#pl_api

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1274950920781959189

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.

• pl_api, 2 days ago, 43 messages
• pl_api, 3 days ago, 9 messages
• pl_api, 3 days ago, 13 messages
• pl_api, 5 days ago, 28 messages

I don't see any expiration for client_secret in any public doc

But why do you want to keep a client_secret long-lived?

We don't want to make it last longer.
If anything, it is because we need to control correctly, for example, if there is no user interaction after the issue.
It is good if we can at least know the actual length of time.

If it is not customisable, we would also like to know whether unused client secrets that have already been issued become unusable when a new client secret is issued.

What do you want to customize?

expiry date, only validate the latest, and so on. This is an example, we are not saying it is necessary.

I still struggle to understand your inquiry, what do you mean by cusotmize "expiry date" ?

expiry of client secret.
For example, a client secret was issued from the server and used on the front end of the app to generate a form for Payment input, ready for PaymentMethod registration.
Suppose this is not submitted and the secret is taken away, e.g. by a browser hijacking.
To squash these risks, temporary keys at the time of authentication often have an expiry date set. We are asking for the expir of the client_secret generated from SetupIntent for the same purpose.

I'm asking about values like this one for client secret in SetupIntent.

https://docs.stripe.com/customer-management#customer-portal-features

Ephemeral sessions Portal sessions are temporary. New portal sessions expire after a 5 minute period. If a customer uses it within that time period, the session expires within 1 hour of the most recent activity.

I believe I've told you that there's no expiration for client_secret

What made you think there's a expiration for client_secret ?

I was told that there is no mention of this in the documentation.
I was not aware that the value itself did not exist.
So the expiry (validity period) for client secret is unlimited?

I don't think it's necessary to repeat the answer for the same question. Feel free to let know if you have any other questions.

The documentation does not say whether the client secret can be used indefinitely.
I ask about this specification. I have not yet heard this answer.
I have heard that "there is no mention of it in the documentation."

You say that you repeat the answer to the same question, which means yes. Understood.

There is only one other point of concern.

expiry date, only validate the latest, and so on. This is an example, we are not saying it is necessary.
If a new client secret is issued, are unused client secrets issued in the past still valid?

Yes, past client_secrets are still valid