#Ninja man
Hello! We have an API where you can list Subscriptions here: https://stripe.com/docs/api/subscriptions/list
There's also an API for searching Subscriptions: https://stripe.com/docs/api/subscriptions/search
Oh no i mean the subscription products i have in the dashboard
like the one i sell
to be able to display them on the website
Oh, so Products and Prices?
We have similar APIs for those: https://stripe.com/docs/api/products/list
Okay nice thanks.
New question:
How to make sure no hacker could use my Next JS api endpoint to create a checkout session?
You will need to make sure you have appropriate authentication on your sensitive endpoints, using whatever technique is appropriate for your application
but i don't have any auth on the web app
also checkout session is prob not very sensitive right?
You asked about preventing abuse of your endpoint, you'd need auth of some kind for that, or other abuse mitigations.
well yeah, but, for instance the stripe webhook endpoint uses the stripe-signature to check it. And for this endpoint, it's very sensitive as here orders are saved in the DB. But for the checkout session endpoint, it only calls stripe to create a new checkout session and returns the url for the checkout session. Would you consider that as something that needs to be behind authentication?
Not necessarily, no, since we do the equivalent of this automatically with e.g. Payment Links. But it could depend on perhaps whether you use existing customers or not, where you wouldn't want to expose that to other users.