#chip


magic saddleBOT
rocky willow
#

Hello 👋
I don't think we have any docs for recommendations as such, but the safest way is to only disclose/expose the information that is necessary for your client-side code to work.

arctic sleet
#

Yeah, that's a good point 😄

The flow I am looking at right now is to go from the cart page -> create intent -> get clientSecret -> redirect to the checkout page with the clientSecret as a URL param, or saving the clientSecret in the database with an expiry date, and then use the ID of that column to fetch the clientSecret.

Something feels off about having the clientSecret as a URL param, as it suddenly doesn't become "that client's" secret anymore 😄

rocky willow
#

clientSecret is safe to share with your client-side code as it can only be confirmed using your own Secret API key

#

OR your publishable key on client-side

arctic sleet
#

Alright, then we'll try urlParam first and see how that works out. Thanks.

Would be nice to have some do's and don'ts for custom flows. I feel like there's always a chance of making some mistakes, but I can make a suggestion on the docs if I see fit 🙂