Audience: Developers, QA, Owners, Admins
Outcomes: Clean pre-launch; fewer “we missed a secret” incidents
Local testing
Tunnel your /api/webhooks/* to your laptop. Stripe CLI:
stripe listen --forward-to localhost:3000/api/webhooks/stripe
Provider sandboxes: simulate settlement/refund webhooks
Fixtures: record golden events; replay in tests; validate DB + SSE + invoices
Sandbox → production checklist
Stripe live keys loaded; test keys removed
Bank HMAC live secret set; signature verified in prod
Webhook endpoints reachable (TLS ok)
Idempotency table present; unique constraints live
CORS/CSP set to production domains only
Dashboards + alerts configured; on-call runbooks linked
Troubleshooting quick answers
“Signature verification failed” → raw body, secret, clock skew
“Duplicate effects” → missing idempotency; add processed table/unique keys
“SSE never connects” → CORS/credentials or proxy buffering
QA checklist
Full happy path: card success → webhook → order DepositPaid → invoice emitted
Negative: bad signature, duplicate event, 3DS required → handled gracefully