notes

Stripe Connect Architecture Document

Overview

A Stripe Connect integration enabling orgs to accept payments from their contacts (customers). System supports:

Provider onboarding via iOS app for business setup and verification
Customer payments via PWA with multiple payment method support
Backend coordination managing Connect accounts, payment intents, and webhooks

Core Components:

Backend API: Stripe Connect account management, payment processing, webhook handling
iOS App: Provider (org member) onboarding flow (business details, identity verification, bank account setup)
PWA: Contact (customer) payment interface with Stripe Checkout

Data Model:

Org: Has contacts (customers), providers (members), and Connect account
Contact: Customer belonging to an org, associated with an account
Account: Can have multiple contacts (e.g., family members)
Provider: Org member who can request payments from contacts

Stripe Connect Model: Standard accounts with Express onboarding

Architecture

┌─────────────────────────────────────────────────────────────┐
│                        Customers (PWA)                      │
│  - View payment options                                      │
│  - Select payment method (Stripe, Venmo, etc.)              │
│  - Complete checkout via Stripe Checkout                    │
└───────────────────────┬─────────────────────────────────────┘
                        │
                        │ Payment Intent
                        ↓
┌─────────────────────────────────────────────────────────────┐
│                    Backend API (FastAPI)                    │
│  - Create payment intents                                   │
│  - Manage Connect accounts                                   │
│  - Process webhooks                                         │
│  - Record events to ledger                                  │
└───────────────┬───────────────────────────────┬─────────────┘
                │                               │
                │ Connect Account                │ Webhook Events
                │ Creation/Updates               │
                ↓                               ↓
┌───────────────────────────────┐  ┌──────────────────────────┐
│       Providers (iOS App)     │  │    Stripe Connect API    │
│  - Onboard via Express flow   │  │    - Account creation    │
│  - Complete verification      │  │    - Payment routing     │
│  - Link bank accounts         │  │    - Disbursements       │
└───────────────────────────────┘  └──────────────────────────┘

Payment Flow:

Provider Setup (iOS):
- Provider initiates onboarding → Backend creates Connect account → Redirect to Stripe Express
- Provider completes verification → Stripe webhook → Backend updates account status
- Provider can view account status and earnings
Customer Payment (PWA):
- Customer receives notification → Opens customer payment page
- Customer selects payment method (Stripe, Venmo, etc.) → Backend creates Checkout Session
- Customer completes Stripe Checkout → Payment captured → Funds split (platform + provider)
- Webhook received → Backend records payment event to ledger using metadata (contact_id, account_id, org_id)
Payouts:
- Automatic via Stripe (Express accounts handle transfers automatically)
- Backend tracks payout events via webhooks

Design Rationale

Why Stripe Connect?

Platform Model:

Modfin is the platform; providers (orgs) are the sellers
Customers pay platform; funds split to provider accounts
Platform takes processing fee; remainder goes to provider

Stripe Connect Benefits:

Express Accounts: Fastest onboarding, Stripe handles compliance
Automated Payouts: Transfers to provider bank accounts automatically
Webhook Infrastructure: Real-time payment and account status updates
Compliance: KYC/AML handled by Stripe (reduces platform liability)
Multi-party Payments: Native support for splitting funds platform + provider

Alternatives Considered:

Direct Stripe Integration:

❌ Providers would manage their own Stripe accounts
❌ No unified platform experience
❌ Customer sees different Stripe accounts per provider
❌ Complex reconciliation across accounts

Stripe Connect Custom:

❌ Custom onboarding (more engineering, compliance burden)
❌ Manual bank account verification
❌ More time to implement
✅ More control over UX

Stripe Connect Express (Chosen):

✅ Stripe handles onboarding flow
✅ Stripe handles compliance
✅ Fastest time to market
✅ Native iOS/Web SDK support
✅ Automatic payouts
✅ Minimal platform compliance exposure

Account Type: Express vs Custom vs Standard

Express (Chosen):

Onboarding: Stripe-hosted flow (redirect to Stripe dashboard)
Control: Providers manage account via Stripe dashboard link
Compliance: Fully handled by Stripe
Payouts: Automatic, configurable schedule
Best for: Marketplaces wanting fast onboarding, minimal compliance burden

Custom:

Onboarding: Platform builds own flow
Control: Full platform control over UX
Compliance: Platform must handle KYC/AML
Payouts: Platform controls transfers
Best for: Platforms needing complete brand control

Standard:

Onboarding: Providers create own Stripe accounts, link to platform
Control: Providers own accounts
Compliance: Handled by Stripe
Payouts: Providers control
Best for: Platforms connecting existing Stripe users

Decision: Express balances speed, compliance, and sufficient control for MVP.

Payment Processing Model

Stripe Connect offers multiple payment flow options. This architecture uses Destination Charges with Application Fees, which best fits Modfin’s marketplace model.

