I’m listening to Stripe events (namely checkout session completed) via a webhook (i.e. backend workflows).
Is it okay to check all these boxes? Any security/privacy concerns? Thanks!
I’m afraid if i disable one of these, something might not work.
EDIT: Authentication does need to be switched off (as you have to use other methods to secure the endpoint with Stripe Webhooks).
This post discusses it http://forum.bubble.io/t/stripe-webhook-in-bubble-big-vulnerability-to-all-apps-that-use-them/134030/27
You have to find out what you are personally comfortable with, and balance effort to implement vs what the risks are.
For me, checking that the source IP address matches any of Stripe's IP addresses is low effort to implement and reduces a lot of risk …
Good luck!
Thanks guys. I disabled the 2nd checkbox and the webhook failed.
It seems that I need to enable authentication, but I can’t find info on how to do this. Do you know of any writeup on this? Thanks!
As I’m sure @lindsay_knowcode meant to say (and as you’ve discovered for yourself), the ‘This workflow can be run without authentication’ box must be checked for a Stripe webhook to work (not unchecked)…
So it’s up to you to validate the webhook on your end using the Stripe signature provided in the webhook header:
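The signature check described above, as an added example that is not part of the original thread or Bubble's own tooling: Stripe sends a `Stripe-Signature` header of the form `t=<timestamp>,v1=<hex HMAC>`, where the HMAC-SHA256 is computed with your endpoint secret over `"<timestamp>.<raw body>"`. The secret, event body and timestamp below are constructed placeholders.

```python
import hmac
import hashlib
import time
from typing import List, Optional, Tuple

# Constructed sample endpoint secret (not a real Stripe whsec_ value).
ENDPOINT_SECRET = "whsec_example_secret_for_demo_only"
TOLERANCE_SECONDS = 300  # Stripe's recommended replay window


def sign_payload(payload: str, timestamp: int, secret: str) -> str:
    """Compute the v1 signature Stripe puts in the Stripe-Signature header."""
    signed = f"{timestamp}.{payload}".encode()
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=...,v1=...' into the timestamp and every v1 signature present."""
    timestamp = None
    v1_sigs = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            v1_sigs.append(value)
    if timestamp is None or not v1_sigs:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, v1_sigs


def verify_webhook(payload: str, header: str, secret: str,
                   now: Optional[int] = None) -> bool:
    """Return True only if a v1 signature matches and the timestamp is fresh."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, v1_sigs = parse_signature_header(header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # replayed or badly delayed event: reject it
    expected = sign_payload(payload, timestamp, secret)
    # compare_digest keeps timing independent of how many bytes match
    return any(hmac.compare_digest(expected, sig) for sig in v1_sigs)


# Constructed example event; the RAW body must be verified before parsing it.
EVENT_BODY = '{"id":"evt_demo","type":"checkout.session.completed"}'
EVENT_TIME = 1700000000
GOOD_HEADER = f"t={EVENT_TIME},v1={sign_payload(EVENT_BODY, EVENT_TIME, ENDPOINT_SECRET)}"
```

Terminate the workflow whenever `verify_webhook` returns False; any change to the body, the secret, or a stale timestamp fails the check.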
Whoops typo … sorry about that … cheers @adamhholmes
Oh right, thanks for that! So all 3 checkboxes need to be ticked to work properly, but we need to validate the webhook manually in the workflow.
Was just setting up some webhooks for the first time in a long time and had the errors.
After reading the forum threads, and deciding I don’t want to authenticate the way Stripe suggests with their own libraries etc. (I’m a NoCoder for Apps Sake!), I decided I will add a bit of metadata to my checkout session API calls that will be the ‘api token’ that I create. The metadata parameters will be private (ugghhh, I wish I could be my four year old son who whipped it out in the middle of the restaurant to relieve himself, and not have to worry about Privacy Concerns).
When I have the webhook, I will in the backend workflow first verify that the metadata api key matches the value…if not, TERMINATE WORKFLOW!
How are you hiding the token you send from the user’s client during the checkout session?