How to integrate Stripe payments into your vibe coded Apps
Prompt for Replit Agent 3 (Stripe Sandbox Paywall & Entitlements)
@ankur
10/18/20252 min read
Here’s a single, copy-pasteable prompt you can give to Replit Agent 3 for Stripe integration:
--------------------------------------------------------------------------------------------------------------------------------------------------------
You are my senior full-stack engineer. Integrate Stripe (test/sandbox mode) into the current Replit app to accept payments for select in-app features, and build a secure backend that stores who bought what and enforces access.
Refer to Stripe sandbox API for more details - https://docs.stripe.com/sandboxes
First, ask me these quick questions (then proceed):
Which app features should require payment? (Give me a checklist based on routes/components you detect.)
What is the user identity key in this app (e.g., auth user id, email, or session id)?
One-time purchase or subscription for each feature? If subscription, what term (monthly/annual)?
Preferred checkout flow: Stripe Checkout (recommended) or Payment Links?
Database in this repo (e.g., SQLite/Prisma/Postgres)? If none, propose a minimal option and implement it.
Core requirements
Do not assume a specific stack. Detect the app’s language/framework and implement accordingly.
Use Stripe Test Mode only.
Implement a products/prices layer:
Create (or programmatically ensure) Stripe Products/Prices for each paywalled feature.
Name products clearly (e.g., Feature: <feature_name>), store their price_ids in config.
Webhooks:
Endpoint: POST /webhooks/stripe
Verify signatures with STRIPE_WEBHOOK_SECRET.
Handle at least:
checkout.session.completed
invoice.paid (for subscriptions)
customer.subscription.deleted (revoke access)
Mark purchases/entitlements in DB. Ensure idempotency (e.g., by recording event IDs).
Data model (adapt to existing ORM/DB):
Entitlement enforcement:
Create a reusable server-side check (middleware/helper) that blocks routes and server actions for paywalled features unless entitlements.active is true for that user_id + feature_key.
Admin/ops:
Lightweight admin endpoint or script to list users, purchases, and entitlements for debugging.
Log webhook events (sanitized) for observability.
Security & correctness
Never trust the client for entitlement status; always check server-side.
Verify Stripe webhook signatures; reject unverified requests.
Use idempotency keys for Checkout creation and event-id de-dup for webhooks.
Store only necessary Stripe IDs; no raw card data.
Add rate limiting to payment endpoints if the stack already uses a limiter.
Write unit/integration tests for:
Checkout session creation (mocks)
Webhook handler idempotency & entitlement updates
Middleware blocking on non-entitled users and allowing entitled users
Test plan (document in README_BILLING.md)
Set STRIPE_SECRET_KEY (test), run stripe listen --forward-to /webhooks/stripe to get STRIPE_WEBHOOK_SECRET.
Use Stripe test cards (e.g., 4242 4242 4242 4242) to purchase each feature.
Confirm:
Checkout returns a URL and redirects properly.
Webhook marks purchases and activates entitlements.
Paywalled endpoints/components are blocked before purchase and allowed after.
Subscription cancel event revokes entitlement.
Try duplicate webhook delivery and verify idempotency.
Acceptance criteria
I can specify a list of features to paywall; the app exposes a working paywall with Stripe Checkout in Test Mode.
Entitlements are persisted and enforced server-side.
Webhooks are signature-verified and idempotent.
Clear docs (README_BILLING.md) and .env.example provided.
Minimal admin listing and basic tests are present.
Built with AI and Humans Working in Harmony