Payment Flow Options

Stripe Connect supports several payment patterns, each with different implications for fees, disputes, branding, and control:

1. Destination Charges with Application Fees (✅ Selected)

How it works:

# Payment appears on customer's card with PLATFORM name
payment_intent = stripe.PaymentIntent.create(
    amount=10000,  # $100.00
    currency='usd',
    application_fee_amount=320,  # Platform keeps $3.20 (2.9% + $0.30)
    transfer_data={
        'destination': connect_account_id,  # Provider gets $96.80 automatically
    }
)

Characteristics:

Customer sees: Platform name on card statement (e.g., “MODFIN”)
Platform: Pays Stripe fee (~2.9% + $0.30 on full amount), keeps application fee
Provider: Receives transfer automatically, pays NO Stripe fee
Disputes: Platform handles all disputes and customer service
Timing: Platform receives fee immediately; provider transfer happens on settlement (typically 2-3 days)

Pros:

✅ Simplest implementation: One PaymentIntent, automatic split
✅ Platform controls customer experience: Unified brand, centralized support
✅ Providers don’t pay Stripe fees: Simpler for providers, they only see net
✅ Automatic transfers: No manual intervention needed
✅ Single reconciliation point: One payment = one ledger entry per party

Cons:

❌ Platform handles all disputes: Support burden on platform
❌ Platform pays full Stripe fee: May need higher platform fee to cover costs
❌ Provider funds delayed: Transferred after settlement (2-3 days typically)

Best for: Marketplaces where platform brand is primary, platform wants control over customer experience.

Fee Example:

Customer pays: $100.00
└─ Stripe fee: $3.20 (platform pays this)
└─ Platform fee: $3.20 (platform keeps - covers Stripe cost)
└─ Provider receives: $96.80 (no fees deducted)
Net platform revenue: $0.00 (fee covers Stripe cost, or you can charge more)

2. Direct Charges (Alternative)

How it works:

# Payment appears on customer's card with PROVIDER name
payment_intent = stripe.PaymentIntent.create(
    amount=10000,
    currency='usd',
    on_behalf_of=connect_account_id,  # Provider's account
    transfer_data={
        'destination': connect_account_id,
    },
    application_fee_amount=320,  # Platform fee collected separately
)

Characteristics:

Customer sees: Provider name on card statement (e.g., “JOE’S YOGA STUDIO”)
Platform: Receives application fee, pays NO Stripe fee
Provider: Pays Stripe fee (~2.9% + $0.30) out of their portion
Disputes: Provider handles disputes and customer service
Timing: Provider receives funds directly from customer

Pros:

✅ Providers handle disputes: Reduces platform support burden
✅ Platform doesn’t pay Stripe fees: Can have lower platform fee
✅ Provider brand visibility: Providers see their name on customer statements
✅ Direct customer relationship: Providers interact with customers directly

Cons:

❌ Providers pay Stripe fees: Need to explain fees to providers
❌ More complex flow: Requires on_behalf_of parameter
❌ Less platform control: Providers manage customer experience
❌ Fragmented branding: Customers see different brands per provider

Best for: Platforms where providers want brand visibility and dispute responsibility.

Fee Example:

Customer pays: $100.00
└─ Stripe fee: ~$2.90 (provider pays this)
└─ Platform fee: $3.20 (platform keeps, doesn't pay Stripe)
└─ Provider receives: $100.00 - $2.90 - $3.20 = $93.90
Net platform revenue: $3.20 (pure profit, no Stripe cost)

3. Separate Charges + Transfers (Advanced)

How it works:

# Step 1: Charge customer on platform account
payment_intent = stripe.PaymentIntent.create(
    amount=10000,
    currency='usd',
    # No connect account involved initially
)

# Step 2: After payment succeeds, transfer to provider (can be delayed/batched)
transfer = stripe.Transfer.create(
    amount=9680,  # $100 - platform fee
    currency='usd',
    destination=connect_account_id,
)

Characteristics:

Customer sees: Platform name
Platform: Handles charge, creates transfers manually
Provider: Receives transfer (platform-controlled timing)
Disputes: Platform handles
Timing: Platform controls when transfers happen (can batch daily, weekly, etc.)

Pros:

✅ Full control over transfer timing: Can batch, hold funds, implement escrow
✅ Complex fee structures: Support multiple recipients, custom splits
✅ Escrow scenarios: Hold funds until service delivery

Cons:

❌ Two-step process: Charge + transfer (more complex reconciliation)
❌ Platform pays full Stripe fee: On the initial charge
❌ Manual transfer management: Requires idempotency and error handling
❌ Higher complexity: More code, more failure points

Best for: Platforms needing escrow, batching, or complex multi-party payment routing.

4. Payment Splits (Multiple Destinations)

How it works:

# Split single payment to multiple providers
payment_intent = stripe.PaymentIntent.create(
    amount=10000,
    currency='usd',
)

# After capture, create multiple transfers
transfer1 = stripe.Transfer.create(amount=5000, destination=provider1_account)
transfer2 = stripe.Transfer.create(amount=4000, destination=provider2_account)
# Platform keeps remaining as fee

Best for: Marketplaces where multiple providers contribute to a single purchase (e.g., group classes with multiple instructors).

Comparison Table

Aspect	Destination + Fees	Direct Charges	Separate + Transfer
Customer sees	Platform name	Provider name	Platform name
Platform pays Stripe fee?	Yes (on full amount)	No	Yes (on full amount)
Provider pays Stripe fee?	No	Yes (on their portion)	No
Who handles disputes?	Platform	Provider	Platform
Fund timing	Automatic on settlement	Direct to provider	Platform controlled
Complexity	Low	Medium	High
Brand control	Platform	Provider	Platform
Implementation	Simplest	Moderate	Most complex

Decision: Destination Charges with Application Fees

Why this flow for Modfin:

Simplest implementation for MVP
Platform controls customer experience
Automatic fee calculation and transfers
Can evolve to other flows later if needed

Checkout Flow Options

Two options for customer payment UI:

1. Stripe Checkout (Redirect) ✅ Selected for MVP

How it works:

Backend creates Checkout Session → returns checkout_url
Customer redirects to Stripe’s hosted payment page
Customer completes payment on Stripe’s page
Stripe redirects back to success/cancel URLs

