#dennis_de

Payment ID: pi_3MhVMyJZUpJ6fJ990SrBbiXn

We use Stripe Elements to collect the payment method

Hey! Sorry for the delay

Taking a look

Can you clarify the ask here? In the example you shared, 3DS was requested by the bank and we're awaiting that flow to be completed by the user.

Just a moment, I'm on the call right now. I'll be in touch.

So I'm back

The payment method was added although the user cancelled the authentication. How is this possible? Our marketplace works like this: the customer enters their payment method when placing the order, Stripe creates it and then later when we write the invoice we use the payment method and debit it. We don't have the possibility to ask the customer for 3D-Secure at this point (because it's time-delayed). How can we manage that a payment method that requires 3D-Secure is not created until the customer has confirmed it?

Normally when I look at other payments, it has also worked without problems. This seems to be the first case where our processes can be overridden.

The payment method was added although the user cancelled the authentication. How is this possible?
That doesn't seem to be true from what I can see. It doesn't even seem like auth was attempted. But anyway, sure a user can cancel/leave the authentication flow. Maybe they change their mind about the purchase, or think they'll come back to it later.

Sorry, I don't really understand your use case. Are you customers off-session when you initiate the payment?

When adding a payment method via Stripe Elements, we want to make sure that it can eventually be charged.

Yes, but are those payments MIT (merchant initiated), where the customer is not necessarily present to perform auth if requested?

In our tests before, when adding was always redirected to the bank's website even if 3D Secure was required, if he then cancels the process, we also do not create them at all

Correct.

We authorize the means of payment and do not post until later.

Then you're likely going to need to adjust how you integrate with Stripe. You need to flag the payments as off_session: https://stripe.com/docs/api/payment_intents/create#create_payment_intent-off_session

But if the user cancels, no setup_intent.succeeded webhook should be sent. Shouldn't it? Because we pay attention to that.

Yes, both SetupIntent and PaymentIntent are off_session

But you're not passing that parameter when you create the PI: https://dashboard.stripe.com/logs/req_AJ7vMYGSGKqmom

As such, we can't inform the bank that it's a MIT and request SCA exemptions to prevent 3DS

One moment

The docs state "secret key only" for off_session when confirming a payment intent in a separate API call. But we can pass off_session in our case on the backend site, correct?

You'd pass it when creating the PI on the backend with your secret key

But can we pass it after creating the PI with confirm=false and then calling the confirm-Endpoint in a separate call with off_session=true? We cannot pass off_session=true when creating the PI with confirm=false (this results in an API error), but we have to create and confirm the PI in 2 calls in our side

Hey! Taking over for my colleague. Let me catch up.

Why you want to pass confirm=false?

We need to confirm the PI in a second step due to internal actions that require the PI ID before the PI is confirmed and webhooks are fired

Basically we only need to know if creating the PI with confirm=true and off_session=true works the same way as creating the PI with confirm=false and then confirming the PI with off_session=true in a second API call on the backend side. You docs state off_session=true when confirming the PI is "secret key only". We tried in test mode and did not get an error but we want to make sure.

Our lead developer is joining us here now, he may be able to explain it better

^ that would be me, hi

I think I just got lost in your docs for a second and got confused by the "secret key only" as I was switching between JS and API docs ... everything "secret key only" should be writable with our API key on the backend side, right?

everything "secret key only" should be writable with our API key on the backend side, right?
Yes

Okay, so just to be sure here: Creating the PI with confirm=false and then confirming it in a second API call with off_session=true works exactly like passing confirm=true and off_session=true immediately when creating and confirming the PI in a single call?

I just did a test, and you can do that yeah.

Great, thank you a lot. It's been a long week, so please excuse my brief confusion there 😄

No worries, don't hesitate to come back if you have any follow up Questions 🙂

Perfect, have a nice weekend!

Thanks you too.