Developer tools
Building plugins

Building Stripe plugins

When you’re developing Stripe plugins for open-source or self-hosted platforms, you should follow these best practices to safely process on Stripe. If you have questions along the way, you can reach out to

Follow these best practices to ensure that your users can safely process on Stripe’s platform without disruption as our API evolves:

You can also take a few steps to improve the quality of your plugin:

Identifying your plugin

You must provide some basic identifying information so that we can contact you about future issues or critical updates to the API. To do this, use setAppInfo with a hash containing the following options:

  • appName (required): your plugin’s name
  • partnerID (required for Stripe Verified Partners, optional otherwise): your Partner ID from the Partners section of the Dashboard
  • appVersion (optional): your plugin’s version
  • appUrl (optional): the URL for your plugin’s website with your contact details
Stripe.set_app_info( 'WordPress MyStripePlugin', partner_id: 'pp_partner_1234', # Used by Stripe to identify your plugin version: '1.2.34', url: '' )
stripe.set_app_info( 'WordPress MyStripePlugin', partner_id='pp_partner_1234', # Used by Stripe to identify your plugin version='1.2.34', url='' )
\Stripe\Stripe::setAppInfo( 'WordPress MyStripePlugin', '1.2.34', '', 'pp_partner_1234' // Used by Stripe to identify your plugin );
Stripe.setAppInfo( "MyAwesomePlugin", "1.2.34", "", "pp_partner_1234" // Used by Stripe to identify your plugin );
stripe.setAppInfo({ name: "WordPress MyStripePlugin", partner_id: "pp_partner_1234", // Used by Stripe to identify your plugin version: "1.2.34", url: "" });
stripe.SetAppInfo(&stripe.AppInfo{ Name: "WordPress MyStripePlugin", PartnerID: "pp_partner_1234", // Used by Stripe to identify your plugin Version: "1.2.34", URL: "", })
StripeConfiguration.AppInfo = new AppInfo { Name = "MyStripePlugin", PartnerId = "pp_partner_1234", // Used by Stripe to identify your plugin Url = "", Version = "1.2.34", };

Setting the API version

Your plugin should use the setApiVersion function, which will set the Stripe-Version HTTP header on all requests. Your users will use their own API keys to access Stripe, but this header will be included with every request. We recommend that you use the most recently published version of the API. The current API version and details on our versioning policy can be found in the API reference.

Stripe.api_key = 'sk_test_4eC39HqLyjWDarjtT1zdp7dc' Stripe.api_version = '2017-06-05'
stripe.api_key = 'sk_test_4eC39HqLyjWDarjtT1zdp7dc' stripe.api_version = '2017-06-05'
\Stripe\Stripe::setApiKey('sk_test_4eC39HqLyjWDarjtT1zdp7dc'); \Stripe\Stripe::setApiVersion('2017-06-05');
// The API version is statically defined in each version of the Java library.
const stripe = require('stripe')('sk_test_4eC39HqLyjWDarjtT1zdp7dc', { apiVersion: '2017-06-05', });
// The API version is statically defined in each version of the Go library.
// The API version is statically defined in each version of the .NET library.

New Stripe users automatically default to the latest version of the API. This header ensures that your plugin is pinned to a specific API version, which keeps the occasional backwards-incompatible change from breaking your plugin’s functionality.

Users can upgrade their own API version through the Stripe Dashboard. If your plugin relies on webhook events, their data format and structure depend on the user’s account API version. You should instruct your users to set the version in their Dashboard to match your plugin.

Subscribing to our mailing list for updates

We regularly release new versions of the Stripe API that bring new features and bug fixes. You can subscribe to the plugins-announce mailing list to be notified of updates that may affect users of your plugin.

Securely collecting payment details

Stripe users are subject to PCI compliance, which specifies how credit card data should be securely stored, processed, and transmitted. Their businesses could face stiff penalties for noncompliance or potential breaches, so it’s important to help them safely process on Stripe.