Pros:

✅ Simplest implementation (no frontend Stripe.js required)
✅ PCI compliance handled by Stripe
✅ Mobile-optimized out of the box
✅ Supports all payment methods (cards, ACH, Apple Pay, Google Pay, etc.)
✅ Built-in success/cancel handling

Cons:

❌ Customer leaves your site (redirects away)
❌ Less control over payment form styling
❌ Requires redirect URLs for success/cancel

Best for: MVP, fast implementation, when redirect UX is acceptable

2. Stripe Elements (Embedded)

How it works:

Backend creates PaymentIntent → returns client_secret
Frontend loads Stripe.js Elements widget
Customer enters payment details in your page (embedded form)
Frontend calls stripe.confirmPayment() with client_secret
Payment processes without leaving your site

Pros:

✅ Customer stays on your site (no redirect)
✅ Full control over form styling and UX
✅ Seamless brand experience

Cons:

❌ More complex implementation (frontend Stripe.js required)
❌ PCI compliance requires careful handling (Stripe.js helps)
❌ More frontend code and error handling
❌ Payment method limitations (cards primarily, fewer wallet options)

Best for: When brand consistency and no-redirect UX are critical

Decision: Stripe Checkout (redirect) for MVP - simpler, faster to implement, full payment method support. Can migrate to Elements later if needed.

Platform Control:
- Unified customer experience (all payments show “Modfin” brand)
- Centralized customer support
- Consistent payment UI across all providers
Simplified Provider Experience:
- Providers don’t need to understand Stripe fees
- They see simple net amounts
- No dispute handling burden on providers
Implementation Simplicity:
- Single API call creates payment and split
- Automatic transfers (no manual management)
- Straightforward reconciliation
Customer Trust:
- Customers pay Modfin (recognized platform brand)
- Consistent billing experience
- Platform handles all customer issues

Trade-offs Accepted:

Platform handles all disputes (acceptable for marketplace model)
Platform pays Stripe fees (can be covered by platform fee)
Provider funds delayed 2-3 days (standard for marketplace payouts)

When to Consider Direct Charges:

Providers want their brand on statements
Platform wants to offload dispute handling
Platform wants to avoid paying Stripe fees directly

Implementation:

# Platform fee: 2.9% + $0.30
# Provider receives: remainder

def calculate_platform_fee(amount_cents: int) -> int:
    """Calculate platform fee: 2.9% + $0.30."""
    percentage_fee = int(amount_cents * (PLATFORM_FEE_PERCENT / 100))
    fixed_fee = PLATFORM_FEE_FIXED
    return percentage_fee + fixed_fee

payment_intent = stripe.PaymentIntent.create(
    amount=amount_cents,
    currency='usd',
    application_fee_amount=calculate_platform_fee(amount_cents),
    transfer_data={
        'destination': connect_account_id,  # Provider's Connect account
    },
    metadata={
        'contact_id': contact_id,  # From token/DB lookup
        'account_id': account_id,   # From token/DB lookup
        'org_id': org_id,          # From token/DB lookup
    }
)

Rationale Summary:

Single PaymentIntent, automatic split
Platform receives fee immediately
Provider receives transfer automatically (after settlement)
Simplified reconciliation (one payment = one ledger entry per party)
Platform maintains brand consistency and customer experience

Database Schema

Stripe Connect via Connectors Table

Stripe Connect accounts are managed through the existing connectors table using the connector service pattern. This approach:

Uses existing connector infrastructure (status flow, policies, encryption)
Stores Stripe Connect data in connector’s public JSONB field
Leverages connector status: new → verifying → ready
Follows org_singleton policy (one Stripe Connect account per org)

No new tables needed - Stripe Connect is a connector service like Venmo.

Connector Service Configuration

Add Stripe to connector services:

# api/connectors/consts.py

class ConnectorService(enum.StrEnum):
    venmo = 'venmo'
    stripe = 'stripe'  # Add Stripe Connect

class ServiceConfig(utils.NamespaceEnum):
    venmo = dict(policy=ServicePolicy.org_singleton, processor=ServiceProcessor.none)
    stripe = dict(
        policy=ServicePolicy.org_singleton,  # One Connect account per org
        processor=ServiceProcessor.backend   # Uses status flow (new->verifying->ready)
    )

Stripe Connect Data in Connector Schema

Connector public JSONB field structure:

# api/connectors/schemas.py
import enum

class StripeCapability(enum.StrEnum):
    """Stripe Connect account capabilities."""
    charges = 'charges'
    payouts = 'payouts'
    details = 'details'

class StripeConnectorPublic(helpers.BaseModel):
    """Stripe Connect account data stored in connector.public JSONB field."""
    # Stripe Connect Account ID (from Stripe API)
    stripe_account_id: str
    
    # Account capabilities (instead of boolean flags)
    capabilities: list[StripeCapability] = []
    
    # Cached onboarding URL (expires after 24 hours)
    # Stored to avoid regenerating if user returns to complete onboarding
    # Expiration checked via connector.updated_at when status is 'verifying'
    onboarding_url: str | None = None      # Stripe Express onboarding link
    
    # Note: account_link_url (dashboard access) is NOT stored - generated on-demand via POST /account-link
    
    # Optional: additional Stripe account metadata
    country: str | None = None              # Account country code
    business_type: str | None = None       # 'individual' or 'company'
    requirements: dict | None = None        # Current/past_due requirements from Stripe

class StripeConnectorMixin(helpers.BaseModel):
    service: Literal[consts.Service.stripe]
    public: StripeConnectorPublic | None = None

