Once you've completed development and thoroughly tested your Miniapp, it's time to prepare it for the security review, once you pass the security review, you can go live! The first step in this process is obtaining a UAT/test permanent QR code that will be used for the security test.
The Security Team conducts a thorough review of your Miniapp according to standardized security frameworks. In average cases, the security team will report back to the Miniapps development team multiple security issues that need to be patched.
Before proceeding, ensure you have:
Log in to the Super Qi Console and navigate to your Miniapp. Select the UAT/test version that you want to release to production.

Click on the "Apply Release" button.

This will initiate the process of generating a permanent QR code for your Miniapp.
A confirmation popup will appear. Review the details and click "Apply" to confirm.

After clicking "Apply", wait a few moments and then refresh the page. You should now see your permanent QR code displayed.

This QR code is unique to your Miniapp and will be used for the security review.
Once you have obtained the permanent QR code, follow these steps:
Send an email to hani.salih@qi.iq and CC mouamle.hameed@qi.iq with the following information:
Example email:
To: hani.salih@qi.iq
CC: mouamle.hameed@qi.iq
Subject: Miniapp Security Review Request - [Your Miniapp Name]
Hello team,
Our Miniapp "Example App" (v1.0.0) is ready for production release and security review.
Attached is the permanent QR code.
Miniapp Name: Example App
Miniapp Purpose:
This Miniapp is an e-commerce platform that allows users to browse products, add items to cart, and make payments using QiCard. Users can view their order history and track deliveries.
How it operates:
- Users authenticate using my.getAuthCode and applyToken
- Product browsing and cart management
- Payment processing via cashier payment flow (my.tradePay)
- Order tracking and history
API Documentation:
- Swagger: https://api.example.com/swagger
- Postman Collection: https://api.example.com/postman-collection.json
- Manual API description: Our backend exposes REST APIs for product management (GET /api/products, POST /api/orders), user authentication (POST /api/auth/login), and payment processing (POST /api/payments). All endpoints require Bearer token authentication. Request/response formats follow JSON standards.
Test User Credentials:
We will provide a dedicated test account in our dashboard for your security testing with the following roles:
- Admin Role (full access to dashboard and administrative functions)
- Regular User Role (standard customer access)
Username: securityTestUser
Password: abc123
Please proceed with the security review.
Thank you!
After you submit the email:
After receiving security approval, proceed to Merchant Registration to complete the production release process.