#nickdnk

I can't find the request that allegedly did this, and it was "From Stripe" on the event log:

I believe its the confirmation limit on PaymentIntents

What's that, never heard of that

looking if we have any public docs on this but in order to counter card testing attacks, we've limited confirmation limit on PaymentIntents/SetupIntents to 10 attempts

Alright. Is there a webhook for this or a special error code I can use to handle it?

Aside from payment_intent.canceled which is fairly generic

I don't believe there's a separate webhook endpoint for this. Merchants can track this themselves on each confirmation call (or each payment_intent.payment_failed event)

Alright, I'll just code in with the canceled webhook

NP! I really thought we had a callout about the confirmation limit in our public docs. We'll flag this internally and see if we can get the docs updated

Yes this kind of took me by surprise

I had not at all considered this an option

Not sure on the best strategy for retries though

Obviously the limit is there for a reason, but 10 is pretty low and evident from this problem it's possible to reach for an actual user

Do I just create a new payment intent and replace it?

The links are non-public so it's not like anyone can scrape the endpoints and use them for card testing

You would have to steal an actual payment link from someone and card checking would then only work until the actual customer paid

Yeah you'd just create a new PaymentIntent once the limit has been reached. You might also be able to request a higher limit via support, our team won't know what the exact requirements are but I bet our support team might be able to help
https://support.stripe.com/?contact=true

okay I'll try