#timraybould_unexpected

feral tundraBOT
#

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1228047197933932594

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

stark beaconBOT
bleak vault
#

Hi 👋

Do you have examples of the failing requests?

harsh temple
#

Hi, yes. req_c4qXSeaBc03jfQ

#

another: req_7bzVm73Fsgj1cn

#

third (let me know if you need more): req_3rxLavdqsWaUuX

bleak vault
#

The error being returned says your Stripe app needs to request more permissions

harsh temple
#

exactly. But I have verified that my app has read_write for PaymentIntents for this connected account.

bleak vault
#

Can you share the contents of your app manifest here?

harsh temple
#

do you just want the permissions array in stripe-app.json? or just want my app id?

#

apparently I cannot send long messages in Discord

#

The relevant permissions are:

    {
      "permission": "payment_intent_read",
      "purpose": "To conduct all transactions"
    },
    {
      "permission": "payment_intent_write",
      "purpose": "To conduct all transactions"
    },

bleak vault
#

The errors I am seeing for this request suggest

  1. It did not have the PaymentIntent permissions
  2. You need payment_method_read also

harsh temple
#

I do have that one as well.

    {
      "permission": "payment_method_read",
      "purpose": "To complete checkout"
    },
    {
      "permission": "payment_method_write",
      "purpose": "To complete checkout"
    },

bleak vault
#

Have you always had these permissions as part of your app?

harsh temple
#

payment_intent_write I added 2 versions ago (about a month ago), however, I have verified that the user is on the latest version, and, had her check the specific permissions and she confirmed it says "Modify" next to PaymentIntents

bleak vault
#

I am looking at the key used to make this request. It's just your publishable key

harsh temple
#

Interesting.

feral tundraBOT
harsh temple
bleak vault
#

You said this is being created in a Checkout Session. What is creating the Checkout Session?

harsh temple
#

My backend, in node:

    const stripe = require('stripe')(body.livemode === "true" ? process.env.STRIPE_SK_LIVE : process.env.STRIPE_SK_TEST)

#

and can confirm that STRIPE_SK_LIVE points to my live key

#

here's the checkout session creation request, from one of those error examples: req_W7zMjXMqqyJFcj

#

I'm not sure how/why or if it matters, but the API version on the checkout session post request is 2023-08-16, while the API version on the payment_intents/:id/verify_challenge endpoint is 2022-11-15.

bleak vault
#

And where is this Checkout Session being rendered?

harsh temple
violet wren
#

hey there, taking a look as my colleague needs to step away soon

harsh temple
#

ok. thank you.

violet wren
#

Is this something that you can reproduce in test mode too? I'm not able to test the flow on a live mode session that will result in payment

harsh temple
#

I haven't been able to reproduce in test mode. It does seem to be related to that pk_ in the POST request

#

any ideas? trying the test 3DS secure cards but can't trigger this specific error

#

seems like js.stripe.com is calling /v1/payment_intents/:id/verify_challenge and that call is failing because of a permissions issue.

#

my backend creates the checkout session and it's rendered on the web, client side. The checkout session is created with my sk_, however, further calls from the client that need to be made by js.stripe are made with pk. Normally everything works fine but in the case where js.stripe needs to call /verify_challenge, it's failing.

violet wren
#

All those stripe js calls are handled by checkout, so that bit shouldn't be affected by your integration

harsh temple
#

might be a stripe bug?

violet wren
#

Possibly - still looking, and going to talk to some teammates.

harsh temple
#

ok. thanks. will be here 🙂

violet wren
#

Is this happening on all sessions, or just a subset?

harsh temple
#

just a subset. small subset

#

across 2 or 3 of my customers

#

but it seems to be happening a lot more with one customer, and they are currently frustrated that transactions aren't going through. it definitely seems related to the card having to go through an extra verification step. fwiw I know one of the recent ones was trying to use a discover card

#

sorry, not "related" ... it seems exactly connected to the card having to go through an extra verification step

violet wren
#

Gotcha, thanks

#

This does seem like a bug on our side -- we're digging into code

harsh temple
#

ok

violet wren
#

Ok yea this seems like a bug in permissions on our side. Can you please write in to support using https://support.stripe.com/contact/email and include these example failed requests and a short summary?

#

If you can do that in the next ~30min I can make sure the issue gets to the attention of the team that needs to look at this

harsh temple
#

ok. will do it now

violet wren
#

In short, your existing permissions for checkout_session_write should allow all of this implicitly

harsh temple
#

ok, email sent. got the canned response, no ticket number

#

do you have an estimate on when this might be fixed, given it's currently preventing orders from going through?

violet wren
#

You should be able to see the case in your Dashboard, I think, but it's case 12777342 for your reference

harsh temple
#

should i update the API version?

violet wren
#

For what? But no, I don't think that would be related

harsh temple
#

I have this option to upgrade my api version

violet wren
#

You can, that's up to you, but unrelated to this issue

harsh temple
#

ok. thanks for the help. no guess on the timing question for the bug fix?

violet wren
#

No, not specifically, but I found your case and am reporting the bug now

harsh temple
#

How about non specifically? My customer is selling tickets to an event, and, I could probably get away with telling her it'll be fixed tomorrow, but, if it's going to be several days or longer, I should probably tell her that we need to think of something else.

violet wren
#

I would not say you should expect it resolved tomorrow, no

harsh temple
#

ok. last question. do you know specifically the scenario that is causing a transaction to hit the bug? Maybe we can seek to manually avoid that scenario somehow in her ticket sales. Like prevent Amex or something.

violet wren
#

It looks like it might be automatic captcha related, but I can't say specifically

#

It could also be a card 3ds challenge as you say

harsh temple
#

automatic captcha... is there more detail on that? is there a way to trigger that in test mode that you know of?

#

is it stripe that's deciding to show a captcha in some cases? possible to get her account on an allowlist?

#

is there possibly a fraud detection setting that she could turn off?

#

ah ha...

Also, on each page where you load Stripe.js, it may load hCaptcha. hCaptcha is a type of CAPTCHA that helps stop fraud and provides additional signals to Stripe while being low friction for legitimate customers. To opt out of use of hCAPTCHA integration, reach out to Stripe Support.

#

Can you opt her account & mine (?) out of hCAPTCHA?

violet wren
#

I can't make that change here unfortunately, but you can request that via Support

#

You can test using the card 4000000000001208 in test mode to see if that allows for repro in test mode

feral tundraBOT
harsh temple
#

that's the 3ds one? yeah I've tried that, no luck.

#

actually, no, that's the captcha one. YES that did it

#

I can now reproduce in test mode

#

could you share which stripe doc page that number came from?

rocky hull
#

👋 stepping in for my teammate. Thanks for testing with that card! You're right, this is a card number that is not documented. I recommend getting in touch with our support team to request they turn off hcaptcha for your account. They may request more information on your use case for turning it off

harsh temple
#

ok, thanks. for my account as the platform account or the connected account (or both)? Do you think that would help for Stripe Checkout or only stripe.js?

rocky hull
#

It should be requested for your platform account (since you're making requests in a Connect context).