#kbjohnson90-checkout-redirect

@frank badger that almost always happens because you are mixing up API keys. You're using the Secret API key of one account to create the session and then you redirect with the Publishable API key of another ccount

If you use Connect it's likely because you don't initialize Stripe.js properly

If you share a bit more details I should be able to help

Does the Account ID substitute for the secret key in this case? I'm not seeing the secret key being used.

\Stripe\Checkout\Session::create(
  $args,
  [
    "stripe_account" => "acct_*********",
  ]
);

I've tried refactoring to use the secret key of the connected account directly, but am getting the same error.

$stripe = new \Stripe\StripeClient(SECRET);
$stripe->checkout
       ->sessions
       ->create($args);

I've confirmed that the secret key is the value that I expect and have confirmed that the session ID created matches the sessions ID used in the Checkout Redirect for the payment page.

Is there some way in my Stripe account that I can check the secret key of the Connect account? I am assuming that the secret that I have is correct, but I also don't see how to confirm that assumption in my account.

Does the Account ID substitute for the secret key in this case? I'm not seeing the secret key being used.
you're setting your secret key (presumably) when you initialize Stripe PHP in your backed

the acct_123 Connect account ID allows you to make API requests on that Connect account, it isn't a substitute for the API key

I've tried refactoring to use the secret key of the connected account directly

please don't do that

that is highly not recommended and will only give you more trouble down the line

I'll roll that change back then 😅

Is there some way in my Stripe account that I can check the secret key of the Connect account?
so yeah you're going down a rabbit hole you should not, your actual issue is somewhere else to fix, let me explain

let's start here

how are you redirecting to Checkout?

Using stripe.redirectToCheckout() method, passing the session ID.

Inspecting the network requests, I was able to confirm that the secret key returned during the Connect process is the same secret key being used in initializing Stripe.

ok so

how are you initializing Stripe.js on your webpage

that is what I think is the problem here

alternatively

you dont' need to use redirectToCheckout

when you create the CheckoutSession, it has a url field

so you can just redirect to it there

Stripe JS is initialized using an inline script, passing the publishable key and the account ID.

stripe = Stripe( '<?php echo $publishable_key; ?>', {
  'stripeAccount': '<?php echo $stripe_account_id; ?>'
} );

and then redirecting

stripe.redirectToCheckout({
  sessionId: '<?php echo $session_id; ?>'
})

is the publishable key of the Platform account?

The publishable key matches the value returned during the Stripe Connect flow (stripe_publishable_key_test)

The https://checkout.stripe.com/pay/ url listed in a dump of the session doesn't match the real URL redirected to. The session ID matches in both versions of the URL, but the value after the # is different.

yeah that is the incorrect part

you're using the Connect acct key

that is wrong

you need the Platform's publishable key

basically, ignore the keys you get in Stripe OAuth flow

also

The https://checkout.stripe.com/pay/ url listed in a dump of the session doesn't match the real URL redirected to. The session ID matches in both versions of the URL, but the value after the # is different.
them being diff is fine

just use the url you get back in the Session object

Hm... Not recognizing a platform publishable key.

I'll mention that this is a distributed codebase (WordPress plugin) and a partner account.

Does that change anything?

ah well.... it does and does not

🙂

what is your plugin approach, you're using OAuth to connect to new Stripe accounts right

Correct.

We have a "Connect to Stripe" button within the admin interface.

so in that case, you use my approach that I recommended, i.e.

Platform secret / publishable key
+
Stripe-Account header

https://stripe.com/docs/connect/authentication

now to your most recent question

Hm... Not recognizing a platform publishable key.
what does that mean? like any errors? what is the issue

and

why won't you go with my easier advice lol

just use the url you get back in the Session object
just saying

Using the url returned by the session, instead of using redirectToCheckout() with the session ID, would be a significant refactor for this codebase.

ok so

DM me how you initialized Stripe.js with full unredacted publishable key and Stripe Account ID

they are public so fine to share but still don't paste here

just DM me

so I can look

ok so can you share a test mode CheckoutSession ID?

looked at the two you sent, those look fine

wondering if you're using the "Connect OAuth" API keys in your CheckoutSession creation

cs_test_a1kAPC0omFgZPyMHedU22FNt2nWsd7FSfyOPRdVnZEjDLMbQD5IWnBaLh9

ok so your server-side code and client-side code seems to be initialized correctly

I'm gonna talk through some stuff to see if there is something I missed

is there a request ID from when you call redirectToCheckout() ?? and what is the error you get?

stripe.redirectToCheckout (JS) returns a promise with a state of pending.

are you await 'ing that promise

or chaining a then() to it

Chaining a then().

I'll be stepping away but a colleague is joining
feel free to ask them qs

Thank you for your time - I very much appreciate it.

Hello! Catching up...

To clarify, this is a solution that we have been using for a while now. We process a lot of transactions through Stripe.

We haven't made any changes in the past couple of months, but are now getting reports that the Checkout Redirect is resulting in an error.

When exactly did this start to happen?

The report came in about 6 hours ago.

Looking at GitHub, I don't think that we have touched this part of the codebase in 4 months.

Is it happening for every Checkout Session or just some?

As far I can tell all Checkout Sessions. We have a customer report and I have been able to reproduce the issue locally, consistently.

Is this happening in test mode only, or also in live mode?

Just tried Live for the first time, which works as expected. Therefor, I would say it has only been using Test keys.

Okay, I found one of the error requests: https://dashboard.stripe.com/test/logs/req_a0NoPaGQmAuyp5

Does that link work for you?

No. No request log found with the specified ID.

Ah, you must be logged in to a different account.

Can you switch to the account with the ID ending in oXI and try the link again?

Looks like the correct account, as far as I can tell.

It does look like you're using the wrong publishable key, which belongs to a completely different account which ends with usL.

Are you able to see an account name on that? Or is there a place in the dashboard that lists the account ID?

Go here and scroll to the bottom: https://dashboard.stripe.com/settings/user

Ah, ok. Thanks.

I'm not seeing an account ending in usL.

Also, I can confirm that I was attempting to view the log using the account ending in oXI.

Can you see this request? https://dashboard.stripe.com/test/logs/req_76h4U8vNwEOONd

Yes, I can see that one.

Hm, I guess we don't show these requests in the Dashboard... probably because they come from Checkout itself I suppose. Hang on...

So the publishable key you're using is the one that ends with xE1i, correct?

Correct. The publishable key that I am using ends with xE1i.

That publishable key belongs to the account ending in usL, which is why it's not working.

Ah, ok. Hm... That is the publishable key returned by the OAuth connection request.

Or perhaps it is coming from our own connect server? Hm.

I'll have to look into that.

That is the publishable key returned by the OAuth connection request.

I do not think this is the case.

If it was the case I think it would work.

Then perhaps there is an issue with our connect server.

That is the key that I'm getting, but it may be what is sent by the middle man.

Yeah, I think whatever is sending you that key is sending the wrong thing.

Thanks for your help! I really appreciate it.