Securing Stripe webhooks without authentication

The plot thickens

I agree with that. It’s for sure a risk - whether it’s worth it to secure the webhook isn’t obvious.

For what it’s worth, I’m currently sticking to the event + time check method with IP validation as I know that there’s no way for clients to get an event ID in basically all of my apps + client apps.


It was formerly there and was removed during an update to our API documentation. However, we will be adding the capability of this url parameter back into our documentation, so you should be able to see it there soon.


Hi @georgecollier,

Thanks for the detailed explanation! I do have a question though. What does the “only when” for “terminate this workflow” look like?

I know I should terminate it if no event could be found, but how to craft that conditional, I don’t know.

Would “result of step 1’s body id :is empty” work?

Your assistance would be greatly appreciated!

“Only when result of step 1’s returned an error is ‘no’” should do the trick (the ‘check event’ API call needs the ‘headers’ and ‘continue workflow’ checkboxes enabled in the API Connector).

Do you know whether or where this got published in the Bubble manual? I don’t find it.

Great post! Thank you so much.

I tried this with LemonSqueezy and it seems to work just fine. Was wondering if there is anything LemonSqueezy specific to note?

I heard LemonSqueezy was built on top of Stripe (not sure if true). Also, I don’t mean to hijack this thread. I can delete this if you want to keep it to Stripe only.

Thanks either way!

Do you need to expose the endpoint to use the webhook as only a trigger? If I don’t want to expose any endpoints at all, could I just refetch at certain intervals? It’s concerning that Bubble only allows you to generate a single type of API token (full admin access to everything) rather than dynamically allowing only limited access.

If the endpoint is not publicly accessible, Stripe can’t send requests to it. The solution is easy: don’t use the admin token for Stripe webhooks and use only the data that you fetch from Stripe using the API Connector.


Yep that’s what I think I’ll do using recurring workflows. Thanks!
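The two approaches discussed in this thread, the “webhook as a trigger only” method (re-fetch the event by ID from Stripe, check that it is recent, check the source IP) and the polling alternative that needs no inbound endpoint, as an added example in Python that is not from this thread, from Bubble or from Stripe. `StripeEventsClient`, `FAKE_STRIPE_EVENTS`, `STRIPE_WEBHOOK_IPS`, `verify_webhook_trigger` and `poll_new_events` are all hypothetical names constructed for the example; the IP list and event store are fixtures standing in for Stripe’s published webhook IP list and the `/v1/events` endpoint, so the block runs offline. In production the two client methods become authenticated HTTPS calls made with your own Stripe key, which is the whole point: the posted body is never trusted, only what Stripe returns for that ID.

```python
import ipaddress

# --- Constructed fixtures (not real Stripe data) -------------------------------
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Stand-in for Stripe's published webhook source IPs (TEST-NET-3 placeholders).
# In production load the list Stripe publishes; do not hard-code it like this.
STRIPE_WEBHOOK_IPS = {ipaddress.ip_address(ip) for ip in ("203.0.113.10", "203.0.113.11")}

# Stand-in for Stripe's event store, i.e. what GET /v1/events/{id} would return.
FAKE_STRIPE_EVENTS = {
    "evt_test_recent": {"id": "evt_test_recent", "type": "invoice.paid", "created": NOW - 30,
                        "data": {"object": {"id": "in_test_1", "amount_paid": 4900}}},
    "evt_test_stale": {"id": "evt_test_stale", "type": "invoice.paid", "created": NOW - 7200,
                       "data": {"object": {"id": "in_test_2", "amount_paid": 1200}}},
}


class StripeEventsClient:
    """Hypothetical minimal Stripe client backed by the dict above. Replace both
    methods with real authenticated HTTPS calls (API Connector, stripe-python);
    the verification and polling logic below does not change."""

    def __init__(self, store):
        self._store = store

    def retrieve_event(self, event_id):
        # Models GET /v1/events/{id}; None models a 404 from Stripe.
        return self._store.get(event_id)

    def list_events(self, created_gte):
        # Models GET /v1/events?created[gte]=...; oldest first.
        return sorted((e for e in self._store.values() if e["created"] >= created_gte),
                      key=lambda e: e["created"])


def verify_webhook_trigger(client, remote_ip, payload, seen_ids, now=None, max_age_s=300):
    """Use the unauthenticated webhook only as a trigger.

    Returns the event as fetched from Stripe (never the posted body), or None if
    the request fails any check: source IP not allow-listed, no plausible event
    ID in the body, event unknown to Stripe, event older than max_age_s, or
    event ID already processed (a real ID replayed inside the window would
    otherwise pass the time check).
    """
    now = NOW if now is None else now
    try:
        if ipaddress.ip_address(remote_ip) not in STRIPE_WEBHOOK_IPS:
            return None
    except ValueError:  # unparsable address header
        return None
    event_id = payload.get("id") if isinstance(payload, dict) else None
    if not isinstance(event_id, str) or not event_id.startswith("evt_"):
        return None
    event = client.retrieve_event(event_id)  # authoritative copy, fetched with our own key
    if event is None or now - event["created"] > max_age_s:
        return None
    if event_id in seen_ids:
        return None
    seen_ids.add(event_id)
    return event


def poll_new_events(client, state, now=None, lookback_s=600, overlap_s=60):
    """Polling alternative with no inbound endpoint at all.

    `state` persists between runs: {"last_created": int, "seen": set}. The query
    window overlaps the previous one by overlap_s so an event created just before
    the last poll is not missed; `seen` keeps the overlap from producing duplicates.
    Returns the events not seen before, oldest first.
    """
    now = NOW if now is None else now
    seen = state.setdefault("seen", set())
    since = state.get("last_created", now - lookback_s) - overlap_s
    fresh = []
    for event in client.list_events(created_gte=since):
        if event["id"] in seen:
            continue
        seen.add(event["id"])
        state["last_created"] = max(state.get("last_created", 0), event["created"])
        fresh.append(event)
    return fresh


if __name__ == "__main__":
    client = StripeEventsClient(FAKE_STRIPE_EVENTS)
    seen = set()
    print(verify_webhook_trigger(client, "203.0.113.10", {"id": "evt_test_recent"}, seen))
    print(verify_webhook_trigger(client, "203.0.113.10", {"id": "evt_test_recent"}, seen))  # replay
    state = {"last_created": NOW - 600, "seen": set()}
    print([e["id"] for e in poll_new_events(client, state)])
```

The `seen_ids` set is the one thing the thread’s “event + time check” does not mention: a genuine event ID captured once can be resent inside the time window, so idempotency on the event ID belongs alongside the freshness check. For the polling variant, the `state` dictionary is what a recurring Bubble workflow would persist between runs.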