#coltbg
Hi there
What is "stripe page" here?
You are seeing a card pre-filled in a Checkout Session?
Gotcha, if you don't want that to occur then you need to detach the PaymentMethod from the Customer
Otherwise it will be pre-filled as we indicate here: https://stripe.com/docs/api/checkout/sessions/create#create_checkout_session-customer
Is there any option to disable CC details on the customer record, or do I need to create a new customer ID on every donation (which is a subscription), even when the email address provided is the same?
Like disable the credit card being saved to the Customer after the Checkout Session is completed?
yes
No, for Subscription Checkout Sessions that isn't possible.
I'm confused.
Why do you want to do this?
On my donation site, which does not require user login, a user can subscribe for donation.
But later, if someone from another computer tries to make a donation with the same email address (my server matches the email with the customer ID and passes it to Checkout create session), on the redirected page the user will be able to make a payment with a card which is not owned by him.
Gotcha
So really what you want here is a better authentication mechanism on your end than just email.
Like you need an email/pw combo
And you only allow for one Customer per email
Otherwise they should use a different email and then you create a new Customer
Hypothetically, if some hacker in the future or even a malicious employee obtains my Stripe sk, they can make a request to Stripe to get all my subscribers' customerIds. Then all they need to do is use my **sk** + **customerIds** to open a Stripe page with prefilled data.
I was hoping Stripe doesn't provide such easy access to my subscribers' details.