Webhooks are Stripe's primary mechanism for notifying your application about events in real-time. Effectively managing these webhooks is crucial for building a robust and responsive payment system. This section outlines best practices to ensure your Stripe webhook handling is secure, reliable, and maintainable.
- Secure Your Webhook Endpoint: Always verify the signature of incoming Stripe webhooks. This ensures that the request genuinely originates from Stripe and hasn't been tampered with. Stripe signs each webhook with your webhook signing secret, which you can find in your Stripe dashboard. Your Next.js application should use this secret to verify the signature before processing the event.
import { buffer } from 'micro';
import Stripe from 'stripe';
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);
export default async (req, res) => {
if (req.method === 'POST') {
const buf = await buffer(req);
const sig = req.headers['stripe-signature'];
let event;
try {
event = stripe.webhooks.constructEvent(buf, sig, process.env.STRIPE_WEBHOOK_SECRET);
} catch (err) {
console.log(`Webhook signature verification failed.`, err.message);
return res.status(400).send(`Webhook Error: ${err.message}`);
}
// Handle the event
switch (event.type) {
case 'payment_intent.succeeded':
const paymentIntent = event.data.object;
console.log(`PaymentIntent for ${paymentIntent.amount} was successful!`);
// Then define and call a function to handle the successful payment intent.
// handlePaymentIntentSucceeded(paymentIntent);
break;
case 'charge.succeeded':
const charge = event.data.object;
console.log(`Charge for ${charge.amount} was successful!`);
// Then define and call a function to handle the successful charge.
// handleChargeSucceeded(charge);
break;
// ... handle other event types
default:
console.log(`Unhandled event type ${event.type}`);
}
// Return a 200 response to acknowledge receipt of the event
res.json({ received: true });
} else {
res.setHeader('Allow', 'POST');
res.status(405).end('Method Not Allowed');
}
};- Respond Quickly with 200 OK: As soon as you receive a webhook, respond with a 200 OK status code to acknowledge receipt. This tells Stripe that your endpoint received the event successfully. Perform any heavy processing or business logic asynchronously.