#stickyou69
Hi there 👋 I'm not quite sure I'm understanding. You're saying the return URL that you're being redirected to after a payment has been completed contains the client secret in that URL?
Or is it passing the client secret to the front end that you're hesitant to do? That's safe to do, and a lot of functions in our client-side library need a client secret to use. You should avoid logging that secret though.
yes it is contained in the url
it adds to the return url
?payment_intent=xxx&payment_intent_client_secret=xxx&redirect_status=succeeded
this exposes to the url
also last time I asked this you guys said it was not an issue
but now I see in the docs it is not good to expose secret
It's not good to log that secret, and you should try to keep it as secure as possible, but at the end of the day it's a secret that is designed to be sent to client-side code so it's not possible to avoid exposing it altogether.
yes but in the url is a different story
say if they are streaming or making video
or send it to someone for whatever reason
If they're hitting your return_url, then I'm pretty sure the payment has completed at that point and the client secret no longer holds any power
could be processing and then failed
and then still holds power?
I can retrieve the secret using api so it's not visible, but the stripe js will still include it in the url... can I configure it to stop
Not that I'm aware of
or can the confirmation / return url use only the payment intent id for checking status
rather than secret & id
No, not that I'm aware of