#mtliendo - charges
Hello. Any particular reason you are using the Charges API? Is it in a legacy system? We recommend using PaymentIntents now.
Ah! Then that answers that haha. I was just browsing through a blog post and came across it.
Got it
What type of payments do you want to accept?
One-time or subscriptions?
And do you want a custom payment page hosted on your site, or a Stripe-hosted payment page?
A Stripe-hosted payment page that takes in both one-time payments as well as subscriptions. I typically use the hosted checkout solution but when setting up a webhook, it seems I'm limited in how I can verify the webhook signature.
Stripe passes it on a specific header, but I wish I could tell it to put it on the Authorization header instead--which led me to explore other API calls that were both secure but didn't need a webhook.
Webhooks are recommended because they protect against all kinds of issues like browser crashes, etc.
Why does the header that the signature is provided in matter?
I'm not using a REST API, but a GraphQL API (AppSync), which means all the endpoints are protected. To call it from an external source like Stripe, I can either pass an API key, or I can inspect an authorization header.
Ah, I see. Unfortunately, with webhooks, the best way is to use an endpoint that is publicly accessible and then protect it by verifying the webhook signature.
I'm not familiar with GraphQL APIs, but is there no way to disable that auth header check for 1 endpoint?
There's not. The entire API is a single POST endpoint, my-api.com/graphql. I can set up a REST API and forward the request to it, but now I'm paying for and managing 2 APIs.
Maybe a feature request: Allow developers to specify which header the webhook secret lives on.
Sure, I can pass along this note.