Stripe Checkout Done Right: The 12-Point Setup Most Sites Get Wrong
Stripe is, by a wide margin, the easiest payment processor on the planet. It's also the easiest to misconfigure in ways that lose you money silently. Here are twelve things to verify on every checkout flow before you go live. Skip any of them and money walks out the door without you noticing.
1. Live keys vs. test keys are unambiguously separated
The single most common Stripe mistake: shipping with test keys still in production. Use environment variables. Never hardcode. Verify the live deploy actually has the live keys before announcing the launch.
2. Webhooks are configured AND tested
Stripe Checkout success doesn't always mean payment success. Webhooks are how you confirm the charge actually completed. Configure the relevant events (`checkout.session.completed`, `payment_intent.succeeded`, `payment_intent.payment_failed`) and verify each one fires correctly in test mode before going live.
3. Webhook signatures are verified
Anyone can hit your webhook endpoint and claim a payment was successful. Verify the signature on every webhook request before processing. Stripe's libraries make this a one-liner. Do not skip it.
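What that one-liner checks, written out as an added example (not code from the original post or from Stripe's libraries): it follows Stripe's documented `Stripe-Signature` header scheme, `t=<unix time>,v1=<hex HMAC-SHA256 of "t.body">`, keyed with the endpoint's signing secret. The secret, event body, timestamps and the `TOLERANCE_SECONDS` value are constructed for illustration; in production, call the library's verifier instead.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumption for this example: five-minute replay window


def sign(raw_body: bytes, secret: str, timestamp: str) -> str:
    """v1 signature: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    signed_payload = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, header: str, secret: str, now: Optional[int] = None) -> bool:
    """Return True only for a fresh, correctly signed webhook body."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":  # more than one v1 can appear while a secret is rolled
            candidates.append(value)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = sign(raw_body, secret, timestamp).encode()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def demo() -> dict:
    """Run the check over constructed sample data (not real Stripe values)."""
    secret = "whsec_constructed_example"
    body = b'{"id":"evt_constructed","type":"checkout.session.completed"}'
    t = "1700000000"
    header = f"t={t},v1={sign(body, secret, t)}"
    return {
        "genuine": verify(body, header, secret, now=1700000030),
        "tampered_body": verify(body.replace(b"completed", b"expired"), header, secret, now=1700000030),
        "replayed_later": verify(body, header, secret, now=1700003600),
        "unsigned": verify(body, "t=1700000000", secret, now=1700000030),
    }


if __name__ == "__main__":
    print(demo())
```

Pass the raw request bytes to the check, not re-serialized JSON: any re-encoding changes the bytes and the HMAC no longer matches.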
4. Idempotency keys on every API call
Network blips happen. Without idempotency keys, a retry can create a duplicate charge. With them, retries are safe. Use them on every Stripe API call without exception.
5. Failed payments trigger the right downstream actions
When a payment fails, what happens? Does the customer's subscription get marked past-due? Do they get an email? Does support get a notification? Does the dashboard show the failure? Map every failed-payment scenario before launch.
6. Receipt emails are configured
Stripe sends receipts automatically — if you turn it on. Without it, customers don't get confirmation, your support inbox fills with "did my payment go through?" messages, and chargebacks rise. Turn on automatic receipts in the Stripe dashboard.
7. Tax calculation is handled
If you sell to multiple states or countries, Stripe Tax (the paid feature) handles tax calculation. If not, you're either undercharging or overcharging — both are bad. Decide your tax strategy before you ship.
8. Refunds have a clear workflow
You will refund customers. The question is whether it takes you 30 seconds in the Stripe dashboard, or 30 minutes of database surgery to update your own records. Build the refund flow into your admin dashboard from day one.
9. Subscription edge cases are handled
If you're charging recurring: pausing, upgrading, downgrading, canceling, reactivating, prorating — each one is its own UX flow. Stripe Customer Portal handles a lot of this for you. Use it unless you have a specific reason not to.
10. Dispute and chargeback alerts are wired
Stripe will tell you about a dispute by email — but you need to respond within a specific window or you lose by default. Wire up alerting so disputes go to a real human's inbox the moment they're raised, not whenever someone happens to check the dashboard.
11. PCI compliance is actually maintained
Stripe Checkout (the redirect flow) keeps you in PCI-SAQ-A scope, the simplest tier. Stripe Elements (embedded forms) keeps you in SAQ-A-EP, slightly more involved but still manageable. If you build your own card form, you're in SAQ-D and need real compliance work. Pick the simplest tier that meets your design needs.
12. Everything works in incognito mode and on mobile
Test the full purchase flow on at least three devices: desktop Chrome (incognito), iOS Safari, and Android Chrome. Verify the redirect from Checkout back to your site works, the success message appears, the receipt arrives, and the order shows up in your admin. Anything less is shipping hopes and prayers.
The cost of skipping
Each of these issues looks small in isolation. Combined, they account for the vast majority of "Stripe doesn't work the way I expected" support tickets. Spend the day before launch walking through this list. Future you will be relieved.