The Prince Academy株式会社 | Best Practices for Webhook Management | Handling Webhooks and Real-time Updates | Stripe for Next.js: A Developer's Guide to Seamless Payments

Webhooks are Stripe's primary mechanism for notifying your application about events in real-time. Effectively managing these webhooks is crucial for building a robust and responsive payment system. This section outlines best practices to ensure your Stripe webhook handling is secure, reliable, and maintainable.

Secure Your Webhook Endpoint: Always verify the signature of incoming Stripe webhooks. This ensures that the request genuinely originates from Stripe and hasn't been tampered with. Stripe signs each webhook with your webhook signing secret, which you can find in your Stripe dashboard. Your Next.js application should use this secret to verify the signature before processing the event.

import { buffer } from 'micro';
import Stripe from 'stripe';

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);

export default async (req, res) => {
  if (req.method === 'POST') {
    const buf = await buffer(req);
    const sig = req.headers['stripe-signature'];

    let event;

    try {
      event = stripe.webhooks.constructEvent(buf, sig, process.env.STRIPE_WEBHOOK_SECRET);
    } catch (err) {
      console.log(`Webhook signature verification failed.`, err.message);
      return res.status(400).send(`Webhook Error: ${err.message}`);
    }

    // Handle the event
    switch (event.type) {
      case 'payment_intent.succeeded':
        const paymentIntent = event.data.object;
        console.log(`PaymentIntent for ${paymentIntent.amount} was successful!`);
        // Then define and call a function to handle the successful payment intent.
        // handlePaymentIntentSucceeded(paymentIntent);
        break;
      case 'charge.succeeded':
        const charge = event.data.object;
        console.log(`Charge for ${charge.amount} was successful!`);
        // Then define and call a function to handle the successful charge.
        // handleChargeSucceeded(charge);
        break;
      // ... handle other event types
      default:
        console.log(`Unhandled event type ${event.type}`);
    }

    // Return a 200 response to acknowledge receipt of the event
    res.json({ received: true });
  } else {
    res.setHeader('Allow', 'POST');
    res.status(405).end('Method Not Allowed');
  }
};

Respond Quickly with 200 OK: As soon as you receive a webhook, respond with a 200 OK status code to acknowledge receipt. This tells Stripe that your endpoint received the event successfully. Perform any heavy processing or business logic asynchronously.

res.json({ received: true });

Handle Events Idempotently: Design your webhook handlers to be idempotent. This means that processing the same event multiple times should have the same effect as processing it once. Stripe may occasionally send the same event twice (e.g., during network disruptions). You can achieve idempotency by tracking processed events in your database or by using Stripe's built-in idempotency keys for API requests related to webhook events.

graph TD
    Stripe -- POST Webhook --> NextJSEndpoint
    NextJSEndpoint -- Verify Signature --> Stripe
    NextJSEndpoint -- Respond 200 OK --> Stripe
    NextJSEndpoint -- Process Event Asynchronously --> Database

Process Events Asynchronously: Avoid performing long-running operations directly within your webhook handler. This could lead to timeouts and Stripe retrying the webhook, potentially causing duplicate processing. Instead, use a message queue (like Redis, RabbitMQ, or AWS SQS) or a background job processor to handle the actual business logic.

import { buffer } from 'micro'; import Stripe from 'stripe'; const stripe = new Stripe(process.env.STRIPE_SECRET_KEY); export default async (req, res) => { if (req.method === 'POST') { const buf = await buffer(req); const sig = req.headers['stripe-signature']; let event; try { event = stripe.webhooks.constructEvent(buf, sig, process.env.STRIPE_WEBHOOK_SECRET); } catch (err) { console.log(`Webhook signature verification failed.`, err.message); return res.status(400).send(`Webhook Error: ${err.message}`); } // Handle the event switch (event.type) { case 'payment_intent.succeeded': const paymentIntent = event.data.object; console.log(`PaymentIntent for ${paymentIntent.amount} was successful!`); // Then define and call a function to handle the successful payment intent. // handlePaymentIntentSucceeded(paymentIntent); break; case 'charge.succeeded': const charge = event.data.object; console.log(`Charge for ${charge.amount} was successful!`); // Then define and call a function to handle the successful charge. // handleChargeSucceeded(charge); break; // ... handle other event types default: console.log(`Unhandled event type ${event.type}`); } // Return a 200 response to acknowledge receipt of the event res.json({ received: true }); } else { res.setHeader('Allow', 'POST'); res.status(405).end('Method Not Allowed'); } };

graph TD Stripe -- POST Webhook --> NextJSEndpoint NextJSEndpoint -- Verify Signature --> Stripe NextJSEndpoint -- Respond 200 OK --> Stripe NextJSEndpoint -- Process Event Asynchronously --> Database