Connector status flow for Stripe Connect:

new: Connect account created, onboarding URL generated
verifying: Onboarding in progress (user completing Stripe Express flow)
ready: Account fully onboarded (StripeCapability.charges in capabilities, can accept payments)
failed: Onboarding failed or account restricted
released: Account was ready but is now disabled

Connector public field example:

{
  "stripe_account_id": "acct_1234567890",
  "capabilities": ["charges", "payouts", "details"],
  "onboarding_url": null,  // null after onboarding complete, or if expired (checked via connector.updated_at)
  "country": "US",
  "business_type": "individual"
}

Finding Stripe Connect Account

# Get Stripe connector for an org
connector = await OrgWideConnector.get_latest(
    dbs,
    owner_id=org_id,
    service=consts.Service.stripe,
    latest_mode=consts.ConnectorLatest.available
)

if connector and connector.public:
    stripe_data = connector.public  # Direct access, no nesting
    account_id = stripe_data.get('stripe_account_id') if isinstance(stripe_data, dict) else stripe_data.stripe_account_id
    capabilities = stripe_data.get('capabilities', []) if isinstance(stripe_data, dict) else getattr(stripe_data, 'capabilities', [])
    has_charges = StripeCapability.charges.value in capabilities

Migration: Add Stripe Service

No schema changes needed - just add the service enum value:

-- If using ENUM (may need migration depending on schema)
-- Otherwise, just add to Python enum, no DB change
ALTER TYPE service ADD VALUE IF NOT EXISTS 'stripe';

Webhook Events Table (service-agnostic)

CREATE TABLE webhook_events (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    
    -- Event Identification
    service VARCHAR(50) NOT NULL,  -- Connector service: 'stripe', 'venmo', etc.
    event_id VARCHAR(255) NOT NULL,  -- External event ID (from service provider)
    event_type VARCHAR(255) NOT NULL,
    account_id VARCHAR(255),  -- Service-specific account ID (e.g., Connect account ID for Stripe)
    
    -- Event Data
    event_data JSONB NOT NULL,
    
    -- Processing
    processed BOOLEAN DEFAULT FALSE,
    processed_at TIMESTAMP,
    error_message TEXT,
    
    -- Metadata
    created_at TIMESTAMP NOT NULL DEFAULT NOW(),
    
    UNIQUE(service, event_id),  -- Prevent duplicate events per service
    INDEX idx_service_event_id (service, event_id),
    INDEX idx_event_type (event_type),
    INDEX idx_processed (processed),
    INDEX idx_account_id (account_id),
    INDEX idx_service (service)
);

REST API Endpoints

Connect Account Management

Note: Stripe Connect accounts are managed via the existing connector endpoints:

POST   /v1/connectors/org/id/{org_id}/connector/service/stripe
       Creates Connect Express account via connector pattern
       Returns: Connector object with Stripe account data (including onboarding_url if needed)

GET    /v1/connectors/org/id/{org_id}/connector/service/stripe
       Returns connector with Stripe Connect account data
       Returns: Connector object with public.stripe_account_id, public.capabilities, etc.
       (Uses existing connector GET endpoints - no separate endpoint needed)

POST   /v1/connectors/id/{connector_id}/refresh
       Generic connector refresh endpoint (for account links and other connector operations)
       Body: { type?: 'account_onboarding' | 'account_update' }  # For Stripe account links
       Returns: { url: string }  # Account link URL, or connector-specific refresh data
       
       Note: For Stripe, generates fresh account link URLs (expire after 24 hours).
       Can be extended for other connector refresh operations.

Customer Payment Processing

POST   /v1/payments/customer/service/{service}/checkout
       Creates checkout session for customer payment
       Headers: Authorization (customer token from SMS notification)
       Body: {
         amount: decimal,
         currency: string,
         description?: string,
         flow?: 'redirect' | 'embedded'  // Optional: 'redirect' (default) or 'embedded'
       }
       Returns: { checkout_url: string } OR { client_secret: string }
       
       Token contains (from SMS notification):
       - contact_id (contact/customer making payment - contact belongs to org)
       - account_id (account the contact is associated with - account can have multiple contacts)
       - org_id (the org - has the Connect account, has provider as member, has contact as customer)
       
       Note: Contact and provider belong to the same org. Payment: Contact → Org.
       Uses Stripe Checkout (redirect) by default. Supports Elements widget (embedded) flow.
       Metadata (contact_id, account_id, org_id) encoded in PaymentIntent for webhook processing.

Webhooks

POST   /v1/payments/webhooks/stripe
       Receives Stripe Connect webhook events
       Headers: stripe-signature (for verification)
       Processes: account updates, payment events, payout events
       
       Note: Separate webhook endpoint from subscriptions (/v1/subscriptions/webhooks/stripe).
       Uses STRIPE_CONNECT_WEBHOOK_SECRET (subscriptions use STRIPE_WEBHOOK_SECRET).

Backend Implementation

Project Structure

api/
├── payments/
│   ├── __init__.py
│   ├── config.py              # Stripe API keys, webhook secrets
│   ├── connect.py              # Connect account operations (via connectors)
│   ├── stripe.py               # Stripe Connect operations (checkout, webhooks)
│   └── routes.py               # API routes
│
├── connectors/
│   ├── models.py               # OrgWideConnector (used for Stripe Connect)
│   ├── schemas.py              # StripeConnectorMixin (extends schemas)
│   ├── consts.py               # Service.stripe enum added here
│   └── ...                     # Existing connector infrastructure

Note: Stripe Connect uses the existing connectors infrastructure. No separate models/crud needed.

