Purpose
Explain how PayPress decides whether a Stripe event belongs to the local WordPress installation.
Overview
Stripe webhook delivery is account-wide. If multiple PayPress installations use the same Stripe account, each endpoint can receive the same Stripe events. PayPress therefore validates ownership before creating or updating merchant-facing records.
How It Works
Checkout creation attaches installation metadata to Stripe objects. During webhook processing, PayPress compares the event ownership metadata with the local immutable installation UUID. Foreign events are logged and ignored with an HTTP 200 response.
Important Components
- Installation UUID.
- Origin site URL metadata.
- Webhook ownership resolver.
- Legacy fallback logic.
- Foreign event diagnostics.
- Existing local order/subscription relationship checks.
Data Flow
Webhook signature verified -> event parsed -> ownership resolved -> local event accepted, foreign event ignored, or legacy fallback evaluated -> only accepted events reach record persistence.
Security Considerations
Ownership validation prevents cross-site order contamination when multiple WordPress installations share a Stripe account. It should run before order creation, subscription creation, refund synchronization, and invoice enrichment.
Known Limitations
Older Stripe objects may not contain installation UUID metadata. PayPress uses controlled legacy fallback but should not create new merchant-facing records from unowned legacy objects.