sveltekit-stripe
This package contains SvelteKit components for concisely rendering and using Stripe UI elements.
Features
Section titled “Features”To keep things simple and encourage best practices, this library contains only 3 of the available Stripe UI components:
The first two cover the vast majority of use cases for self-hosted checkout. The third is useful for embedding subscription options, with checkout hosted by Stripe.
Create a SvelteKit project and install the package:
npm create svelte@latest my-appcd my-appnpm install -D sveltekit-stripeAdd your Stripe public key to your environment variables:
.env
PUBLIC_STRIPE_KEY=pk_test_1234567890...If you plan to use a pricing table, you will need to create one in your Stripe dashboard. You can add the ID to your environment variables:
PUBLIC_STRIPE_TABLE_ID=prctbl_1234567890...After integrating Stripe with SvelteKit for the umpteenth time, I created this to significantly reduce the boilerplate I was writing over and over again.
A functioning Stripe integration can be achieved with very little code:
Example: Pricing Table
Section titled “Example: Pricing Table”+page.svelte
<script> import { PricingTable } from 'sveltekit-stripe' import { PUBLIC_STRIPE_KEY, PUBLIC_STRIPE_TABLE_ID } from '$env/static/public'</script>
<PricingTable publicKey={PUBLIC_STRIPE_KEY} tableId={PUBLIC_STRIPE_TABLE_ID} />The above is a complete Stripe integration.
Example: Self-Hosted Checkout
Section titled “Example: Self-Hosted Checkout”Self-hosted checkout is more complex, but it allows you to completely customize your checkout flow. This is essential when integrating with an existing backend. In most cases, your existing ecommerce backend (such as Medusa) will handle user auth and generating payment intents and/or setup intents. Client secrets come from these intents. See a section below for more information about generating client secrets if you need to generate them yourself.
+page.svelte
<script> import { Payment, stripeClient, stripeElements } from 'sveltekit-stripe' import { PUBLIC_STRIPE_KEY } from '$env/static/public'
let clientSecret = 'pi_1234567890...' // from your server, see README let success = false
const handleSubmit = async function() { const stripeResponse = await $stripeClient.confirmPayment({ elements: $stripeElements, redirect: 'if_required' }) console.log(stripeResponse) success = (stripeResponse.paymentIntent.status === 'succeeded') }</script>
{#if success === true} <h1>Success!</h1> {:else if !clientSecret} <h1>Something went wrong</h1> {:else} <form class:hidden={success} on:submit|preventDefault={handleSubmit}> <Payment publicKey={PUBLIC_STRIPE_KEY} {clientSecret} /> <button type="submit">Place Your Order</button> </form>{/if}NOTE: For payment setup rather than checkout, replace the line
const stripeResponse = await $stripeClient.confirmPayment({ elements: $stripeElements, redirect: 'if_required' })
with
const stripeResponse = await $stripeClient.confirmSetup({ elements: $stripeElements, redirect: 'if_required' })
Example: Self-Hosted Checkout Using use:enhance
Section titled “Example: Self-Hosted Checkout Using use:enhance”+page.svelte
<script> import { Payment, stripeClient, stripeElements } from 'sveltekit-stripe' import { PUBLIC_STRIPE_KEY } from '$env/static/public' import { enhance } from '$app/forms' let clientSecret = 'pi_1234567890...' // from your server, see README let success = false</script>
{#if success === true} <h1>Success!</h1>{:else if !clientSecret} <h1>Something went wrong</h1>{:else} <form class:hidden={success} method="POST" use:enhance={ async ({ cancel }) => { const stripeResponse = await $stripeClient.confirmPayment({ elements: $stripeElements, redirect: 'if_required' }) console.log(stripeResponse) if (stripeResponse.error) { console.log(stripeResponse.error) cancel() } // At this point, we have a successful payment with Stripe // We still have not submitted the form to our own server // The next line does that by sending it to the default form action return async ({ result }) => { if (result.status === 200) { // our own server has saved the payment success = true } } }}> <Payment publicKey={PUBLIC_STRIPE_KEY} {clientSecret} /> <button type="submit">Place Your Order</button> </form>{/if}+page.server.js
