Purpose
Explain how PayPress handles multiple WordPress sites connected to the same Stripe account.
Overview
Stripe sends account-wide events to webhook endpoints on the same account. Without ownership validation, multiple WordPress installations could process the same Stripe transaction.
How It Works
PayPress marks Checkout-created Stripe objects with installation metadata. Each site compares incoming event metadata against its own installation UUID and ignores foreign events.
Important Components
- Separate WordPress databases.
- Shared Stripe account.
- Separate webhook endpoints.
- Installation UUID per site.
- Ownership resolver.
- Foreign event diagnostics.
- Installation-scoped refund idempotency.
Data Flow
Site A creates Checkout Session with UUID A -> Stripe sends event to endpoints for Site A and Site B -> Site A accepts -> Site B logs Foreign Event Ignored and does not create records.
Security Considerations
This protects orders, subscriptions, refunds, and diagnostics from cross-site contamination. It is required for agencies or merchants testing several sites against one Stripe account.
Known Limitations
Manual Stripe-created objects and old objects may not include ownership metadata. Legacy fallback is intentionally conservative.