Stripe Configuration

# api/payments/config.py
import os
import stripe

stripe.api_key = os.environ.get('STRIPE_SECRET_KEY')
STRIPE_CONNECT_WEBHOOK_SECRET = os.environ.get('STRIPE_CONNECT_WEBHOOK_SECRET')  # Separate from STRIPE_WEBHOOK_SECRET used for subscriptions
STRIPE_CONNECT_CLIENT_ID = os.environ.get('STRIPE_CONNECT_CLIENT_ID')  # OAuth client ID (if using OAuth flow)

# Platform fee configuration
PLATFORM_FEE_PERCENT = float(os.environ.get('STRIPE_PLATFORM_FEE_PERCENT', '2.9'))
PLATFORM_FEE_FIXED = int(float(os.environ.get('STRIPE_PLATFORM_FEE_FIXED', '0.30')) * 100)  # cents

Connect Account Operations (via Connector Pattern)

create_connect_account:

Create Stripe Connect Express account via Stripe API:
- type=’express’
- country, email
- metadata: org_id
- capabilities: card_payments, transfers (requested)
Create onboarding account link via Stripe API:
- type=’account_onboarding’
- refresh_url and return_url (PWA URLs)
Create/upsert connector with:
- service=’stripe’
- public.stripe_account_id = Stripe account ID
- public.capabilities = [] (no capabilities yet)
- public.onboarding_url = account link URL (cached)
- status = ‘verifying’ (indicates onboarding started)
Return connector

get_connect_account:

Query OrgWideConnector by owner_id (org_id) and service=’stripe’
Return latest available connector or None

is_onboarding_url_expired:

If connector missing or updated_at missing, return True
If connector.status != ‘verifying’, return True
Calculate expiration: connector.updated_at + 24 hours
Return True if current time > expiration, else False

get_account_status:

Get connector for org_id
If no connector or no public data, return None
Retrieve latest account status from Stripe API
Build capabilities list from Stripe account:
- If charges_enabled → add ‘charges’
- If payouts_enabled → add ‘payouts’
- If details_submitted → add ‘details’
Update connector.public.capabilities
Clear onboarding_url if:
- Account has ‘charges’ capability (fully onboarded), OR
- onboarding_url exists and is_expired()
Determine connector status:
- Has ‘charges’ → ready
- Has ‘details’ (but not ‘charges’) → verifying
- Otherwise → new
Update connector if status or capabilities changed
Return account_id, capabilities, requirements, connector_status, onboarding_url

create_account_link:

Get connector for org_id
Extract stripe_account_id from connector.public
Create Stripe AccountLink:
- type: ‘account_onboarding’ or ‘account_update’
- refresh_url and return_url
If type = ‘account_onboarding’:
- Update connector.public.onboarding_url (cache for user to return)
Return { url: account_link.url }

Stripe Checkout and Webhook Processing

Note: This implementation uses Destination Charges with Application Fees. See “Payment Processing Model” section above for detailed comparison of all flow options.

Platform Fee Calculation:

Calculate percentage fee: amount_cents × 2.9%
Add fixed fee: $0.30 (30 cents)
With Destination Charges flow:
- Platform pays Stripe fee on full amount
- Platform keeps application_fee_amount as revenue
- Provider receives remainder with no Stripe fees deducted

Checkout Session Creation (Redirect Flow):

Convert amount to cents
Calculate platform fee (2.9% + $0.30)
Create Stripe Checkout Session with:
- application_fee_amount (platform fee)
- transfer_data.destination (provider’s Connect account ID)
- metadata (contact_id from token, account_id from token, org_id from token - the org)
- line_items (amount, currency, description)
- success_url and cancel_url
Return checkout_url

PaymentIntent Creation (Elements Widget Flow):

Convert amount to cents
Calculate platform fee (2.9% + $0.30)
Create Stripe PaymentIntent with:
- application_fee_amount (platform fee)
- transfer_data.destination (provider’s Connect account ID)
- metadata (contact_id from token, account_id from token, org_id from token - the org)
- automatic_payment_methods enabled
Return client_secret

Webhook Processing

process_webhook:

Extract payload and signature from request
Verify webhook signature using STRIPE_CONNECT_WEBHOOK_SECRET
- Note: Separate from STRIPE_WEBHOOK_SECRET used for subscriptions webhooks
If invalid signature, return error 400
Store event in webhook_events table for audit/replay
Route to handler based on event.type:
- account.updated → handle_account_updated
- payment_intent.succeeded → handle_payment_succeeded
- payment_intent.payment_failed → handle_payment_failed
- transfer.created → handle_transfer_created
- payout.paid → handle_payout_paid
Return { received: true }

handle_account_updated:

Extract account_id from event.data.object
Find connector by stripe_account_id in connector.public JSONB field
If connector not found, log warning and return
Build capabilities list from Stripe account status:
- If charges_enabled → add ‘charges’
- If payouts_enabled → add ‘payouts’
- If details_submitted → add ‘details’
Determine connector status from capabilities:
- Has ‘charges’ → ready
- Has ‘details’ (but not ‘charges’) → verifying
- Otherwise → new
Update connector.public.capabilities and connector.status
Dispatch event for app-side notifications

handle_payment_succeeded:

Extract payment_intent from event.data.object
Extract metadata (contact_id, account_id, org_id)
If metadata missing, log warning and return
Convert amount from cents to dollars
Create ledger event with:
- org_id, event=’payment’, amount, currency
- metadata: payment_intent_id, contact_id, account_id, payment_method=’stripe’

store_webhook_event:

