~ Mohan Sankaran.
From app to platform
When wallets went global, SDKs stopped being utility jars and became the product. One artifact now had to serve banks, processors, and markets with different regulations and brand rules-without fragmenting into forks. The job of the SDK is simple to say and hard to do: adapt everywhere, stay dependable anywhere.
From flexibility to guarantees
A multi-tenant SDK is a promise that doesn’t break. Once teams integrate it, their release cadence and compliance posture depend on your stability. Treat the public surface-APIs, callbacks, models, error semantics-as a contract. Evolve additively. Deprecate loudly, remove rarely, and negotiate new behavior with explicit capability flags so hosts opt in on their schedule, not yours.
From policy to configuration
Keep what changes out of code. Payment logic, cryptography, and lifecycle belong to the sealed core. Everything tenant-specific-limits, consent copy, UX variations, eligibility rules-lives in signed, schema-checked configuration. Load, verify, validate, then activate. Shipping policy through config lets you move fast without rebuilding the binary or risking regressions across markets.
From subclasses to composition
Modularity that survives reality starts with a small, hardened core and composable flow modules around it. The core handles attestation, cryptograms, secure storage, and network hygiene. Modules assemble onboarding, provisioning, authentication, and instrument selection. Prefer composition over subclassing; composition lets you add or swap modules without leaking assumptions into host apps.
From velocity to backward compatibility
Compatibility isn’t keeping a method around-it’s preserving behavior users rely on. Persisted formats, keystore aliases, and wire envelopes must remain readable for years. When you migrate storage, ship dual-readers and a one-way migrator, then keep the old reader for at least a major cycle. Version endpoints and payloads; make readers tolerant of unknown fields; advertise SDK capabilities so servers don’t guess.
From strings to systems
Localization is where global products quietly fail. Externalize every string, legal clause, and layout hint. Use ICU message syntax for plural and gender rules, test right-to-left and mixed scripts, and treat consent language as signed content that can update without a store release. Layouts should flex to long German nouns and narrow devices before your users do.
From customization to a single trust boundary
Security is the part that never negotiates. Keys stay in platform-backed secure storage. All calls use mutual TLS with pinning and disciplined retries. Device integrity and runtime checks precede sensitive operations. Secrets never hit logs or crash reports. Tenants can change flows and copy, but cryptographic paths remain identical for everyone.
From clever APIs to safe defaults
Developer experience is a security control. Clear, minimal surfaces with strong types and predictable errors make the safe path the easy path. Ship encryption on by default, sanitize logs, and standardize retry semantics. Support older OS versions gracefully and fail soft when features aren’t available. Good docs complete the guardrails: short examples, plain-language threat models, and exact deprecation timelines.
From test cases to test matrices
Multi-tenant means multi-state. Build a golden kit of reference configs, canned backend responses, and replayable traces. Run integration suites across OS versions, CPU architectures, locales, script directions, and device-integrity states. Test upgrades from multiple historic SDK versions, not just the last one-serial migrations reveal the gremlins you’ll see in the wild.
From launches to rollouts
Staged deployment is your parachute. Tie rollouts to telemetry guardrails, expand exposure as health stays green, and keep an instant kill-switch for risky flags so you can disable features without waiting on app-store review. Practice rollback like a fire drill; calm releases are rehearsed releases.
From noise to signals
Telemetry should help you learn without collecting what you shouldn’t. Track flow steps, error codes, and performance budgets, but hash or tokenize identifiers and keep PII out. Tag events with SDK version, config version, locale, and capability set so you can compare tenants accurately and tune defaults to real completion rates-not lab benchmarks.
From many experiences to one foundation
The quiet success of a multi-tenant SDK is that it disappears. Tenants see their brand, language, and policy reflected back, yet everything rides on the same hardened core. Under the logos, one framework manages trust across markets and devices. That’s the point: one artifact, many personalities, consistent guarantees. When your software can hold all those differences together-securely, gracefully, and invisibly-you haven’t just shipped an SDK. You’ve built infrastructure for trust.
Leave a Reply