId).toBe("existing");
+  });
+
+  it("ignores non-object messages", async () => {
+    setWindowLocation("");
+    useSettingsStore.setState({ _hasHydrated: true });
+
+    renderHook(() => useUrlCredentials());
+    await act(() => waitForAsync());
+
+    await act(async () => {
+      dispatchPostMessage("just a string");
+      dispatchPostMessage(null);
+      dispatchPostMessage(42);
+      await waitForAsync();
+    });
+
+    expect(useSettingsStore.getState().merchantId).toBeNull();
+  });
+
+  it("does nothing on native platforms", async () => {
+    (Platform as any).OS = "ios";
+    setWindowLocation("");
+    useSettingsStore.setState({ _hasHydrated: true });
+
+    renderHook(() => useUrlCredentials());
+    await act(() => waitForAsync());
+
+    await act(async () => {
+      dispatchPostMessage({
+        type: "pos-credentials",
+        merchantId: "should-not-apply",
+      });
+      await waitForAsync();
+    });
+
+    expect(useSettingsStore.getState().merchantId).toBeNull();
+  });
+
+  it("logs source as postMessage", async () => {
+    setWindowLocation("");
+    useSettingsStore.setState({ _hasHydrated: true });
+
+    renderHook(() => useUrlCredentials());
+    await act(() => waitForAsync());
+
+    await act(async () => {
+      dispatchPostMessage({
+        type: "pos-credentials",
+        merchantId: "log-pm-test",
+        customerApiKey: "log-pm-key",
+      });
+      await waitForAsync();
+    });
+
+    const logs = useLogsStore.getState().logs;
+    const infoLogs = logs.filter((l) => l.level === "info");
+    expect(infoLogs).toHaveLength(2);
+    expect(infoLogs[0].message).toContain("Merchant ID set from postMessage");
+    expect(infoLogs[1].message).toContain(
+      "Customer API key set from postMessage",
+    );
+  });
+
+  it("cleans up listener on unmount", async () => {
+    setWindowLocation("");
+    useSettingsStore.setState({ _hasHydrated: true });
+
+    const { unmount } = renderHook(() => useUrlCredentials());
+    await act(() => waitForAsync());
+
+    unmount();
+
+    await act(async () => {
+      dispatchPostMessage({
+        type: "pos-credentials",
+        merchantId: "after-unmount",
+      });
+      await waitForAsync();
+    });
+
+    expect(useSettingsStore.getState().merchantId).toBeNull();
+  });
+});
diff --git a/dapps/pos-app/hooks/use-url-credentials.ts b/dapps/pos-app/hooks/use-url-credentials.ts
index 9d0c59b0..d2163e37 100644
--- a/dapps/pos-app/hooks/use-url-credentials.ts
+++ b/dapps/pos-app/hooks/use-url-credentials.ts
@@ -2,18 +2,24 @@ import { useLogsStore } from "@/store/useLogsStore";
 import { useSettingsStore } from "@/store/useSettingsStore";
 import { showInfoToast } from "@/utils/toast";
 import { router } from "expo-router";
-import { useEffect, useRef } from "react";
+import { useCallback, useEffect, useRef } from "react";
 import { Platform } from "react-native";
 
 /**
- * On web, reads merchantId and customerApiKey from URL query parameters,
- * base64-decodes them, saves to the settings store,
- * and cleans the URL. Runs once after store hydration.
+ * On web, accepts credentials via two methods (in priority order):
  *
- * Values must be base64-encoded.
+ * 1. **postMessage** — parent/opener sends `{ type: "pos-credentials", merchantId?, customerApiKey? }`
+ *    Values are plain text (no encoding needed).
+ *
+ * 2. **URL query parameters** — `?merchantId=<base64>&customerApiKey=<base64>`
+ *    Values must be base64-encoded. Acts as fallback when postMessage is not used.
+ *
+ * Both methods overwrite any previously stored credentials.
+ * Runs after store hydration; URL params are processed once, postMessage listener
+ * stays active until unmount.
  */
 export function useUrlCredentials() {
-  const hasProcessed = useRef(false);
+  const hasProcessedParams = useRef(false);
   const _hasHydrated = useSettingsStore((state) => state._hasHydrated);
   const setMerchantId = useSettingsStore((state) => state.setMerchantId);
   const setCustomerApiKey = useSettingsStore(
@@ -21,60 +27,95 @@ export function useUrlCredentials() {
   );
   const addLog = useLogsStore((state) => state.addLog);
 
