Stripe
Stripe is a payment processing platform with APIs for accepting payments, managing subscriptions, handling payouts, Connect marketplaces, and fraud prevention.
Documentation
Best Practices
- •Use PaymentIntents, not Charges — the Charges API and Sources API are legacy. Always use PaymentIntents (or Checkout Sessions) for new integrations. Agents default to Charges; this pattern is deprecated.
- •Use Payment Element, not Card Element — the Payment Element is the current recommended frontend component. The Card Element is older and handles fewer payment methods. Agents often reach for Card Element.
- •Webhook signature verification is mandatory — always verify webhooks with
stripe.webhooks.constructEvent(rawBody, sig, secret). Skipping verification means any attacker can send fake events. This is a security-critical step agents frequently omit. - •Webhooks require the raw request body — do not parse the body with
express.json()or equivalent middleware before the webhook handler. The signature check needs the raw buffer, not a parsed object. Applying a body parser upstream silently breaks verification. - •Add idempotency keys to mutations — pass
{ idempotencyKey: 'unique-key' }on PaymentIntent creation and other write operations to prevent duplicate charges on network retries. Agents almost never include these. - •Never hardcode
payment_method_types— omit the parameter to let Stripe dynamically show the optimal payment methods for each customer's location and wallet. Hardcoding limits international acceptance unnecessarily.