Since your plugin will make API calls on behalf of a Stripe user, you must transmit credit card data securely using client-side tokenization. Customers submit their personal information through their web browser or mobile app directly to Stripe, and in exchange a simple token will be sent to the Stripe user. This allows your users to securely collect card details without sensitive data ever touching their server.

If your plugin includes a client-side payment form in the browser, we recommend that you use either Stripe.js and Elements or Checkout:

  • Elements provides prebuilt UI components and complete control over the look and feel of payment forms
  • Checkout provides a complete checkout experience and can be quickly added to a Stripe user’s website

Both of these options provide client-side tokenization.

If your plugin only operates in a backend environment, please include a note in your plugin’s documentation asking users to tokenize payment details using Elements or Checkout. Tokenization helps Stripe users process as safely as possible on our platform.

Add the Payment Request Button

The Payment Request Button is a single Element that enables Apple Pay, Google Pay, and the Payment Request API—a browser standard that lets customers quickly provide payment and address information stored in their browser.

This Element will show either an Apple Pay or Payment Request button, depending on which device and browser the customer uses. You can see an example in our documentation.

Enabling multiple payment methods

Stripe supports multiple payment methods, aside from credit cards. We’ve published a guide to payment methods that introduces terminology, key considerations, and how we support each method on our platform.

The Sources API enables your users to collect payments using additional payment methods (e.g. Alipay, iDEAL, Sofort). These payment methods can be quickly added using one integration path. For more information, you can read about best practices to consider when using Sources.

Verifying that HTTPS is enabled

If your plugin presents a payment form in a web browser, it should check if the form is being served via HTTPS. We require our users to enable HTTPS: you should present a clear error to your user if they’re not properly secured.

Here are a few examples to verify whether your users have HTTPS enabled:

# This example uses Sinatra, but the `request` object is provided by Rack require 'sinatra' get '/' do if !request.https? # Present an error to the user end # ... end
# This example uses Flask from flask import Flask, request app = Flask(__name__) @app.route('/') def index(): if not request.is_secure: # Present an error to the user
if (isset($_SERVER['HTTPS'])) { // Present an error to the user }
// This example uses Express const express = require('express'); const app = express(); app.get('/', function(request, response) { if (! { // Present an error to the user } }); app.listen(3000);
// This example uses Spark import spark.Request; import static spark.Spark.*; public class Main { public static void main(String[] args) { get("/", (req, res) -> { if (!isSecure(req)) { // Present an error to the user } // ... }); } public static boolean isSecure(Request req) { // Check the URL scheme if (req.scheme().toLowerCase().equals("https")) { return true; } // Check the headers String xForwardedProto = req.headers("X-Forwarded-Proto"); if (xForwardedProto != null && xForwardedProto.toLowerCase().equals("https")) { return true; } // Check the protocol if (req.protocol().startsWith("HTTPS")) { return true; } return false; } }
// This example uses the built-in net/http package package main import ( "fmt" "net/http" "strings" ) func isSecure(r *http.Request) bool { // Check the URL scheme if strings.ToLower(r.URL.Scheme) == "https" { return true } // Check the headers if strings.ToLower(r.Header.Get("X-Forwarded-Proto")) == "https" { return true } // Check the protocol if strings.HasPrefix(r.Proto, "HTTPS") { return true } // Detect TLS if r.TLS != nil { return true } return false } func handler(w http.ResponseWriter, r *http.Request) { if !isSecure(r) { // Present an error to the user } // ... } func main() { http.HandleFunc("/", handler) http.ListenAndServe(":3000", nil) }
// This example works for any ASP.NET Core app (using Microsoft.AspNetCore.Mvc) // You can add this to ConfigureServices in the Startup class: public void ConfigureServices(IServiceCollection services) { services.Configure<MvcOptions>(options => { options.Filters.Add(new RequireHttpsAttribute()); }); }

If your plugin has a front-end component, you can check whether HTTPS is being used from the browser. For example, using JavaScript:

// This example checks for HTTPS from the browser if (window.location.protocol !== "https:") { // Present an error to the user }
Was this page helpful?
Questions? Contact us.
Developer tutorials on YouTube.