
Chapter 16 · 04

Wiring Up Payments

If you want to get paid, the standard path for a solo builder is Stripe (or Lemon Squeezy / Paddle if you want them to handle sales tax for you — they take a bigger cut but make the tax headache disappear). The mechanics are repetitive and well-documented, which makes them ideal to delegate. The pieces you need:

  • A checkout flow — Stripe Checkout is the fastest; it hands you a hosted payment page so you never touch raw card details.
  • Think of a webhook like the payment company phoning your app the instant a sale clears, instead of your app having to keep asking "did it go through yet?" A webhook is exactly that: a URL on your server that the payment provider calls so your app learns when a payment actually succeeded. This is the part beginners skip and then wonder why orders never get fulfilled. The redirect back to your site can be closed, blocked, or faked; the webhook is the server-to-server source of truth. Never trust the redirect alone; trust the webhook.
  • A way to store entitlements — mark the user as paid in your database, so a refresh or a new device still sees what they bought.

The key insight is which arrow you trust. The user's redirect back to your site can be lost or faked; the webhook is the server-to-server line that actually unlocks the product:

 ┌──────┐  1. click Buy   ┌───────────┐
 │ USER │────────────────▶│  YOUR APP │
 └──────┘                 └─────┬─────┘
    ▲                           │ 2. create checkout session
    │                           ▼
    │                    ┌─────────────┐
    │  3. pay on hosted  │   STRIPE    │
    └───────────────────▶│   Checkout  │
       (card details)    └──────┬──────┘
                                │
          ┌─────────────────────┴─────────────────────┐
          │ 4a. redirect back        4b. WEBHOOK call  │
          │     (can be lost/faked)      (server→server,│
          ▼                              signed, trusted)▼
   ┌──────────────┐                          ┌────────────────────┐
   │ thank-you    │   ✗ do NOT unlock here   │ YOUR APP /webhook   │
   │ page (UI only)│                         │ verify signature →  │
   └──────────────┘                          │ mark user PAID  ✓   │
                                             └────────────────────┘

Ask the AI to scaffold all three and explain the webhook signature verification, since that is the one security-sensitive step — without it, anyone who finds your webhook URL could fake a "payment succeeded" event and unlock your product for free. Test everything in Stripe's test mode with their test card numbers (4242 4242 4242 4242 is the famous one) before flipping to live keys, and use the Stripe CLI to forward webhook events to your local machine so you can watch them fire. Do not skip the test-mode dress rehearsal. The first real money that moves through your app should be a transaction you have already seen work a dozen times.
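To show what the signature check at step 4b does, here is an added example (not code from this handbook or from Stripe) that verifies a `Stripe-Signature` header using only the Python standard library and then records the entitlement. It assumes Stripe's documented `t=<timestamp>,v1=<hex HMAC>` header format; the in-memory sets stand in for your database, and the secret, event id and user id are constructed sample values.

```python
import hashlib, hmac, json, time

TOLERANCE_SECONDS = 300   # reject stale timestamps to limit replay of captured events
PAID_USERS = set()        # stand-in for the entitlements table in your database
SEEN_EVENTS = set()       # event ids already handled (providers retry deliveries)

def sign(secret, timestamp, body):
    """Hex HMAC-SHA256 over b"<timestamp>.<raw body>", Stripe's v1 scheme."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def verify(secret, header, body, now=None):
    """True only if a v1 signature in the Stripe-Signature header matches body."""
    pairs = [p.strip().split("=", 1) for p in header.split(",") if "=" in p]
    ts = next((v for k, v in pairs if k == "t"), "")
    sigs = [v for k, v in pairs if k == "v1"]
    if not (ts.isascii() and ts.isdigit()) or not sigs:
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, ts, body).encode()
    # compare_digest runs in constant time, so it does not reveal how much matched
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)

def handle_webhook(secret, header, body, now=None):
    """Return the HTTP status the /webhook route should answer with."""
    if not verify(secret, header, body, now):   # verify BEFORE parsing the JSON
        return 400
    event = json.loads(body)
    if event["id"] in SEEN_EVENTS:              # duplicate delivery: acknowledge only
        return 200
    SEEN_EVENTS.add(event["id"])
    session = event["data"]["object"]
    if event["type"] == "checkout.session.completed" and session.get("payment_status") == "paid":
        PAID_USERS.add(session["client_reference_id"])
    return 200

# Constructed sample data: secret, ids and timestamp are invented for this example.
SECRET, NOW = "whsec_constructed_example", 1_700_000_000
BODY = json.dumps({"id": "evt_constructed_1", "type": "checkout.session.completed",
                   "data": {"object": {"client_reference_id": "user_42",
                                       "payment_status": "paid"}}}).encode()

if __name__ == "__main__":
    good = f"t={NOW},v1={sign(SECRET, NOW, BODY)}"
    print(handle_webhook(SECRET, good, BODY, NOW), PAID_USERS)           # genuine event
    print(handle_webhook(SECRET, f"t={NOW},v1={'0' * 64}", BODY, NOW))   # forged event
```

The handler must be given the raw request bytes exactly as received; a body that your framework has already parsed and re-serialized will not match the signature. In a real app the official Stripe library's `stripe.Webhook.construct_event` performs this same check for you.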
