← Dashboard · Trust Center · Compliance · Pricing · Privacy · Terms

Stripe operator setup

Do this once per environment (test vs live). Customers click Subscribe in the dashboard; Stripe calls your Worker webhook to attach subscription state to the tenant ID.

Apply D1 migrations (includes billing columns). From trust-engine:
```
npx wrangler d1 migrations apply consent-metadata --remote
```
Use your database name from wrangler.jsonc if different.
Create a Product & recurring Price in Stripe Dashboard (Products → Add product → recurring). Copy the Price ID (price_…). Match it to your public tier (e.g. Builder $19).
Add Worker secrets (never commit keys). From trust-engine:
```
npx wrangler secret put STRIPE_SECRET_KEY
npx wrangler secret put STRIPE_WEBHOOK_SECRET
npx wrangler secret put STRIPE_PRICE_ID
```
Or run scripts\set-stripe-secrets.ps1 (interactive). Non-interactive: set $env:STRIPE_* then scripts\push-stripe-secrets-from-env.ps1. Test keys sk_test_; live sk_live_.
STRIPE_PRICE_ID is stored as a secret so it isn’t exposed to the browser. Redeploy after changing secrets.
Webhook endpoint — Stripe Dashboard → Developers → Webhooks → Add endpoint.
URL: https://YOUR_DOMAIN/webhooks/stripe (e.g. https://capchacloud.com/webhooks/stripe).
Events to send: checkout.session.completed, customer.subscription.updated, customer.subscription.deleted.
Reveal the signing secret (whsec_…) and set it as STRIPE_WEBHOOK_SECRET.
Customer Portal (optional but recommended): Stripe Dashboard → Settings → Billing → Customer portal → Activate. Lets users manage cards and invoices after checkout.
Deploy Worker:
```
npx wrangler deploy
```
Local webhook testing — install Stripe CLI, then:
```
stripe login
stripe listen --forward-to http://127.0.0.1:8787/webhooks/stripe
```
Copy the CLI webhook signing secret into .dev.vars as STRIPE_WEBHOOK_SECRET while developing.

Verify: sign in → Trust & billing → Subscribe → complete Checkout → billing status should become active after webhook delivery (refresh).