Payment confirmation redirect: GET query string?


EML

Jan 26, 2023, 12:26:14 PM
to Stripe API Discussion
When stripe.confirmPayment redirects back to the return_url on payment completion, it adds 3 GET query parameters to the URL:

  • payment_intent=xxx (the id)
  • payment_intent_client_secret=yyy
  • redirect_status=succeeded
'redirect_status' doesn't appear to be documented anywhere. I suppose it's pretty obvious that the status is 'succeeded', since the GET has arrived. Can I just ignore this parameter, or are there any other status codes that we should know about?

Remi J.

Jan 26, 2023, 12:31:58 PM
to api-d...@lists.stripe.com
Hello,

My advice is to not rely on anything undocumented so ignore `redirect_status`. Overall, we advise that you retrieve the PaymentIntent from the API [1] after the redirect if you need to confirm its status. If it were me, I'd store the PaymentIntent id in a cookie/session too instead of trusting the one on the URL since an attacker could always attempt to hit your return url with a different value in it!

Best,
Remi
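
An added example, not part of the thread and not Stripe's code: a return_url handler that follows the advice above by taking the PaymentIntent id from the server-side session, ignoring `redirect_status`, and reading the status from the API. The names `handle_return`, `FAKE_STRIPE`, `OUTCOMES`, the session key `payment_intent_id` and the injected `retrieve` callable are assumptions made for illustration, and the sample data is constructed.

```python
# Constructed stand-in for Stripe's API, keyed by PaymentIntent id (sample data).
# In a real handler `retrieve` would wrap a server-side call such as
# stripe.PaymentIntent.retrieve(pi_id) made with your secret key.
FAKE_STRIPE = {
    "pi_alice": {"id": "pi_alice", "status": "processing"},
    "pi_bob": {"id": "pi_bob", "status": "succeeded"},
}

# PaymentIntent statuses mapped to what the return page should show.
OUTCOMES = {
    "succeeded": "paid",
    "processing": "pending",
    "requires_payment_method": "failed_retry",
}


def handle_return(query, session, retrieve):
    """Decide the outcome for a hit on return_url.

    query    -- parsed GET parameters (attacker-controllable)
    session  -- server-side session; 'payment_intent_id' (hypothetical key)
                was stored when the PaymentIntent was created
    retrieve -- callable: PaymentIntent id -> PaymentIntent dict
    """
    expected_id = session.get("payment_intent_id")
    if not expected_id:
        return "no_checkout_in_session"

    # The URL id is only compared against the session, never used as the
    # lookup key, so a swapped-in id cannot select a different payment.
    if query.get("payment_intent") != expected_id:
        return "mismatch"

    # redirect_status is deliberately not read: the status comes from the API.
    intent = retrieve(expected_id)
    return OUTCOMES.get(intent["status"], "not_paid")


if __name__ == "__main__":
    # Constructed request: URL names a different, already-succeeded intent.
    forged = {"payment_intent": "pi_bob", "redirect_status": "succeeded"}
    session = {"payment_intent_id": "pi_alice"}
    print(handle_return(forged, session, FAKE_STRIPE.__getitem__))
```
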

