# Micha - client secrets
Can you tell me a bit more about what you are storing them for? Also are you using one of our server side confirmation flows or one where the payment is confirmed on the client?
Hey, thanks. We are using the server-side confirmation flow. Essentially we have a central payment processing app that notifies our other client apps of any outstanding payment actions required. The idea here is that we want to pass the client_secret along via webhook notification to our client apps in order to notify the customer that SCA is required. In order to do this, we may need to at least temporarily store the client_secret.
I've noted that the Stripe docs indicate the client_secret shouldn't be logged or shown to other customers, but it's not quite clear to me whether that means we shouldn't be storing it on our end either.
Gotcha, thank you for clarifying. I think that makes sense to me as a use case. In our docs we are mostly trying to recommend ways to keep safe against card testing: where a bad actor takes a client secret and public key and tries to confirm the payment with many different card numbers to see which ones are legitimate.
The other thing I can think of that you could do here would be to pass just the payment intent ID along and look up the client secret on the other side of the webhook, but I'm not sure if that is really more secure here.