#guess_code

Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.

• guess_docs, 19 hours ago, 20 messages

👋 Welcome to your new thread!

⏲️ We'll be here soon! We typically respond in a few minutes, but in some cases we might need a bit more time (e.g., server's busy, you've got a complex question, etc.).

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1250704008981643397

📝 Have more to share? Add details, code, screenshots, videos, etc. below.

Webhook integration should be on the server. I'd recommend checking this guide: https://stripe.com/docs/webhooks

Ok, river. Thanks and really sorry for bothering. Be are junior on this matter and a lil' afraid of the whole universe that represents Stripe. However it's so well integrated that keeps us going 🙂

So, mainly your answer means that

independently of using PaymentSheet we could receive the info back on our server through the webhook, right?

Yes, that's right!

Thank you, for the info. We will keep going 💪

No problem! Happy to help 😄

(I didn't want to implement it all to discover we couldn't)

Hi again, regarding the same matter... we are testing through stripe CLI the webhook on our server

it runs fine. However we have a 403 ERR because ... we haven't granted Stripe an auth token to the server. Is there any way to do it or... we must unprotect that endpoint? I find it scary because I understand it should be safe since it works with Stripe webhook secret. Still, we found it a bit scary. Could you shed some light, please?

Unprotecting just the /webhook endpoint works but I still need your expertise to keep my soul in peace assuring it's safe 😄

Stripe CLI simply forwards the event to your local or specified endpoint. If your server doesn't allow Stripe CLI to forward the event, I'm afriad there is no other workaround

Yes

But I wanted to ask, in a production server

should we allow our endpoint /webhook to be unprotected?

and yet safe through stripe webhook secret?

(because I don't want anybody to be sending petitions of confirmations or cancellend operations to our endpoint)

In production server, you shouldn't need to use Stripe CLI. You will create an endpoint and use webhook secret to authenticate the request

Webhook secret should be secured safely in your own system and shouldn't be shared with anyone else

Alternatively, you can configure your server to only allow the IP addresses from Stripe: https://docs.stripe.com/ips#webhook-notifications

Ok, yes. My bad about the communication. Sorry for my English. Yes I meant in production, and yes not using CLI, but the secret should be enough. Ok. It was still a bit scary since maybe there were any other measure to guarantee the safety of the communications Stripe servers - our own server /webhook

I understand. Thank you so much

No problem! Happy to help 😄

(really, thank you for your job)