Insert into webhook_events table:
- service=’stripe’
- event_id (Stripe event ID)
- event_type
- account_id (Connect account ID if present)
- event_data (full event JSON)

API Routes

POST /v1/payments/customer/service/{service}/checkout

Authentication: customer token (from SMS notification)
Body: { amount: decimal, currency: string, description?: string, flow?: ‘redirect’ | ‘embedded’ // Optional: ‘redirect’ (default) or ‘embedded’ }
Response: { checkout_url: string } OR { client_secret: string }

Logic:

Validate amount and currency are provided
Extract identifiers from customer token:
- contact_id (contact/customer making payment - belongs to org)
- account_id (account contact is associated with - can have multiple contacts)
- org_id (the org - has Connect account, has provider as member, has contact as customer)
Get flow type from body (default: ‘redirect’)
Find connector for service:
- Query OrgWideConnector by owner_id=org_id, service=service
- (org_id is the org where Connect account is set up and where contact/provider belong)
Validate connector exists and is configured
For Stripe service:
- Validate connector has ‘charges’ capability
- Extract connect_account_id from connector.public.stripe_account_id
If flow = ‘redirect’ (or not specified):
- Create Stripe Checkout Session
- Return { checkout_url: string }
If flow = ‘embedded’:
- Create Stripe PaymentIntent
- Return { client_secret: string }

POST /v1/payments/webhooks/stripe

Authentication: None (signature verification via Stripe webhook secret)
Body: Stripe webhook event payload
Response: { received: true }

Logic:

Call stripe.process_webhook(request, db_session)
Returns { received: true }

Dependencies

# api/requirements.txt (additions)
stripe>=7.0.0

Environment Variables

# .env
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLIC_KEY=pk_test_...  # For client-side (if needed)
STRIPE_CONNECT_WEBHOOK_SECRET=whsec_...  # Separate webhook secret for Connect (subscriptions use STRIPE_WEBHOOK_SECRET)
STRIPE_PLATFORM_FEE_PERCENT=2.9
STRIPE_PLATFORM_FEE_FIXED=0.30

iOS App Implementation (Provider Onboarding)

Project Structure

Underboss/
├── APIs/
│   └── ConnectorsAPI.swift           # Existing API - add refresh() method
├── Stores/
│   └── ConnectorStore.swift          # Existing store - use with service='stripe'
├── Views/
│   └── StripeConnect/
│       ├── OnboardingView.swift      # Onboarding entry point
│       ├── AccountStatusView.swift   # Account status dashboard
│       └── OnboardingCompleteView.swift

API Client

Uses existing ConnectorsAPI (add refresh method):

createConnector(orgId, service='stripe'):
- POST to /v1/connectors/org/id/{orgId}/connector/service/stripe
- Include auth token in Authorization header
- Returns Connector object with public.onboarding_url, public.stripe_account_id
getConnector(orgId, service='stripe'):
- GET from /v1/connectors/org/id/{orgId}/connector/service/stripe
- Include auth token in Authorization header
- Returns Connector object with public (stripe_account_id, capabilities, onboarding_url), status

refresh(connectorId, body):

POST to /v1/connectors/id/{connectorId}/refresh with body: { type?: “account_onboarding” “account_update” }

Include auth token in Authorization header
Returns { url: string } (account link URL for Stripe)

Store (State Management)

Uses existing Store.connector:

Use Store.connector.get(connectorId) to load connector
Use ConnectorsAPI.createConnector(orgId, service=’stripe’) to create
Call ConnectorsAPI.refresh(connectorId, body) directly (not through store) for refresh endpoint

Onboarding View

OnboardingView:

Get connector ID (from orgId/service lookup or passed as parameter)
On view appear:
- Call Store.connector.get(connectorId)
If isLoading:
- Show ProgressView
If connector exists:
- Extract capabilities from connector.public.capabilities
- If ‘charges’ in capabilities:
  - Show OnboardingCompleteView
- Else:
  - Show “Complete Your Payment Setup” message
  - Show “Continue Setup” button
  - On button tap:
    - If connector.public.onboarding_url exists: use it
    - Else: Call ConnectorsAPI.createConnector(orgId, service=’stripe’) then call Store.connector.get(newConnectorId)
    - Open onboarding URL in SafariViewController (sheet modal)
If error exists:
- Display error message
When SafariViewController dismissed:
- Reload connector via Store.connector.get(connectorId) to check if onboarding completed

SafariView wrapper:

Create UIViewControllerRepresentable wrapper around SFSafariViewController
Display Stripe onboarding URL in Safari
Handle modal dismissal

Account Status View

AccountStatusView:

Get connector ID (from orgId/service lookup or passed as parameter)
On view appear:
- Call Store.connector.get(connectorId)
Display status indicator:
- Extract capabilities from connector.public.capabilities
- If ‘charges’ in capabilities: green checkmark + “Account Ready”
- Else: orange exclamation + “Setup Incomplete”
If ‘charges’ in capabilities:
- Display status rows:
  - Charges: check if ‘charges’ in capabilities
  - Payouts: check if ‘payouts’ in capabilities
- Show “View Stripe Dashboard” button
- On button tap:
  - Call ConnectorsAPI.refresh(connectorId, body: { type: “account_update” })
  - Open URL from response in SafariViewController (sheet modal)
If isLoading:
- Show ProgressView

Integration into Onboarding Flow

Add Stripe Connect to onboarding:

