# Third-Party Implementation Standards
Standards for integrating external services into our applications. Each standard covers full setup, configuration, usage patterns, metadata conventions, and error handling specific to that service.
## Standards in This Folder
| File | Service | Covers |
|---|---|---|
| stripe.md | Stripe | Payment Intents, Checkout, Subscriptions, Webhooks, Metadata, Refunds |
| razorpay.md | Razorpay | Orders, Payment Verification, Subscriptions, Webhooks, Notes, Refunds |
| sendgrid.md | SendGrid | Setup, Template Decision, Dynamic Templates, Transactional Standards, Error Handling |
| gmail.md | Gmail | OAuth2, SMTP, Rate Limits, When to Use, When Not to Use |
## Core Principles
- API keys never in code — always in environment variables, never committed
- Secrets server-side only — Stripe secret key, Razorpay key_secret, SendGrid API key never exposed to the browser
- Webhook signatures always verified — before processing any payload
- Idempotency on webhooks — store event IDs, skip already-processed events
- Never 500 for business logic in webhooks — return 200 with a log entry instead
- Test mode before live — use test credentials locally and in staging, live keys only in production
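The three webhook principles above (verify the signature before anything else, deduplicate on the event ID, and acknowledge business-logic failures with a 200 plus a log line) are shown together in the following handler. This is an added illustration, not code from any of the service standards in this folder or from a provider SDK: the `t=<ts>,v1=<hex>` header format, the `<timestamp>.<body>` signing input, the 300-second tolerance, the sample secret and the sample events are all constructed for the example. In a real integration the provider's own SDK verifier replaces `verify_signature`, and the in-memory `seen` set becomes a database table with a unique constraint on the event ID.

```python
import hashlib
import hmac
import json
from typing import Callable, Set, Tuple

# Constructed sample secret for the example; a real secret lives in an environment variable.
WEBHOOK_SECRET = "whsec_example_constructed"


def _digest(payload: bytes, secret: str, timestamp: int) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' (generic scheme assumed for this example)."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def sign(payload: bytes, secret: str, timestamp: int) -> str:
    """Produce the signature header a provider would attach (used here to build test input)."""
    return f"t={timestamp},v1={_digest(payload, secret, timestamp)}"


def verify_signature(payload: bytes, header: str, secret: str, now: int, tolerance: int = 300) -> bool:
    """Check the header against the raw body: malformed header, stale timestamp or digest mismatch all fail."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        timestamp = int(parts["t"])
        provided = parts["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - timestamp) > tolerance:  # replayed old payload
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_digest(payload, secret, timestamp), provided)


def handle_webhook(
    raw_body: bytes,
    header: str,
    secret: str,
    seen: Set[str],
    process: Callable[[dict], None],
    now: int,
) -> Tuple[int, str]:
    """Return (http_status, log_message) following the folder's webhook rules."""
    # 1. Signature first: nothing from the body is trusted before this passes.
    if not verify_signature(raw_body, header, secret, now):
        return 400, "invalid signature"
    try:
        event = json.loads(raw_body)
        event_id = event["id"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed event"
    # 2. Idempotency: a redelivered event is acknowledged but not processed twice.
    if event_id in seen:
        return 200, f"duplicate {event_id} skipped"
    seen.add(event_id)
    # 3. Business-logic failures are logged and acknowledged; a 5xx would only make the provider retry.
    try:
        process(event)
    except Exception as exc:  # noqa: BLE001 - deliberately broad: any business error is logged, not raised
        return 200, f"business error logged for {event_id}: {exc}"
    return 200, f"processed {event_id}"


if __name__ == "__main__":
    # Constructed sample event, not a real provider payload.
    body = json.dumps({"id": "evt_constructed_1", "type": "payment.succeeded", "data": {"amount": 1000}}).encode()
    now = 1_700_000_000
    header = sign(body, WEBHOOK_SECRET, now)
    seen: Set[str] = set()
    print(handle_webhook(body, header, WEBHOOK_SECRET, seen, lambda e: None, now))
    print(handle_webhook(body, header, WEBHOOK_SECRET, seen, lambda e: None, now))  # duplicate
    print(handle_webhook(body, "t=1,v1=deadbeef", WEBHOOK_SECRET, seen, lambda e: None, now))  # rejected
```

The order of the checks is the point: the signature is verified on the raw bytes before the JSON is parsed, the dedup check runs before any side effect, and only a failure in `process` (the business logic) is converted into a 200 with a log message.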
