#Paul X - Checkout
Hi Paul. Just to clarify, are you creating a Stripe Checkout Session?
What do you mean by are the checkouts captured?
via
POST /v1/checkout/sessions
captured as in the payment goes through automatically without prompting for any verification
is that the expected behavior with a payment method already saved for the customer?
this is a bit unexpected since our system is wired in a way that anyone can send the customer a payment request, but normally without a saved payment method, the customer then visits the payment page and enters their credit card
however, we're seeing after saving the payment method, the stripe hosted checkout page automatically completes a charge against the saved payment method
There is an option on the Checkout page for users to save their payment info with stripe for faster checkouts: https://support.stripe.com/questions/using-link-with-stripe-to-save-your-payment-information
It essentially enables 1-click payments
Could this be what you're seeing?
Hm no i don't think so. Is it possible for me to share a payment intent id with you for debugging?
Yes that would help. Thanks
You're saying the charge is completed just by creating the Checkout Session? The user doesn't even visit the Checkout page?
That's what i'm trying to figure out right now
the intent id is pi_3KOjyNFMvsRFROsZ1uulvJPX
Ok will look into this
Thank you! this is a pressing issue for us since it could mean the customer's credit card is wired in a way that anyone can charge it automatically right now
@atomic lily isolated my question, would it be possible for anyone with access to the stripe hosted payment page to complete the checkout via saved payment method?
log is here https://dashboard.stripe.com/logs/req_WSs0FDniR3nyIL
what i mean by this is, if i share this payment page, can anyone complete the payment with a saved card?
i can't seem to reproduce this issue in dev mode
You can read the details here: https://support.stripe.com/questions/using-link-with-stripe-to-save-your-payment-information. If it's on the same device that you set up Link, then no verification will be needed to do a 1-click payment. However, if the payment is attempted on a new device, the customer will need to verify by a code sent to their mobile device
So, no not anyone can complete the payment with a saved card. They'd need to verify
https://stripe.com/docs/api/checkout/sessions/create#create_checkout_session-customer
I have to test this but does the hosted page pre-populate the payment method?
if the customer id is sent via POST /checkout/sessions call?
If they have Link enabled, then it will. It won't show the whole card though. Just the last 4 I believe
Their browser could also autofill
If they saved card details in their browser, then that could autofill the payment
Third party autofill is allowed: https://stripe.com/payments/checkout
Ah yeah ok. So i've verified that if the payment method has all billing information completed (address + email)
the stripe hosted page automatically prefills the card info
That's.. very unexpected
Can you share the payment intent of the one you just tested?
Yes
pi_3KOlLSFMvsRFROsZ0K0KXVOO
in test mode
the payment method is pre-filled completely
Maybe this is the intended behavior
I can't access the page. Can you share a screenshot of what the prefilling looks like? Trying to see if it's from the browser or Stripe. There are scenarios when we prefill. Just need to see exactly why it's happening in this instance
But to your original question about that checkout session in live mode. That particular checkout session prefilled due to the customer having set up link: https://support.stripe.com/questions/using-link-with-stripe-to-save-your-payment-information
I meant link was used with your original query (the live payment intent)
For this test mode one it's due to the scenario described here: https://stripe.com/docs/api/checkout/sessions/create#create_checkout_session-customer
Got it, so with customer id set, the payment page would automatically populate the payment method.
is there a way to disable this behavior?
Ie, i still want the customer id to be set, so that a new customer isn't created in stripe
Ah no. If this is already a customer that has paid on your site before, then there isn't a way to disable that prefill in Checkout
Ok thank you. Just to double clarify, this means if anyone gets access to the stripe hosted checkout session page, they can complete the checkout with pre-saved payment method*
without authenticating again
Much appreciate the help btw
Yes. Checkout session links expire after payment has been completed or after 24 hours though. Also, if you're being careful not to log the session links and you do server-side redirects as recommended in the docs, i don't know how someone would gain access to that checkout session page
Got it. ok thank you. That's a change we'll have to make on our end. Appreciate all the insights