Stripe

Live audit of your Stripe webhook + entitlements config. Catches the things a repo scan can't: webhooks subscribed to no events, mis-routed payment_intent flows, prod still in test mode.

Available on the Growth tier. Read-only API access — we never mutate your Stripe account.

Why this matters

The single most common AI-built-app billing failure: a Stripe webhook endpoint declared in code, but the Stripe-side webhook either doesn’t exist, isn’t subscribed to the events the code handles, or is stuck in test mode while the rest of the app is in live mode. None of that shows up in a repo scan. Your Stripe dashboard does. So we read it.

Connect Stripe

01

Open project settings.

From the project page, click the gear icon → Connected platforms → Stripe.

02

Authorise via Stripe OAuth.

You’re redirected to Stripe’s standard OAuth consent screen. We request a single scope: read_only. You can confirm this on the consent page.

03

Pick the account.

If you have multiple Stripe accounts, pick the one this project ships against. We sync from your live mode by default; test-mode is opt-in for staging projects.

04

First scan.

Once connected, the next scan includes the Stripe Connected Check findings alongside repo findings — rolled up into the Billable pillar.

What we verify

  • Webhook endpoint exists

    Your code references a webhook URL; we confirm Stripe has an endpoint registered at that URL (or a parent path that would catch it).

  • Webhook subscribed to live events

    We list the event types your handler dispatches on (e.g. payment_intent.succeeded, customer.subscription.deleted) and confirm the Stripe webhook is subscribed to each. Mismatch → blocker.

  • Live mode, not test mode

    If your repo references env vars suffixed with _LIVE or similar but the Stripe account is still test-only, we surface a blocker before you accidentally launch on test keys.

  • Webhook secret reachable

    We don’t read the secret value, but we verify it exists on Stripe’s side and that your code includes a path that would consume it.

Common findings

STRIPE-WEBHOOK-001 — Webhook signature verification missing
  File: app/api/stripe/webhook/route.ts:22
  Why:  The handler calls req.json() before verifying the
        Stripe-Signature header. Spoofed events could unlock
        paid access or corrupt subscription state.
  Fix:  stripe.webhooks.constructEvent(rawBody, sig, secret).

STRIPE-WEBHOOK-002 — Endpoint not subscribed to required events
  Live webhook at https://app.example.com/api/stripe/webhook
  Subscribed to:   ['payment_intent.succeeded']
  Code dispatches: ['payment_intent.succeeded',
                    'customer.subscription.deleted']
  Missing:         ['customer.subscription.deleted']

STRIPE-MODE-001 — Account is in test mode
  Code references STRIPE_SECRET_KEY (live shape).
  Stripe account still gates live activations. Verify
  account in Stripe Dashboard before launch.

What we don’t do

We never list invoices, customers, or charges. We don’t read the webhook signing secret. We never call any create, update, or delete Stripe endpoint. The OAuth scope is read-only and the API surface we touch is auditable in your Stripe Dashboard’s API request log.

Disconnect

From the same Settings → Connected platforms → Stripe screen, click Disconnect. PulseLight revokes the OAuth grant and purges your Stripe access token. Past Stripe findings remain in your scan history (since they’re point-in-time evidence) but no new ones surface until you reconnect.

See also: Connected Checks overview and the Billable pillar.