Lemon Squeezy
Live audit of your Lemon Squeezy store — confirms that webhooks exist, that they subscribe to the right lifecycle events, and that you've actually exited test mode.
Why this matters
Lemon Squeezy is the merchant-of-record alternative to Stripe — popular with bootstrapped SaaS founders because it handles global VAT / sales-tax compliance. Same Billable pillar question as Stripe (can you safely charge customers) with a different API shape and a different common failure pattern: stores left in test mode long after the founder thought they’d “turned it on for real,” or webhooks pointing at stale ngrok URLs from the prototype phase.
Connect Lemon Squeezy
Mint an API key.
Lemon Squeezy Dashboard → Settings → API → Create new API key. Note: Lemon Squeezy doesn’t offer scope control on API keys today; the key has full read access to the account. We commit in code to read-only calls.
Note your store ID.
Lemon Squeezy → Stores. The store ID is the numeric identifier shown alongside each store name — you can also find it in URLs like /dashboard/stores/12345.
Paste into PulseLight.
From the project page, click the gear icon → Connected platforms → Lemon Squeezy. Paste the API key and store ID. We probe the API once to confirm both are valid.
First scan.
The next scan includes the Lemon Squeezy Connected Check findings — rolled up into the Billable pillar.
What we verify
Webhook is configured (CONN-LMSQ-WEBHOOK-001)
We list webhooks attached to the store. Zero webhooks = your app has no way to learn about successful purchases, cancellations, or refunds in real time. Likely you’re relying on the user clicking back to a success page, which is fragile.
Webhook subscribes to lifecycle events (CONN-LMSQ-EVENTS-001)
We check the event types the webhook subscribes to and flag missing critical signals: order_created, subscription_created, subscription_cancelled, and the refund / payment-recovery events. Missing one = silent subscription churn or duplicate-grant bugs when a customer cancels.
Store is in live mode (CONN-LMSQ-MODE-001)
We read the store’s mode and flag any still in test mode. Test-mode stores never produce real charges — if you’re shipping to real customers but the store mode wasn’t flipped, every “purchase” is a no-op.
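The two webhook checks above, run over a constructed webhook-list payload so you can reproduce them against your own API response; this is an added example, not PulseLight's own code. It assumes the store_id, url and events attributes of Lemon Squeezy's webhook object, treats order_refunded and subscription_payment_recovered as the refund / payment-recovery events, and uses a hypothetical EXAMPLE-TUNNEL-URL label for the stale ngrok case mentioned under "Why this matters".

```python
import json
from urllib.parse import urlparse

# Events the page names, plus two Lemon Squeezy event names assumed to be the
# "refund / payment-recovery events" it refers to.
REQUIRED_EVENTS = {
    "order_created", "subscription_created", "subscription_cancelled",
    "order_refunded", "subscription_payment_recovered",
}
# Assumed tunnel host suffixes; extend for other prototype-phase tunnels.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")

# Constructed sample in the JSON:API shape of a webhook list response.
SAMPLE = json.loads("""
{"data": [
  {"type": "webhooks", "id": "1", "attributes": {
     "store_id": 12345, "url": "https://ab12cd.ngrok.io/hooks/ls",
     "events": ["order_created", "subscription_created"]}},
  {"type": "webhooks", "id": "2", "attributes": {
     "store_id": 99999, "url": "https://other.example/hooks",
     "events": ["order_created"]}}
]}
""")

def audit_webhooks(payload, store_id):
    """Return (finding_id, detail) tuples for one store's webhooks."""
    hooks = [w["attributes"] for w in payload.get("data", [])
             if w.get("type") == "webhooks"
             and w["attributes"].get("store_id") == store_id]
    if not hooks:
        return [("CONN-LMSQ-WEBHOOK-001", "no webhook attached to store")]
    findings = []
    # An event is covered if any webhook on the store subscribes to it.
    covered = set().union(*(h.get("events", []) for h in hooks))
    missing = sorted(REQUIRED_EVENTS - covered)
    if missing:
        findings.append(("CONN-LMSQ-EVENTS-001", "missing: " + ", ".join(missing)))
    for h in hooks:
        host = urlparse(h.get("url", "")).hostname or ""
        if host.endswith(TUNNEL_SUFFIXES):  # hypothetical label, not a PulseLight ID
            findings.append(("EXAMPLE-TUNNEL-URL", host))
    return findings

if __name__ == "__main__":
    for finding in audit_webhooks(SAMPLE, 12345):
        print(*finding, sep=": ")
```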
Privacy + scope
Your API key is encrypted at rest with KMS envelope encryption and decrypted only at scan time. We read store config, webhook config, and store mode only. We never read customer records, never modify products, never trigger purchases or refunds. Revoke the key in Lemon Squeezy’s Settings → API at any time; the next scan reports the integration as revoked.