stripe-payments

Why is there a "two way handshake" with Stripe PaymentIntents?


https://docs.stripe.com/api/payment_intents/create

Creates a PaymentIntent object.

After the PaymentIntent is created, attach a payment method and confirm to continue the payment. Learn more about the available payment flows with the Payment Intents API.

I was reading that, and it looks like you have to do two POST requests if I'm not mistaken. Why can't we just do one POST request? I asked ChatGPT, and it said security purposes, but I just wanted to confirm.


Solution

  • Some of this is conjecture, but I'm confident enough to post it as a response.

    It has to do with how payment method collection and Payment Intent creation cannot be made using the same approach.

    • Stripe only officially* allows you to collect payment method data from the client (with confirmPayment, createPaymentMethod, etc.). This is for security / PCI compliance reasons.
    • The Payment Intent cannot be created from the client - if it could, bad actors could manipulate the client to change anything about your Payment Intent - e.g. the amount.

    Because the Payment Intent creation and payment method collection have to be made on back and front ends respectively, you have to make two calls.

    *I mentioned "officially". Privately, Stripe supports MOTO flows, which allow you to pass raw payment method details directly from the backend.
    https://support.stripe.com/questions/mail-order-telephone-order-(moto)-transactions-when-to-categorize-transactions-as-moto
    This flow requires you to have a PCI compliant server and prove it with Stripe.
    I don't have access to the documentation on how to integrate MOTO, but I would suspect that because all of it can be done serverside, you could perform a single call for that flow.