Add stripeConnect case to existing OnboardingItem enum
Define title: “Payment Setup”
Define description: “Connect your bank account to receive payments”
In OnboardingProgressView:
- If item == .stripeConnect:
  - Show NavigationLink to StripeConnectOnboardingView(orgId)

PWA Implementation (Customer Payments)

Project Structure

pwa/
├── app/
│   └── payment/
│       ├── page.tsx               # Payment page
│       ├── success/
│       │   └── page.tsx           # Success page
│       └── cancel/
│           └── page.tsx           # Cancel page
├── lib/
│   └── api/
│       └── payments.ts            # Payments API client

API Client

paymentsAPI.createCheckout:

POST to /v1/payments/customer/service/{service}/checkout
Include customer token in Authorization header (from SMS notification)
Body: { amount, currency, description?, flow? }
Returns: { checkout_url: string } OR { client_secret: string }

Payment Page

PaymentPage component:

Load payment details (amount, currency, description) from customer account/notification context
Query available payment methods (connectors) for customer’s org
Display payment details:
- Amount and currency
- Description
Display available payment methods:
- Filter to show only available methods
- For each method: Show button with service name
On payment method button click:
- Set loading state for selected service
- Call paymentsAPI.createCheckout(service, { amount, currency, description, flow })
- If flow=’redirect’ (or not specified):
  - Redirect to checkout_url (window.location.href)
- If flow=’embedded’:
  - Use client_secret with Stripe Elements widget (embedded payment form)
Handle errors:
- Display error message if checkout creation fails
- Reset loading state

Success Page

PaymentSuccessPage component:

Extract session_id from URL query params (if available)
Display success message:
- Green checkmark icon
- “Payment Successful!” heading
- Confirmation message
Show “Return Home” button that navigates to home page

Cancel Page

PaymentCancelPage component:

Display cancel message:
- Orange X icon
- “Payment Cancelled” heading
- Message that payment wasn’t completed
Show action buttons:
- “Go Back” button (router.back())
- “Return Home” button (router.push(‘/’))

Security Considerations

Webhook Verification

Critical: Always verify webhook signatures to prevent spoofed events.

# api/payments/stripe.py (webhook processing functions)
import stripe

event = stripe.Webhook.construct_event(
    payload, sig_header, STRIPE_CONNECT_WEBHOOK_SECRET
)

Environment Variables:

Store STRIPE_CONNECT_WEBHOOK_SECRET securely (AWS Secrets Manager in production)
- Separate from STRIPE_WEBHOOK_SECRET used for subscriptions webhooks
- Both use different webhook endpoints: /v1/payments/webhooks/stripe (Connect) vs /v1/subscriptions/webhooks/stripe (subscriptions)
Use different secrets for test vs. live mode
Rotate secrets if compromised

API Authentication

Provider Endpoints:

Require org authentication (org_acls with Resource.payments)
Verify user has permission to manage Connect account
Validate org_id matches authenticated user’s org

Customer Endpoints:

Customer checkout endpoint requires customer token from SMS notification (contains contact_id, account_id, org_id)
Consider rate limiting to prevent abuse
Validate connector exists and is ready before creating checkout

PCI Compliance

PCI DSS Scope Reduction:

Stripe Checkout: Stripe handles all card data (PCI SAQ A)
No card storage: Never store card numbers or CVV
Stripe.js: If using Elements, Stripe.js tokenizes cards (never touch raw card data)

Best Practices:

Use Stripe Checkout (simplest, lowest PCI scope)
If custom UI needed, use Stripe Elements (still SAQ A)
Never log card data or sensitive payment information
Use HTTPS everywhere

Account Security

Connect Account Access:

Providers access their account via Stripe dashboard (secure, Stripe-managed)
Platform can create account links with expiration
Monitor for suspicious activity via webhooks

Platform Fee Calculation:

Calculate fees server-side only
Never trust client-provided fee amounts
Validate fees are within acceptable range

Testing Strategy

Backend Testing

# api/stripe/tests.py
import pytest
from unittest.mock import patch, MagicMock

async def test_create_connect_account(dbs):
    """Test Connect account creation."""
    with patch('stripe.Account.create') as mock_create:
        mock_account = MagicMock()
        mock_account.id = 'acct_123'
        mock_create.return_value = mock_account
        
        result = await connect.create_connect_account(
            org_id='org_123',
            email='test@example.com'
        )
        
        assert result['account_id'] == 'acct_123'
        assert 'onboarding_url' in result

async def test_checkout_session_creation(dbs):
    """Test checkout session creation with Connect."""
    with patch('stripe.checkout.Session.create') as mock_create:
        mock_session = MagicMock()
        mock_session.id = 'cs_test_123'
        mock_session.url = 'https://checkout.stripe.com/...'
        mock_create.return_value = mock_session
        
        result = await stripe.create_checkout_session(
            amount=Decimal('100.00'),
            currency='USD',
            connect_account_id='acct_123',
            org_id='org_123',
            contact_id='contact_123',
            account_id='account_123',
            description='Test payment',
        )
        
        assert 'checkout_url' in result
        mock_create.assert_called_once()

async def test_webhook_processing(dbs):
    """Test webhook event processing."""
    event = {
        'id': 'evt_123',
        'type': 'payment_intent.succeeded',
        'data': {
            'object': {
                'id': 'pi_123',
                'amount': 10000,
                'currency': 'usd',
                'metadata': {
                    'contact_id': 'contact_123',
                    'account_id': 'account_123',
                    'org_id': 'org_123',
                },
                'created': 1234567890,
            }
        }
    }
    
    with patch('stripe.Webhook.construct_event', return_value=event):
        await stripe.handle_payment_succeeded(event)
        
