I am using Stripe for payments in my app. There are two Ids: payment_method_id and payment_intent_id. I noticed that when I try to use a payment_method with a different Stripe Customer, it doesn’t let me, so my guess is that it is not that secret. Are payment_intent_ids secret? If I store the payment_intent_id in a database for each transaction is that bad?
Answer
The PaymentIntent id (pi_123456) is really just an identifier and doesn’t have to be kept secret. No one can do anything with the id unless they have your Secret API key or the PaymentIntent’s client_secret.
It’s definitely common practice to store the PaymentIntent id in your database as a reference to the object in the API. It’s similar to how you can store a Customer id (cus_123) or its PaymentMethods ids (pm_123) in your database.
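
The split the answer describes, as an added example that is not part of the original answer or Stripe's own code: persist only the PaymentIntent id as a reference, and scrub the client_secret and Secret API key from anything that gets logged. The table layout, function names and sample values are constructed for illustration; the patterns assume Stripe's usual `pi_<id>_secret_<random>` client secret format and `sk_`/`rk_` key prefixes.

```python
import re
import sqlite3

# Assumption: a client secret embeds the PaymentIntent id as pi_<id>_secret_<random>.
CLIENT_SECRET_RE = re.compile(r"\b(pi_[A-Za-z0-9]+)_secret_[A-Za-z0-9]+")
# Assumption: secret and restricted API keys start with sk_/rk_ plus live/test.
API_KEY_RE = re.compile(r"\b((?:sk|rk)_(?:live|test))_[A-Za-z0-9]+")


def redact(text):
    """Scrub client secrets and API keys from a log line; bare ids are left alone."""
    text = CLIENT_SECRET_RE.sub(r"\1_secret_[REDACTED]", text)
    return API_KEY_RE.sub(r"\1_[REDACTED]", text)


def open_db(path=":memory:"):
    """Create the (hypothetical) payments table; note there is no secret column."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS payments ("
        "order_id TEXT PRIMARY KEY, payment_intent_id TEXT NOT NULL, status TEXT)"
    )
    return db


def record_payment(db, order_id, intent):
    """Store the PaymentIntent id as a reference; hand back the client_secret
    so the caller can pass it to the paying customer's client without persisting it."""
    db.execute(
        "INSERT INTO payments (order_id, payment_intent_id, status) VALUES (?, ?, ?)",
        (order_id, intent["id"], intent["status"]),
    )
    db.commit()
    return intent["client_secret"]


if __name__ == "__main__":
    # Constructed sample object shaped like a PaymentIntent; not real Stripe data.
    intent = {
        "id": "pi_CONSTRUCTED123",
        "status": "requires_payment_method",
        "client_secret": "pi_CONSTRUCTED123_secret_CONSTRUCTEDabc",
    }
    db = open_db()
    secret = record_payment(db, "order-1", intent)
    print(db.execute("SELECT * FROM payments").fetchall())
    print(redact(f"created {intent['id']} client_secret={secret} key=sk_test_CONSTRUCTEDKEY"))
```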