payment-security_skill

This skill helps you implement secure payments using Clerk Billing and Stripe without handling card data, ensuring PCI-DSS compliance and seamless
  • JavaScript

4

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill harperaa/secure-claude-skills --skill payment-security

  • SKILL.md16.6 KB

Overview

This skill implements secure subscription payments using Clerk Billing and Stripe while ensuring your servers never handle card data. It provides components, webhook handlers, and examples to set up Stripe Checkout, subscription gating, and server-side verification without exposing sensitive payment details. Use it to simplify PCI scope and reliably manage subscription lifecycle events.

How this skill works

The frontend uses Clerk's PricingTable to open Stripe Checkout; card entry and processing occur on Stripe's servers so your app never stores or transmits card data. Clerk receives Stripe events, verifies webhooks (Svix), and forwards subscription updates to your backend or Convex where you store subscription state and Stripe IDs only. Server-side checks read subscription metadata to gate premium features and respond to webhook events like created, updated, deleted, and payment_failed.

When to use it

  • Adding subscription plans with Stripe Checkout via Clerk Billing
  • Protecting premium pages or API routes behind paid plans
  • Implementing webhook handling for subscription lifecycle events
  • Ensuring your app remains out of PCI-DSS scope
  • Testing payment flows safely with Stripe test cards

Best practices

  • Never store cardholder data; store only Stripe customer/subscription IDs
  • Always verify webhook signatures (Svix) before processing events
  • Enforce server-side subscription checks for gated features
  • Implement idempotency for webhook handling to avoid duplicate work
  • Use Stripe test cards and CLI to validate webhook flows locally

Example use cases

  • A Pricing page that opens Clerk-managed Stripe Checkout for upgrades
  • A protected dashboard route that requires a paid plan via server auth
  • Webhook receiver that updates internal DB when subscriptions change
  • Automated emails and state changes on subscription.payment_failed events
  • Convex HTTP endpoint that ingests Clerk webhooks and runs mutations

FAQ

No. If you never store, process, or transmit card data and rely on Stripe for payments, Stripe handles PCI-DSS scope. You should still follow webhook and access security best practices.

How do I test payments locally?

Use Stripe test card numbers (e.g., 4242 4242 4242 4242) and the Stripe CLI to forward events to your local webhook endpoint.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
payment-security skill by harperaa/secure-claude-skills | VeilStrat