No trusted browser price
The browser submits no amount, currency, Stripe Price ID, merchant account, or arbitrary return URL.
Security by explicit boundaries
Yito Pay minimizes exposed payment data, validates every application boundary, and makes fulfillment traceable to signed Stripe events instead of browser claims.
Reduced payment data exposure
Yito Pay does not provide card-number fields and does not ask a product to collect sensitive payment details. Stripe Checkout renders the payment interface and sends payment information to Stripe. Yito Pay receives Stripe object identifiers and business status, not full card numbers or CVC values.
This boundary reduces exposure, but it does not erase the merchant’s compliance duties. Each seller remains responsible for its Stripe account, product claims, customer support, taxes, refund terms, disputes, and the PCI validation that applies to its integration.
All production traffic uses HTTPS. Secrets are stored as Cloudflare Worker secrets rather than source-controlled variables, public JavaScript, or general-purpose database columns.
The browser submits no amount, currency, Stripe Price ID, merchant account, or arbitrary return URL.
The database contains a keyed digest. Plaintext product credentials are issued once and rotated if lost.
A success page can inform the customer, but only verified server events change access.
Application isolation
The app credential resolves to one active application record. Orders, customer mappings, products, domains, portal sessions, and refunds are queried under that app ID. The product cannot use its credential to inspect another app’s order or choose another app’s Price ID.
Exact return origins and checkout domains are registered ahead of time. A request cannot introduce an open redirect by supplying a new URL. Server-side rate limits and unique external order IDs reduce abuse without replacing financial idempotency.
Event integrity
The Stripe webhook validates the exact raw body and endpoint signature before persistence. A unique event ID prevents duplicate processing. Queue consumers claim events and record concrete failures rather than silently swallowing them.
Product callbacks have a separate app-derived signing secret. Their timestamp, raw body, and stable event ID let the receiver reject forged or replayed updates. Database uniqueness ensures a retry cannot grant an entitlement twice.
Operational logs exclude secret keys, webhook secrets, app keys, Checkout client secrets, full signature headers, card details, and authentication payloads. Errors identify the failed object without printing the credential that authorized it.
Responsible operations
Dependencies, Worker configuration, response headers, endpoint behavior, and live checkout paths require ongoing review. Access to Stripe, Cloudflare, GitHub, Neon, analytics, and search tools should be granted by role and removed when no longer necessary.
Potential vulnerabilities should be sent privately to contact@pay.yito.ai with the affected URL, a concise reproduction, and the reporter’s contact information. Do not include real card data, customer secrets, or exploit unrelated accounts. We will acknowledge a credible report and coordinate a safe review.
Availability, payment status, and downstream callback failures are observable separately. A product should retain a pending customer state when confirmation is delayed and must never trade correctness for a misleading success screen.
Questions, answered
No. Stripe Checkout collects payment details directly. Yito Pay stores order and Stripe object identifiers needed to reconcile the purchase.
The plaintext key is issued once to the product backend. Yito Pay stores a keyed digest, and production master keys are kept as Cloudflare Worker secrets.
Email contact@pay.yito.ai with the affected URL and a safe reproduction. Do not include real payment details or access data that does not belong to you.
Build on a reliable payment boundary
Start with the integration guide, then register the app, domain, and server credentials before enabling checkout.