Payments with Stripe

Go to stripe.comand sign up. You'll need to complete identity verification, which takes 1–2 business days. Don't wait around for it — you can start building in test mode immediately while verification processes. Test mode is fully functional with its own API keys, products, and data. No real money moves until you explicitly go live.

There's a toggle in the top-right of the dashboard that switches between test and live mode. These are completely separate environments — different API keys, different products, different transaction data. Build everything in test mode first. Test mode keys start with sk_test_ and pk_test_. Live keys start with sk_live_ and pk_live_. Only switch to live when you're ready for real payments.

Go to Products > Add Productin the dashboard. Give it a name, description, and image. Then add a price — either one-time or recurring (for subscriptions). Each price gets a unique ID that looks like price_xxx. This is what you reference in your code when creating Checkout Sessions.

Create test mode products that mirror exactly what you plan to sell. A product can have multiple prices — different tiers, different billing intervals, different currencies. The dashboard is your source of truth for pricing, not your codebase.

Go to Developers > API Keys. You need two keys. The Secret Key(starts with sk_) is for server-side code only — never expose this in the browser or in any NEXT_PUBLIC_ environment variable. The Publishable Key (starts with pk_) is safe for client-side code.

Copy both test mode keys first. Add them to your .env.local file as STRIPE_SECRET_KEY and STRIPE_PUBLISHABLE_KEY. You'll swap these for live keys later when you go to production.

Run npm install stripe in your project. Then create a Stripe client file at lib/stripe.tsthat imports Stripe, initializes it with your secret key from environment variables, and exports the client. Use the latest API version. This file is server-side only — never import it in a client component.

This is the core integration. Create an API route (e.g., app/api/checkout/route.ts) that creates a Checkout Session. The session needs: line_items (your price IDs and quantities), a success_url where the customer lands after paying, a cancel_url where they go if they bail, and a mode("payment" for one-time, "subscription" for recurring).

Your frontend calls this API route, gets back a session URL, and redirects the user to it. Stripe hosts the entire payment page — card inputs, validation, Apple Pay, Google Pay, all of it. After payment, the customer redirects back to your success URL. You can include {CHECKOUT_SESSION_ID} in the success URL to retrieve session details on the success page.

Webhooks are how Stripe tells your app that something happened — a payment succeeded, a subscription was canceled, a refund was issued. Go to Developers > Webhooks > Add endpoint. Set the URL to your webhook route: https://yourdomain.com/api/webhook.

Select the events you care about. At minimum: checkout.session.completed and payment_intent.succeeded. For subscriptions, also add customer.subscription.updated and customer.subscription.deleted. After creating the endpoint, Stripe gives you a webhook signing secret (starts with whsec_). Save this as STRIPE_WEBHOOK_SECRET in your environment variables.

Create an API route at app/api/webhook/route.ts. This route needs to: read the raw request body(not parsed JSON — the signature verification needs the raw bytes), verify the signature using your webhook signing secret, parse the event, and handle it based on the event type.

For checkout.session.completed, this is where you grant access to whatever the customer bought — update the database, send a confirmation email, deliver a digital product. This webhook is your single source of truth for whether a payment succeeded. Don't rely on the success page redirect alone — customers can close the browser before it loads.

Stripe provides test card numbers. Use 4242 4242 4242 4242 for a successful payment and 4000 0000 0000 0002 for a declined card. Any future expiry date works. Any 3-digit CVC works.

Test the complete path: click buy, go through checkout, enter the test card, complete payment, verify the webhook fires, confirm the database is updated, check that the confirmation email sends, and land on the success page. Then test the decline path — make sure the user sees a clear error and can retry.

Card declines should show a friendly error message, not a stack trace. Duplicate webhooksare the biggest gotcha — Stripe retries failed webhook deliveries, so your handler must be idempotent. Before granting access, check if you already processed this session ID. Use the session ID as a unique key in your database.

Also handle: expired sessions (Checkout Sessions expire after 24 hours), refunds (listen for charge.refundedevents and revoke access), and partial failures (webhook received but email failed to send — log the error, don't throw).

Switch to live modein the dashboard. Create the same products and prices in live mode — the IDs will be different from test mode. Update your environment variables with live API keys (sk_live_, pk_live_). Add a new webhook endpoint for your production URL with the live signing secret.

Do a real test: charge yourself $1using a real card, verify the webhook fires, confirm the product is delivered, then refund the charge. This catches issues that test mode can't — like domain verification and payment method availability in your country.

Install the Stripe CLI: brew install stripe/stripe-cli/stripe. Run stripe login to authenticate. Then forward webhooks to your local server: stripe listen --forward-to localhost:3000/api/webhook.

The CLI prints a temporary webhook signing secret for local testing — use this as your STRIPE_WEBHOOK_SECRET during development. This is essential for testing the webhook flow without deploying. You can also trigger test events with stripe trigger checkout.session.completed.