#pure_docs
Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.
- pure_apple-tokens, 1 hour ago, 16 messages
- pure_ece-callback, 10 hours ago, 27 messages
- pure_elements-ece-stripejs, 3 days ago, 28 messages
- pure_docs, 6 days ago, 24 messages
👋 Welcome to your new thread!
⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.
⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.
🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1235820095591153756
📝 Have more to share? Add more details, code, screenshots, videos, etc. below.
hello! can you elaborate on what you're trying to do in slightly more detail?
I'm wanting to integrate with Stripe doing a server-side auth and want to be sure of notifications around payment declines.
So, essentially, in a confirm event, calling stripe.createConfirmationToken and if the server-side auth fails, then use the paymentFailed callback.
I don't know the answer to this off the top of my head unfortunately. You will probably need to test it out yourself to see if it works.
Got it. Also, a follow-up question. The Apple PKToken that is used to generate the Stripe token upon a confirm event - are these one-time use? (https://developer.apple.com/documentation/passkit_apple_pay_and_wallet/pkpaymenttoken)
It should be reusable, you would create a PaymentMethod and use it in the PaymentIntent with setup_future_usage, or convert the Stripe Token into a Payment Method and attach the PaymentMethod to the customer
Right, but if someone else managed to get the pk_token after I used it, would they be able to create another payment method using it?
I'm asking in the context of the security of the token.
without the corresponding cert, there's no way someone else can use that pk_token to create another Stripe Token
so replaying the request that created the stripe token in the first place would not result in another stripe token?
(assuming the cert is passed in the request to create the stripe token)
To clarify, you need to upload the certificate generated by Apple to your Stripe account so that Stripe can decrypt the PKToken payload
when you say replay request, replay what to where / who? If someone attempts to resend the same payload to another Stripe account, it won't work (i.e. they can't decrypt the PKToken payload) if they don't have the corresponding Apple cert uploaded to their Stripe account too
when you say replay request, replay to where / who?
replay to my Stripe account to generate a Stripe token that corresponds to the same merchant account it was initially created for. So basically, just make the same exact request and create a new Stripe token.
Also, for the certificate requirement, is this only required for App purchases? I didn't see anything related to Web Safari requirements for this.
Hi @jovial urchin I'm taking over this thread, let me know if you have follow-up questions
👍 Just those listed in my last response
Yes, the certificate is a requirement if you are using Apple Pay in a native iOS app
But is it a requirement if not using the iOS app? Such as Safari Web.
Then it's not required
Alright, and if someone gets that PKToken, they wouldn't be able to generate a Stripe token using it on Web Safari given that there's no certificate requirement?
To clarify, are you referring to PKPaymentToken https://developer.apple.com/documentation/passkit_apple_pay_and_wallet/pkpaymenttoken ?
yes
replay to my Stripe account to generate a Stripe token that corresponds to the same merchant account it was initially created for. So basically, just make the same exact request and create a new Stripe token.
If you have already created a Stripe Token, why do you want to make the same exact request and create a new Stripe Token?
I mean in the context of security, could someone else do this?
Can you elaborate about what security concerns you have here specifically?
like how do you expect someone to misuse this flow?
If they have access to one of my customer's PKToken, could they use that to create a Stripe token against another merchant account or my own?
so off the top of my head, I'm not entirely sure if you can reuse the same PKToken. To answer your specific security concern though, there are multiple barriers that a bad actor would have to pass through first: 1) assuming that it's against another merchant account, the bad actor would first need to get access to your Apple cert to upload to their own account such that Stripe can decrypt the PKToken. 2) assuming that it's on your own account, the bad actor would need to have your secret key.
If the bad actor has your secret key, you have many other more serious things to worry about besides them only misusing the PKToken
in short, you should ensure that your secret keys and certs are kept secure
I'm not sure why the secret key would be needed? The PKToken is used to create a Stripe token on the front-end with just the publishable key.
the bad actor would first need to get access to your Apple cert to upload to their own account such that Stripe can decrypt the PKToken.
Does Stripe provide us with an Apple cert on our behalf in the use-case of Web Safari, since it's only a requirement on iOS?
The cert setup step for using PKPaymentToken is the same as the one for iOS in https://dashboard.stripe.com/settings/payments/apple_pay (Under iOS certificates section), so that Stripe can decrypt the PKPaymentToken from Apple Pay token
I don't believe there is a cert setup for web, just domain verification
Stripe will generate a certificate signing request (CSR) which contains the key. You will use that CSR to get a certificate from Apple, then you upload that certificate to us. At that point Stripe has both the key (because we made the CSR) and the certificate, and can then validate and decrypt PKPaymentToken values created with it.