Users cannot initiate malicious requests just by having access to the customer id or app token. To complete a pay request for instance, the SDK requires a payment intent id which has to be created via a secure MTLS call.
Can anything harmful be done using the SDK if someone was able to obtain the app_token and customer_id?