export const actions = { default: async({ request }) => { // handle the form submission // save to databse, queue email notification, etc return { success: true } }}Example: Self-Hosted Checkout Using the Address Element
Section titled “Example: Self-Hosted Checkout Using the Address Element”To easiest way to use the Address component is to bind the container, like in the example below. Once we have a binding, we can use the Stripe-provided function getValue():
+page.svelte
<script> import { Payment, Address, stripeClient, stripeElements } from 'sveltekit-stripe' import { PUBLIC_STRIPE_KEY } from '$env/static/public' import { enhance } from '$app/forms' let clientSecret = 'pi_1234567890...' // from your server, see README let success = false let addressContainer</script>
{#if success === true} <h1>Success!</h1>{:else if !clientSecret} <h1>Something went wrong</h1>{:else} <form class:hidden={success} method="POST" use:enhance={ async ({ cancel }) => { const {complete, value} = await addressContainer.getValue() if (complete) { // save the address somewhere console.log(value) } //else { // You can choose to handle the error yourself (e.g., show an error message) // Or you can just continue the submission and Stripe will handle the error //} const stripeResponse = await $stripeClient.confirmPayment({ elements: $stripeElements, redirect: 'if_required' }) console.log(stripeResponse) if (stripeResponse.error) { console.log(stripeResponse.error) cancel() } return async ({ result }) => { if (result.status === 200) { success = true } } }}> <Address publicKey={PUBLIC_STRIPE_KEY} {clientSecret} bind:addressContainer /> <Payment publicKey={PUBLIC_STRIPE_KEY} {clientSecret} /> <button type="submit">Place Your Order</button> </form>{/if}Obtaining a Client Secret
Section titled “Obtaining a Client Secret”Each time a user begins checkout, a payment intent needs to be generated. The payment intent contains a client secret that must be passed to the client. A valid client secret must be passed to the Address and Payment components, or they will not render.
In many use cases, another system, such as an ecommerce backend, already has a method of generating and providing client secrets for checkout. Please see the relevant documentation for your backend.
Passing from Server to Client in a Load Function
Section titled “Passing from Server to Client in a Load Function”One way to pass a client secret to the client in SvelteKit is via the load function. The client secret can be passed to the client as a prop, which is then passed to the Address and Payment components.
+page.server.js
export const load = async () => { const clientSecret = await generateClientSecret() // example function return { clientSecret }}Please note that generateClientSecret() is not a real function. It is a placeholder for however you generate a client secret using your ecommerce backend.
+page.svelte
<script> ... export let data let clientSecret = data?.clientSecret ...</script>Passing from Server to Client in an Endpoint
Section titled “Passing from Server to Client in an Endpoint”Another way to obtain a client secret is to use an endpoint. A simplified example:
+server.js
import { json } from '@sveltejs/kit'
export async function POST({ request }) { const data = await request.json() // some sort of validation on data const clientSecret = await generateClientSecret() // example function return json(clientSecret)}+page.svelte
...{#if success === true} <h1>Success!</h1>{:else if !clientSecret} let clientSecret = await fetch('/api/stripe', { method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify({some:data}) }).then(res => res.json())...A Note About Security
Section titled “A Note About Security”Client secrets include payment intents. Exposing a way that a bot could generate payment intents very rapidly will expose you to carding attacks. There are number of ways to mitigate the risk of automated carding attacks. One way is client-side tools like Turnstile or reCAPTCHA. A full discussion is outside the scope of this readme, but it’s important to mention. Consider using Turnstile or reCAPTCHA and other tools to rate limit the generation of payment intents.
If passing the client secret via a load function, consider adding a form action to the checkout page and make your checkout button post the token from Turnstile. The checkout page form action will run before the checkout page load function.