        # Verify event stored
        stored = await crud.get_webhook_event(dbs, service='stripe', event_id='evt_123')
        assert stored is not None
        assert stored.processed is True

Stripe Test Mode

Test Cards:

4242 4242 4242 4242 - Success
4000 0000 0000 0002 - Card declined
4000 0000 0000 9995 - Insufficient funds

Test Scenarios:

Successful payment
Failed payment
Account onboarding flow
Payout events

Webhook Testing:

Use Stripe CLI: stripe listen --forward-to localhost:8000/v1/payments/webhooks/stripe
Trigger test events: stripe trigger payment_intent.succeeded

Integration Testing

End-to-End Flow:

Create Connect account (iOS app → Backend → Stripe)
Complete onboarding (Stripe dashboard)
Customer receives notification → Opens payment page
Customer selects Stripe → Backend creates checkout session
Customer completes payment (PWA → Stripe Checkout)
Verify webhook processing
Verify ledger entry created with contact_id, account_id from metadata

Deployment Checklist

Backend

Stripe API keys configured (test and live)
Webhook secret stored securely
Webhook endpoint registered in Stripe Dashboard
Database migrations run (connect accounts, webhook events tables)
Environment variables set (fee percentages, URLs)
CORS configured for PWA domain
Rate limiting enabled on webhook endpoint

iOS App

Stripe Connect onboarding integrated
Account status view implemented
Error handling for failed onboarding
Deep linking from onboarding completion

PWA

Payment page created
Success/cancel pages implemented
Checkout session creation integrated
Error handling for failed checkout
Payment status polling (optional)

Stripe Dashboard

Connect application created
Webhook endpoint configured
Webhook events subscribed (account.updated, payment_intent.*, etc.)
Test mode verified
Live mode activated (when ready)

Future Enhancements

Phase 2: Enhanced Features

Alternative Payment Flows:

Direct Charges: Support provider-branded payments (provider name on statements)
- Use on_behalf_of parameter in PaymentIntent
- Providers handle disputes and pay Stripe fees directly
- Platform earns pure revenue (no Stripe fees)
- See “Payment Processing Model” section for detailed comparison
Payment Splits: Support multiple providers per payment
- Group classes, multi-instructor services
- Automatic split calculation and transfers
Separate Charges + Transfers: Advanced escrow/batching
- Hold funds until service delivery
- Batch transfers for operational efficiency
- Platform-controlled payout timing

Multi-Currency Support:

Support payments in multiple currencies
Convert platform fees appropriately
Handle currency-specific Connect accounts (if needed)

Payout Scheduling:

Customizable payout schedules (daily, weekly, monthly)
Minimum payout thresholds
Payout notifications

Payment Methods:

ACH/SEPA support (for lower fees)
Apple Pay / Google Pay integration
Saved payment methods (Stripe Customers)

Advanced Connect Features:

Custom accounts (more control, requires more compliance)
OAuth flow (alternative to Express onboarding)
Account requirements monitoring
Automatic retry for failed requirements

Phase 3: Analytics & Reporting

Provider Dashboard:

Earnings overview
Transaction history
Payout timeline
Fee breakdown

Platform Analytics:

Total processed volume
Platform fee revenue
Provider onboarding metrics
Payment success rates

Phase 4: Compliance & Risk

KYC/AML:

Monitor account requirements (via webhooks)
Notify providers of missing requirements
Block payments if account is restricted

Fraud Prevention:

Integrate Stripe Radar (fraud detection)
Review flagged payments
Manual review workflow

Dispute Management:

Webhook handling for chargebacks
Dispute creation tracking
Provider notifications

Troubleshooting

Common Issues

“Account not ready for payments”

Check StripeCapability.charges is in capabilities array
Verify account requirements are met
Check account status in Stripe Dashboard

“Webhook signature verification failed”

Verify STRIPE_CONNECT_WEBHOOK_SECRET matches Stripe Dashboard (not STRIPE_WEBHOOK_SECRET used for subscriptions)
Ensure raw request body is used (not parsed JSON)
Check webhook timestamp is not too old
Confirm correct webhook endpoint: /v1/payments/webhooks/stripe for Connect vs /v1/subscriptions/webhooks/stripe for subscriptions

“PaymentIntent creation failed”

Verify Connect account ID is valid
Check account has StripeCapability.charges in capabilities array
Ensure platform fee calculation is correct
Verify amount is within Stripe limits

“Onboarding URL expired”

Account links expire after 24 hours
Create new account link when needed
Consider implementing refresh mechanism

References

Appendix: Environment Variables Reference

# Backend (.env)
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLIC_KEY=pk_test_...
STRIPE_CONNECT_WEBHOOK_SECRET=whsec_...  # Connect webhook secret (subscriptions use STRIPE_WEBHOOK_SECRET)
STRIPE_PLATFORM_FEE_PERCENT=2.9
STRIPE_PLATFORM_FEE_FIXED=0.30
PWA_URL=https://app.modfin.io

# iOS (Info.plist or environment)
STRIPE_PUBLISHABLE_KEY=pk_test_...  # If using Stripe SDK client-side

# PWA (.env.local)
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_...  # If using Stripe.js

Change Log

2024-01-XX: Initial architecture document created
- Express Connect accounts
- PaymentIntent with platform fees
- Webhook processing
- iOS onboarding flow
- PWA checkout flow