I'm building a "multiplatform" solution where each user could have it's "shop" and receive the founds directly on their stripe accounts.
So each user when creates it's shop provides public and secret stripe key which are stored on the server and used when some payments are made.
The problem comes when i have to use the webhooks where i have to verify the user webhook endpoint secret, i can't ask the users to provide and store the WH endpoint key...
(I use the webhook to send the order in preparation once the payment charge is succeeded)
So i was wondering if there was a way to manually verify the webhook signature without using the endpoint secret, i saw that here is possible manually verify signature but anyway i have to use the endpoint’s signing secret as key..
It's not possible to verify Stripe webhook event payloads without a webhook signing secret.
However, it sounds like your use case fits Connect quite well, and a Connect webhook endpoint may work for your needs.
Connect webhooks will receive events from all connected accounts, and will avoid the need to manage individual webhook endpoints and secrets for each account.
Related
I have just started implementing a webhook provider, where clients can register by providing their webhook address.
Most of the concepts are clear to me, and as I understood from various sources - we need to implement an HMAC based authentication to validate the authenticity and integrity of the message.
What is not clear to me though is, when and how can we share the secret that we need to use to sign the request (and eventually the client to verify the signature) with the clients? Do we share it as a response when they create the webhook - are there any recommended ways? This part is not very well defined anywhere.
I want to use Envelope-level webhook with HMAC Security for notification, I found in the eventNotification object, a field 'includeHMAC' and for using this I need to setup a HMAC keys in connect page. I have generated a new key, but in the doc https://developers.docusign.com/platform/webhooks/connect/setting-up-hmac/
there are steps which asks to include the HMAC signature in connect configuration, I understand this is required if I want to use account-level webhook, for envelope level webhook do I need to create a custom configuration for HMAC security, or generating the key itself is enough?
Yes, HMAC codes (signatures) can be included for envelope-level connect webhooks.
To do so, set the includeHMAC attribute to true in the eventNotification object of the Envelopes:create API call. See the docs
However, you need to set up the HMAC keys (secrets) using the Connect section of the eSignature Admin tool. So that means that the account needs to have the Connect feature enabled.
You do not need to set up an account-level Connect configuration.
We have an internal enhancement request CONNECT-2406 to enable the HMAC secrets screen to be available to all customers. Please ask your DocuSign contacts to add your information to that ticket.
Recommended: you can also raise this as an issue via https://feedback.docusign.com
HMAC alternative
The main alternative to using HMAC to authenticate the webhook notification message is to use Mutual TLS.
Also
The OP asks:
Is it possible to enable this via esignature api for every account that uses my integration (app created from the Apps & Keys) and generate the HMAC keys programmatically.
Unfortunately the API for managing HMAC keys is not public.
But you can add your vote to change this! See this DocuSign feedback item
I have a website that takes card payments using Stripe. Currently it uses the checkout API, but I am upgrading it to use the SCA API, and PaymentIntents.
I am concerned however that it appears that the PaymentIntents API requires you to present your secret key in order to create the session.
As I don't have my own servers, and am using hosted environments, I don't really want to place a secret key on these.
Indeed Stripe themselves say "Secret API keys should be kept confidential and only stored on your own servers. Your account’s secret API key can perform any API request to Stripe without restriction."
I have engaged with Stripe support, and they appear to be saying that yes, you can't use a restricted key, you have to use the secret key, but I don't like this!
Am I missing something, or going about it the wrong way? Has anyone got PaymentIntents working without the secret key?
I am using angular.js for Stripe Integration.
I found a couple of libraries for anuglar.js but I think they don't provide features.
This is what I am trying to do on angular.js using Stripe API for subscription payment.
Create Customer.
Add credit card information on this customer.
Add customer with subscription plan.
Check customer's subscription is expired or not.
If expired, renew subscription.
Does stripe.js will handle this?
What libraries should I use? if not, is it possible using standard $http.post for stripe API?
Looking forward your help.
A payment flow with Stripe is divided in two parts:
client-side, in your frontend code, you collect and tokenize the customer's payment information using Stripe.js or Checkout. You then send the token to your server
server-side, in your backend code, you use the token in an API request, e.g. to create a charge or a customer
Except for token creation requests, all other API requests need to be sent using your secret API key, so you can't do this from your frontend code without revealing the secret API key, which you definitely don't want to do (because then anyone could retrieve it and use it to send API requests on your behalf).
We have a situation where our users will be logging into Paypal and then paying other people from their Paypal account via our dashboard. We have the connection setup to retrieve refresh & authTokens for them via simple-oauth2 module. What I don't see is how to utilize a token in the Paypal Node SDK. It seems to only support client id and secret configurations.
Is there a way to utilize the paypal.configuration with an authToken instead?
Should we be using the REST APIs directly instead of the SDK?
You cannot directly transfer amount to other people account.
You firstly need to transact it into your own buisness account and then you can transfer it to any other person account.