# Stripe Payment And Webhook Test Runbook

## Required Stripe Dashboard Setup

- Test publishable key configured.
- Test secret key configured server-side only.
- Webhook signing secret configured server-side only.
- Connected organiser account configured in test mode.
- Endpoint subscribes to the exact event types used by the app, including checkout completion and any expiry/failure events the app handles.

## Required Tests

1. Successful Checkout Session completion.
   - Expected: signed webhook marks order paid and creates ticket, QR token, and ledger entries.
2. Unsigned actionable webhook.
   - Expected: rejected/signature_required; no ticket issuance.
3. Success redirect without webhook.
   - Expected: no paid status, no ticket issuance.
4. Duplicate webhook replay.
   - Expected: idempotent; no duplicate tickets/ledger.
5. Failed payment.
   - Expected: no ticket; clear customer state; seat hold release policy correct.
6. Expired Checkout Session.
   - Expected: order/hold state correct.
7. Connected account incomplete/disabled.
   - Expected: paid-event publishing or checkout blocks safely.
8. Amount/metadata tampering attempt.
   - Expected: server-calculated totals and metadata win; no underpayment.
9. SCA/3DS test card if supported.
   - Expected: customer challenge and final webhook state handled.
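
A minimal handler shape that tests 2, 3, 4 and 8 can be run against, given as an added example and not the app's own code. It checks the `Stripe-Signature` header (`t=` timestamp and `v1=` HMAC-SHA256 over `timestamp.payload`) with the standard library. Assumptions: the in-memory `Store`, the return strings other than `signature_required`, the 5-minute tolerance, and linking the order through `client_reference_id`.

```python
import hashlib, hmac, json

TOLERANCE_S = 300  # assumption: accept timestamps within 5 minutes

def _mac(payload: bytes, secret: str, ts: str) -> str:
    return hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()

def sign(payload: bytes, secret: str, ts: int) -> str:
    """Test helper: build a Stripe-Signature header for a constructed payload."""
    return f"t={ts},v1={_mac(payload, secret, str(ts))}"

def verify(payload: bytes, header: str, secret: str, now: int) -> bool:
    parts = [p.split("=", 1) for p in (header or "").split(",") if "=" in p]
    ts = next((v for k, v in parts if k == "t"), "")
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > TOLERANCE_S:
        return False
    expected = _mac(payload, secret, ts).encode()
    return any(hmac.compare_digest(expected, v.encode()) for k, v in parts if k == "v1")

def build_event(event_id: str, order_id: str, amount: int, currency: str = "gbp") -> bytes:
    """Constructed sample checkout.session.completed body (not captured traffic)."""
    session = {"client_reference_id": order_id, "amount_total": amount,
               "currency": currency, "payment_status": "paid"}
    return json.dumps({"id": event_id, "type": "checkout.session.completed",
                       "data": {"object": session}}).encode()

class Store:
    """In-memory stand-in for the orders, tickets and processed-events tables."""
    def __init__(self, orders):
        self.orders, self.seen, self.tickets = orders, set(), []

def handle_webhook(store: Store, payload: bytes, header: str, secret: str, now: int) -> str:
    if not verify(payload, header, secret, now):
        return "signature_required"          # test 2: nothing is parsed or issued
    event = json.loads(payload)
    if event["id"] in store.seen:
        return "duplicate"                   # test 4: replay is a no-op
    store.seen.add(event["id"])
    if event["type"] != "checkout.session.completed":
        return "ignored"
    session = event["data"]["object"]
    order = store.orders.get(session.get("client_reference_id"))
    if order is None or session.get("payment_status") != "paid":
        return "rejected"
    if (session.get("amount_total"), session.get("currency")) != (order["total"], order["currency"]):
        return "amount_mismatch"             # test 8: server-calculated total wins
    order["status"] = "paid"
    store.tickets.append(f"ticket-for-{session['client_reference_id']}")
    return "paid"
```

Only `handle_webhook` changes order state, so a success redirect on its own (test 3) leaves the order unpaid. In a real deployment the seen-event check and ticket creation belong in one database transaction keyed on the Stripe event ID.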

## Evidence To Capture

- Stripe event ID.
- Checkout Session ID.
- Order ID.
- Ticket IDs.
- QR token row count.
- Ledger rows and totals.
- Connected account ID (redacted).
- Screenshots/log snippets with secrets redacted.
