#Enguerran | Suiswap

Hi there!

I'm not sure I follow... you see PaymentIntents created on your account that you didn't create yourself?

Yes exactly ...

If so, I would recommend to check that your secret API key wasn't leaked (and if it was, make sure to roll it). And also check https://stripe.com/docs/disputes/prevention/card-testing

Is their a way to know where come from a POST /v1/payment_intents request on your side ?

Just to know if the failure come from my backend or from a leaked of my API key

Can you share a PaymentIntent ID (pi_xxx)?

Yes : pi_3MrhD9H0XDaR4Pyv0haov436

An other one : pi_3MrgvQH0XDaR4Pyv1RsA39pJ

Hi 👋 jumping in as my teammate needs to step away soon. Thank you for sharing that, I'm pulling it up.

The requests to create those Payment Intents can be seen in your Stripe dashboard:
https://dashboard.stripe.com/logs/req_25z99oJM0XWh6M
https://dashboard.stripe.com/logs/req_553F5IUWgy90MH

I believe that view shows you the IP addresses that the requests came from that you can check against your systems. At first glance it does seem a little odd that those requests don't include a user-agent value, but I'm not sure if that is typical for your integration.

MMmhhh really strange, coming from india, germany .. and not from my system

So it's look like to be a API key leaked, but how is it possible, my system is fully sercured 😅

Gotcha, sounds like rolling your API key promptly is the best action here then.

Yes because look, this is a correct payment intent :
pi_3MqHFcH0XDaR4Pyv1tlVnNXa

their is no way to filter the request without USER AGENT data ?

For exemple, if the request not include User agent data, simply the creation of the payment intent ?

I don't believe so.

ok thanks !