-  useEffect(() => {
-    if (Platform.OS !== "web") return;
-    if (!_hasHydrated) return;
-    if (hasProcessed.current) return;
-    hasProcessed.current = true;
-
-    const params = new URLSearchParams(window.location.search);
-    const rawMerchantId = params.get("merchantId");
-    const rawCustomerApiKey = params.get("customerApiKey");
-
-    if (!rawMerchantId && !rawCustomerApiKey) return;
-
-    async function applyCredentials() {
+  const applyCredentials = useCallback(
+    async (
+      merchantId: string | null,
+      customerApiKey: string | null,
+      source: string,
+    ) => {
       try {
-        if (rawMerchantId) {
-          const merchantId = atob(rawMerchantId);
+        if (merchantId) {
           setMerchantId(merchantId);
           addLog(
             "info",
-            "Merchant ID set from URL parameter",
+            `Merchant ID set from ${source}`,
             "layout",
             "useUrlCredentials",
           );
         }
 
-        if (rawCustomerApiKey) {
-          const customerApiKey = atob(rawCustomerApiKey);
+        if (customerApiKey) {
           await setCustomerApiKey(customerApiKey);
           addLog(
             "info",
-            "Customer API key set from URL parameter",
+            `Customer API key set from ${source}`,
             "layout",
             "useUrlCredentials",
           );
         }
 
-        showInfoToast("Credentials updated from URL");
-
-        // Clean URL by navigating through Expo Router (replaceState alone
-        // doesn't update Expo Router's internal state, so params reappear)
-        router.replace("/");
+        showInfoToast("Credentials updated");
       } catch (error) {
         const errorMessage =
           error instanceof Error ? error.message : String(error);
         addLog(
           "error",
-          `Failed to apply URL credentials: ${errorMessage}`,
+          `Failed to apply credentials from ${source}: ${errorMessage}`,
           "layout",
           "useUrlCredentials",
           { error },
         );
       }
+    },
+    [setMerchantId, setCustomerApiKey, addLog],
+  );
+
+  // URL query parameters (fallback, processed once)
+  useEffect(() => {
+    if (Platform.OS !== "web") return;
+    if (!_hasHydrated) return;
+    if (hasProcessedParams.current) return;
+    hasProcessedParams.current = true;
+
+    const params = new URLSearchParams(window.location.search);
+    const rawMerchantId = params.get("merchantId");
+    const rawCustomerApiKey = params.get("customerApiKey");
+
+    if (!rawMerchantId && !rawCustomerApiKey) return;
+
+    const merchantId = rawMerchantId ? atob(rawMerchantId) : null;
+    const customerApiKey = rawCustomerApiKey ? atob(rawCustomerApiKey) : null;
+
+    applyCredentials(merchantId, customerApiKey, "URL parameter").then(() => {
+      router.replace("/");
+    });
+  }, [_hasHydrated, applyCredentials]);
+
+  // postMessage listener (stays active until unmount)
+  useEffect(() => {
+    if (Platform.OS !== "web") return;
+    if (!_hasHydrated) return;
+
+    function handleMessage(event: MessageEvent) {
+      if (
+        !event.data ||
+        typeof event.data !== "object" ||
+        event.data.type !== "pos-credentials"
+      ) {
+        return;
+      }
+
+      const { merchantId, customerApiKey } = event.data;
+      if (!merchantId && !customerApiKey) return;
+
+      applyCredentials(
+        merchantId ?? null,
+        customerApiKey ?? null,
+        "postMessage",
+      );
     }
 
-    applyCredentials();
-  }, [_hasHydrated, setMerchantId, setCustomerApiKey, addLog]);
+    window.addEventListener("message", handleMessage);
+    return () => window.removeEventListener("message", handleMessage);
+  }, [_hasHydrated, applyCredentials]);
 }