Reputation: 1673
I need to pass the Stripe Client Intent secret to JavaScript to execute some code. I am displaying it like this at the moment, but this is probably not a very secure way of passing the info.
<input type="hidden" id="intent_data_client_secret" value="{{ $intent_data_client_secret }}">
According to the Stripe documentation linked here: https://stripe.com/docs/payments/payment-intents#:~:text=The%20client%20secret%20can%20be,that%20includes%20the%20client%20secret.
The client secret can be used to complete the payment process with the amount specified on the PaymentIntent. It should not be logged, embedded in URLs, or exposed to anyone other than the customer. Make sure that you have TLS enabled on any page that includes the client secret.
What are some better ways of passing secure tokens to JavaScript?
Upvotes: 2
Views: 970
Reputation: 7419
This is actually a fine approach, and you can see an example of this under the "Server-side rendering" tab of the example integration guide.
Template:
<button id="card-button" data-secret="{{ client_secret }}">
  Submit Payment
</button>
Server code:
app.get('/checkout', async (req, res) => {
  const intent = // ... Fetch or create the PaymentIntent
  res.render('checkout', { client_secret: intent.client_secret });
});
The alternative would be what's in the same guide under the "single page application" tab, making a client-side request to your own backend/api to retrieve the secret for Payment Intent or Checkout Session:
Client:
var response = fetch('/secret').then(...)
Server:
app.get('/secret', async (req, res) => {
  const intent = // ... Fetch or create the PaymentIntent
  res.json({client_secret: intent.client_secret});
});
Upvotes: 5
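The following is an added example, not part of the answer above or of Stripe's guide: a dependency-free sketch of the `/secret` approach that follows the quoted guidance (not logged, not in URLs, only for the customer). It assumes the server stored the PaymentIntent id in `req.session.paymentIntentId` when checkout began, that `lookupIntent` and `log` are hypothetical helpers you inject, and that client secrets have the form `pi_<id>_secret_<random>`.

```javascript
// Added example. req.session.paymentIntentId, lookupIntent() and log() are
// assumptions for illustration; they are not Stripe or Express APIs.

// Assumed shape of a client secret: "pi_<id>_secret_<random>" ("seti_" for SetupIntents).
const CLIENT_SECRET_RE = /\b((?:pi|seti)_[A-Za-z0-9]+)_secret_[A-Za-z0-9]+/g;

// Mask the secret part before text reaches a log sink; the intent id stays for debugging.
function redactClientSecrets(text) {
  return String(text).replace(CLIENT_SECRET_RE, '$1_secret_[REDACTED]');
}

// GET /secret handler. The intent id comes from the server-side session, never
// from the query string, so one customer cannot request another's secret and
// no identifier ends up in a URL.
async function handleSecret(req, res, { lookupIntent, log }) {
  const send = (status, body) => {
    res.writeHead(status, {
      'Content-Type': 'application/json',
      'Cache-Control': 'no-store', // keep the secret out of browser and proxy caches
    });
    res.end(JSON.stringify(body));
  };

  const intentId = req.session && req.session.paymentIntentId;
  if (!intentId) {
    return send(401, { error: 'no checkout in progress' });
  }

  const intent = await lookupIntent(intentId);
  if (!intent) {
    return send(404, { error: 'payment intent not found' });
  }

  // Logging the whole object is a common way secrets leak; redact first.
  log(redactClientSecrets('served ' + JSON.stringify(intent)));
  return send(200, { client_secret: intent.client_secret });
}
```

The same `redactClientSecrets` filter applies to the server-rendered variant: run it over any request or template-context logging that might capture the rendered value.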