Stripe Billing
Pathrule2 Rules • 2 Memories • 1 Skill
Rules, memories, and a review skill for adding Stripe billing to a product. Pre-scoped to your Stripe API routes and serverless functions so your AI assistant verifies webhook signatures, keeps handlers idempotent, and picks the correct payment API.
Suggested path map
Pathrule places each piece on the matching path, so your assistant only sees it where it belongs. This is the scoping you get on import; you can adjust it in your workspace.
/ workspace root
stripe-integration-review
api/
stripe/
Always verify webhook signatures
Webhook handlers must be idempotent
Checkout Sessions vs PaymentIntents
supabase/
functions/
Stripe secret handling
Rules
2Always verify webhook signatures/api/stripehighstrictReject any webhook whose Stripe signature does not verify.
| 1 | Verify the `Stripe-Signature` header with the endpoint secret, using the raw request body, before trusting any field. |
| 2 | |
| 3 | - Never act on an unverified event. |
| 4 | - Read the webhook secret from server config, not from the request. |
| 5 | - Return `400` on verification failure. |
Webhook handlers must be idempotent/api/stripehighadvisoryThe same event can arrive more than once; handle it safely.
| 1 | Stripe delivers at least once, so the same event can arrive more than once. |
| 2 | |
| 3 | - Record processed event IDs and skip duplicates, or make the side effect idempotent (upsert by a stable key). |
| 4 | - Do slow work outside the request and return `2xx` quickly so Stripe does not retry a successful delivery. |
Memories
2Checkout Sessions vs PaymentIntents/api/stripeDefault to Checkout; reach for PaymentIntents for custom flows.
| 1 | Default to Stripe Checkout; reach for PaymentIntents only for fully custom flows. |
| 2 | |
| 3 | - Checkout handles SCA, tax, and the payment UI for subscriptions and standard one-time payments. |
| 4 | - Use PaymentIntents with the Payment Element when you need a custom in-app flow. |
| 5 | - Drive entitlements from webhook events, not the client redirect result. |
Stripe secret handling/supabase/functionsSecret key and webhook secret live in server env, never the client.
| 1 | Secret key and webhook signing secret live in server-side env only. |
| 2 | |
| 3 | - Only the publishable key is client-safe. |
| 4 | - In edge or serverless functions, verify the caller and the webhook signature before any billing action. |
Skills
1stripe-integration-review/rootChecklist for reviewing a Stripe billing change.
| 1 | --- |
| 2 | name: stripe-integration-review |
| 3 | description: Review a Stripe billing change for security and correctness. |
| 4 | --- |
| 5 | |
| 6 | # Stripe integration review |
| 7 | |
| 8 | - [ ] Webhook signature verified against the raw body before any logic |
| 9 | - [ ] Handler is idempotent (dedupe by event ID or idempotent side effect) |
| 10 | - [ ] Entitlements are driven by webhook events, not the client redirect |
| 11 | - [ ] Secret key and webhook secret are server-side only |
| 12 | - [ ] Correct API chosen (Checkout for standard, PaymentIntents for custom) |
| 13 | - [ ] Amounts and currency handled in minor units, no float math |
| 14 | - [ ] Handler returns 2xx fast and offloads slow work |
Why this pattern
Billing code trusts unverified webhooks or double-applies retried events, causing security holes and wrong charges.
Built for teams adding subscriptions or payments with Stripe.
Keeps your assistant from:
- Acting on a webhook before verifying its signature
- Non-idempotent handlers that double-process retried events
- Driving entitlements from the client redirect instead of webhooks
- License
- Apache-2.0
- Version
- 1.0.0
- Updated
- 2026-06-09