If obtaining the client secret via an endpoint, you can obtain a client-side token before calling the endpoint and validate the token before returning a payment intent. A Turnstile Example:
+server.js
import { validateToken } from 'sveltekit-turnstile'import { SECRET_TURNSTILE_KEY } from '$env/static/private'import { error, json } from '@sveltejs/kit'
export async function POST({ request }) { const data = await request.json() if (!await validateToken(data.token, SECRET_TURNSTILE_KEY)) throw error(400, { message: 'Bot risk' }) // some sort of validation on data const clientSecret = await generateClientSecret() // example function return json(clientSecret)}+page.svelte
<script> ... import { PUBLIC_TURNSTILE_SITE_KEY } from '$env/static/public' import { Turnstile } from 'sveltekit-turnstile' ...</script>...{#if success === true} <h1>Success!</h1>{:else if !token} <Turnstile siteKey={PUBLIC_TURNSTILE_SITE_KEY} on:turnstile-callback={ async (e) => { token = e.detail.token let body = { token, other: data } try { clientSecret = await fetch('/api/turnstile', { method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body) }).then(res => res.json()) } catch (err) { console.log(err) } }} />{:else}...Generating a Client Secret
Section titled “Generating a Client Secret”If you need to generate a client secret yourself, you will first need to add your secret Stripe key to your .env file:
.env
SECRET_STRIPE_KEY="sk_1234567890..."You must also add the Stripe SDK to your project:
npm install -D stripeThen, you can generate a payment intent in your load function and export the client secret:
+page.server.js
import { Stripe } from 'stripe'import { SECRET_STRIPE_KEY } from '$env/static/private'
export const load = async () => { const stripe = new Stripe(SECRET_STRIPE_KEY)
const options = { price: 1000, // price in smallest units (eg pennies), REQUIRED currency: 'USD', // currency code, REQUIRED //customer: locals.user.stripeCustomerId, required for setup intent //setup_future_usage: 'on_session', //automatic_payment_methods: { enabled: true } }
const paymentIntent = await stripe.paymentIntents.create(options)
return { clientSecret: paymentIntent.client_secret }}While the above example works fine, you will probably notice that instantiating a new Stripe object on every load is not ideal. We could instead create a singleton Stripe object in your app and export it.
lib/server/stripe.js
import { Stripe } from 'stripe'import { SECRET_STRIPE_KEY } from '$env/static/private'export default new Stripe(SECRET_STRIPE_KEY)+page.server.js
import stripe from '$lib/server/stripe'
export const load = async () => { const options = { price: 1000, currency: 'USD' }
const paymentIntent = await stripe.paymentIntents.create(options)
return { clientSecret: paymentIntent.client_secret }}Passing Options
Section titled “Passing Options”The Payment and Address components support all options available in the Stripe SDK.
For details about options available, see the Stripe Documentation:
Example: Passing Options
Section titled “Example: Passing Options”+page.svelte
<script> ... let addressOptions = { autocomplete: 'automatic', allowedCountries: ['US', 'CA'], blockPoBox: false, display: { name: 'split' } contacts: [{ name: 'Jenny Rosen', address: { line1: '185 Berry St.', city: 'San Francisco', state: 'CA', postal_code: '94941', country: 'US', } }] } ...</script>
...<Address publicKey={PUBLIC_STRIPE_KEY} {clientSecret} {addressOptions} bind:addressContainer />...Example: Passing Options from a Separate File
Section titled “Example: Passing Options from a Separate File”If preferred, your options can be set in a separate file and imported.
addressOptions.js
export default addressOptions = { // options}+page.svelte
import addressOptions from './addressOptions'...Customizing the Elements
Section titled “Customizing the Elements”The Payment and Address components support the Appearance API.
Pass appearance as part of the addressOptions or paymentOptions property to customize the appearance of the elements.
Example: Customizing the Elements
Section titled “Example: Customizing the Elements”+page.svelte
<script> ... let appearance = { theme: 'stripe' }
let addressOptions = { appearance ... } ...</script>