lewis_personalize-succes-page-for-ece-with-payment-intent-api | Stripe Developers | Page 1

devout reefBOT Nov 25, 2025, 10:51 PM

#

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1443011151330939001

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

#

ocean path Nov 25, 2025, 10:53 PM

#

Hi there,
when you say "personalise the confirmation page", what do you mean? What do you want to do?

ionic helm Nov 25, 2025, 10:54 PM

#

Hey! Similar to this example https://docs.stripe.com/payments/checkout/custom-success-page?payment-ui=stripe-hosted#create-the-success-page by having the customer name "Hey [name], thanks for your order..."

ocean path Nov 25, 2025, 10:55 PM

#

Ok got it. You are hosting the success page? Meaning you are creating another page/site in your integration to redirect after the checkout session completes?

ionic helm Nov 25, 2025, 10:56 PM

#

Yes currently I use the express checkout then pass the success page url through the confirmParams 'return_url'

#

its slightly different to the example as there is no session_id, the return_url adds the payment_intent_id and the client_secret to the success page

ocean path Nov 25, 2025, 11:00 PM

#

do you mean the client_secret of the checkout session or the payment intent?

ionic helm Nov 25, 2025, 11:00 PM

#

the payment intent

#

an example url it gives is: [success_page_here]?payment_intent=x&payment_intent_client_secret=x&redirect_status=succeeded

ocean path Nov 25, 2025, 11:04 PM

#

Ok, so you can basically follow this guide https://docs.stripe.com/payments/checkout/custom-success-page?payment-ui=embedded-form#return-url but instead trying to fetch the checkout session using the checkout session client secret and the stripe.checkout.sessions.retrieve endpoint, you can use the List all Checkout Session API with the payment intent's client_secret as paramter https://docs.stripe.com/api/checkout/sessions/list#list_checkout_sessions-payment_intent

#

Oh wait, you are using Express Checkout with the Payment Intent API and not the Checkout Session API, correct?

ionic helm Nov 25, 2025, 11:06 PM

#

so will this mean the client_secret in the url is being used as a secure "token"

ionic helm Nov 25, 2025, 11:07 PM

#

ocean path Oh wait, you are using Express Checkout with the Payment Intent API and not the ...

yes express with the payment intent api

ocean path Nov 25, 2025, 11:16 PM

#

Ok then you should be able to retrieve the Payment Intent using the API [0], and expand[1] the payment_intent.payment_method[2] and there you find billing_details[4]

[0]https://docs.stripe.com/api/payment_intents/retrieve
[1]https://docs.stripe.com/api/expanding_objects
[2]https://docs.stripe.com/api/payment_intents/object#payment_intent_object-payment_method
[4]https://docs.stripe.com/api/payment_methods/object?api-version=2025-11-17.clover#payment_method_object-billing_details

ionic helm Nov 25, 2025, 11:19 PM

#

the only issue I have is, since payment_intent_ids take a while to expire and someone spama urls theres potential for user info to be displayed

#

is there a way to fully secure this?

ocean path Nov 25, 2025, 11:19 PM

#

neither the payment intent id nor the payment intent client secret expire. I am not sure what you are asking?

ionic helm Nov 25, 2025, 11:22 PM

#

ah okay! if a user repeatedly requests urls with different payment intent ids, there’s a small chance they might find a valid one that exposes user info, even if I’m not displaying sensitive info, this would still be a potential risk, right?

ocean path Nov 25, 2025, 11:28 PM

#

I see. generally speaking you can retrieve the payment intent in two ways. Either a server side request using the Payment Intent API [0], which uses the Payment Intent ID. Or a frontend request using StripeJS[1] and the client_Secret. Both approaches are generally safe. But we do generally recommend the server-side implementation because it gives you more control about security measures

[0]https://docs.stripe.com/api/payment_intents/retrieve
[1]https://docs.stripe.com/js/payment_intents/retrieve_payment_intent

#

Regarding your question if a malicious person could try differen Payment Intent ID to receive other peoples data. Theoretically this is possible but given that the ID is up to 32 characters. The likelihood for a malicious person to find a valid Payment Intent ID that also exists on your account is very low

ionic helm Nov 25, 2025, 11:31 PM

#

is there a recommended approach at all for personalising the success page using the payment intents api? I could see only showing the client name for x minutes after the id is created, but its still not fully secure

ocean path Nov 25, 2025, 11:33 PM

#

Well that really depends on the integration you are setting up. You can for example require a login before payment etc. or other saftey mechanism but that is all completely up to you and outside the scope of what we offer.

ionic helm Nov 25, 2025, 11:34 PM

#

ah okay I see

#

thank you for the help! I appreciate it

ocean path Nov 25, 2025, 11:34 PM

#

no worries. we are always happy to help.

#lewis_personalize-succes-page-for-ece-with-payment-intent-api