playbooks

home / skills / secondsky / claude-skills / payment-gateway-integration

payment-gateway-integration skill

/plugins/payment-gateway-integration/skills/payment-gateway-integration

This skill helps you implement secure payment gateway flows with Stripe and PayPal, including subscriptions, webhooks, and PCI-compliant error handling.

npx playbooks add skill secondsky/claude-skills --skill payment-gateway-integration

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
2.8 KB
---
name: payment-gateway-integration
description: Integrates payment processing with Stripe, PayPal, or Square including subscriptions, webhooks, and PCI compliance. Use when implementing checkout flows, recurring billing, or handling refunds and disputes.
---

# Payment Gateway Integration

Integrate secure payment processing with proper error handling and compliance.

## Stripe Integration (Node.js)

```javascript
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

class PaymentService {
  async createPaymentIntent(amount, currency, customerId) {
    return stripe.paymentIntents.create({
      amount: Math.round(amount * 100), // Convert to cents
      currency,
      customer: customerId,
      automatic_payment_methods: { enabled: true }
    });
  }

  async createSubscription(customerId, priceId) {
    return stripe.subscriptions.create({
      customer: customerId,
      items: [{ price: priceId }],
      payment_behavior: 'default_incomplete',
      expand: ['latest_invoice.payment_intent']
    });
  }

  async refund(paymentIntentId, amount = null) {
    const params = { payment_intent: paymentIntentId };
    if (amount) params.amount = Math.round(amount * 100);
    return stripe.refunds.create(params);
  }
}
```

## Webhook Handling

```javascript
app.post('/webhooks/stripe', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['stripe-signature'];

  let event;
  try {
    event = stripe.webhooks.constructEvent(req.body, sig, process.env.STRIPE_WEBHOOK_SECRET);
  } catch (err) {
    return res.status(400).send(`Webhook Error: ${err.message}`);
  }

  switch (event.type) {
    case 'payment_intent.succeeded':
      await handlePaymentSuccess(event.data.object);
      break;
    case 'invoice.payment_failed':
      await handlePaymentFailed(event.data.object);
      break;
  }

  res.json({ received: true });
});
```

## PayPal Integration

See [references/paypal-integration.md](references/paypal-integration.md) for complete PayPal implementation with:
- Order creation and capture
- Refund processing
- Webhook handling
- Frontend SDK integration
- Success/cancel callbacks

## Security Checklist

- [ ] Use official SDK only
- [ ] Verify webhook signatures
- [ ] Never log full card numbers
- [ ] Store minimal payment data
- [ ] Test in sandbox first
- [ ] HTTPS for all payment routes
- [ ] Handle all error cases
- [ ] Use idempotency keys
- [ ] Implement retry logic

## Best Practices

**Do:**
- Use official SDK libraries
- Verify all webhook signatures
- Log transaction IDs (not card data)
- Test in sandbox environment
- Handle all payment states
- Implement proper error messages

**Don't:**
- Process raw card data directly
- Store sensitive payment info
- Hardcode API keys
- Skip webhook signature validation
- Ignore failed payment events
- Use test keys in production

Overview

This skill integrates payment processing with Stripe, PayPal, and Square, providing production-ready patterns for checkout flows, recurring billing, refunds, and dispute handling. It includes subscription management, webhook handling with signature verification, and a security checklist for PCI-conscious deployments. The implementation is TypeScript-friendly and designed for cloud and frontend frameworks like React and Tailwind.

How this skill works

The skill wraps official SDK calls to create payment intents, subscriptions, refunds, and order captures while converting amounts and managing idempotency. It exposes webhook endpoints that verify provider signatures, parse events, and route them to handlers for success, failure, or invoice events. Security and error handling are built in: signature verification, minimal logging of sensitive data, retry logic, and sandbox testing recommendations.

When to use it

  • Building a new checkout flow that needs one-time payments or saved customers.
  • Implementing recurring billing, trials, or subscription management.
  • Handling refunds, partial refunds, chargebacks, and disputes.
  • Connecting backend webhook handlers to reconcile payment state.
  • Migrating between payment providers or adding multiple gateways.

Best practices

  • Use only official SDKs and environment variables for API keys.
  • Verify webhook signatures and reject invalid events.
  • Never log full card numbers or store raw PAN data; log transaction IDs only.
  • Test thoroughly in sandbox environments before switching to production.
  • Use idempotency keys and implement retry logic for transient failures.

Example use cases

  • Create a Stripe PaymentIntent for a cart total and complete checkout via client SDK.
  • Set up a subscription flow that creates a Stripe subscription and handles invoice.payment_failed events.
  • Implement webhook endpoints that update order status on payment_intent.succeeded and trigger fulfillment.
  • Process refunds programmatically with amount conversion and partial refund support.
  • Add PayPal order creation and capture for international customers alongside Stripe.

FAQ

Does this skill handle PCI compliance?

It helps follow PCI best practices by avoiding raw card processing, using official SDKs, verifying webhooks, and recommending minimal storage of payment data, but you must follow your organization’s PCI responsibilities and environment controls.

How do I test webhooks locally?

Use the provider’s webhook simulator or a tunneling tool (like ngrok) to forward events to your local webhook endpoint and verify signatures with the provider’s test secret.