Grade your Stripe webhook handler in 30 seconds.
Most Stripe webhook bugs ship to production silently and surface as duplicate charges, missed disputes, or stale subscriptions. Describe your setup (or paste the handler code), get an A-F grade plus a per-finding fix.
What gets checked
Are you calling stripe.webhooks.constructEvent? Without it, the endpoint accepts spoofed events.
Is the same event id deduped? Stripe retries on non-200 responses and you do not want double side effects.
Does the handler respond in under 5 seconds? If not, Stripe retries. Heavy work goes to a queue.
checkout.session.completed, payment_intent.succeeded, charge.dispute.created, invoice.payment_failed, customer.subscription.deleted.
Hard-coded event shapes break across Stripe API versions.
Throwing on a parse error retries forever; logging the error and returning 200 is the pattern.
The free tier returns the grade and top findings. Paid full reports with copy-paste fix snippets per language are coming soon.
Hookscan is a Coldsmith side-project
Most of Coldsmith is about getting B2B prospects into your inbox. Hookscan is what we built to keep our own Stripe integration honest. The same audit tool, made public.