#MMunir
Hi there
Can you clarify what you mean by "retrieving the PaymentIntent is risky"?
People in the forum say that someone can change the JS on the client side to fetch the whole PaymentIntent, and things which are not mentioned, they can see all the details. I was confused, that's why I came here.
Like, client-side JS can fetch server-side JSON details.
No
You can only fetch non-sensitive PaymentIntent details from the client
See the list of "RETRIEVABLE WITH PUBLISHABLE KEY" in our API ref: https://stripe.com/docs/api/payment_intents/object
We don't recommend embedding the PaymentIntent object or its client_secret anywhere. But it isn't sensitive to retrieve it if you are storing it in a cookie for instance.
I was trying to create a success page that shows the name of the person, cause, amount, email and status of the payment, just like an order confirmation page.
Like I did above, so it's fine, right?
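$app->get('/order', function (Request $request, Response $response) {
    // Checkout Session ID passed by the client in the query string
    $id = $_GET['sessionId'];
    // Look the session up server-side with the secret key
    $checkout_session = \Stripe\Checkout\Session::retrieve($id);
    // Sends the entire Checkout Session object back to the browser as JSON
    echo json_encode($checkout_session);
});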
This is the thing which I used to retrieve some info.
Yep here you are retrieving the Checkout Session and using that data to display a confirmation page.
Yep that looks good
That said, if you want to be extra safe here, you would just echo back the necessary pieces.
Not the entire object
Thanks, that was such a relief.
I can do that? Like how, if an example can be shown?