Dashboard
System overview
Main Site ──► Bridge ──► CF Worker (shield domain) ──► Airwallex API
│ │
└── iframe ──► Shield HTML ──► Airwallex.js (Drop-in Element)
│
postMessage ──► Main Site
Recent activity
Airwallex credentials
API keys are sent to the Cloudflare Worker with each request. They are never stored on the Shield.
Shield site
The domain Airwallex sees. Upload the 3 static HTML files (pay.html, return.html, config.js) to this domain's hosting.
Shield URL
Base URL where the static files are hosted
Site key
Shared secret used by the Shield HTML to authenticate with the Bridge when validating payment tokens. Put this in the Shield's config.js file.
Fallback redirect
Where to send visitors who access the Shield directly (not via iframe checkout).
Cloudflare Worker
The Worker runs on the Shield domain and proxies all Airwallex API calls. Airwallex sees the Shield's Cloudflare IP for everything.
Worker API URL
The /_api route on your Shield domain (e.g. https://pay.shielddomain.com/_api). Set this after deploying the Worker script and adding the route in Cloudflare.
Worker key
Shared secret between Bridge and Worker. Set this as the WORKER_KEY environment variable in the Cloudflare Worker settings.
Allowed main sites
Only these domains can call the Bridge API.
Webhook
Airwallex → Bridge → your main site.
Airwallex webhook URL
Set this in Airwallex → Developer → Webhooks. This points to the Shield domain via the CF Worker — Airwallex never sees the Bridge URL.
Webhook signing secret
From Airwallex webhook settings. Verifies incoming webhooks are genuine.
Forward URL
Where to forward verified webhooks on your main site.
Bridge API key
Your main site sends this as the X-Bridge-Api-Key header with every request.
Logs
Recent events