Stripe Connect Express scaffolding for ɳCloud MAX operators. Handles platform account onboarding for tenant operators, Checkout Session creation under connected accounts, entitlement cache management, and dual webhook processing (platform + Connect channels). Tokens are encrypted at rest via pgcrypto when `NSELF_DB_ENCRYPTION_KEY` is set.
This plugin is used internally by nSelf Cloud infrastructure. It is not available to self-hosted operators and does not appear in `nself plugin list`.
```bash
nself plugin install nself-stripe
nself build
nself start
```

```bash
# Start Connect Express onboarding for a tenant
curl -X POST https://api.yoursite.com/onboard \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"entity_id": "tenant-abc"}'
# Returns: {"url": "https://connect.stripe.com/setup/..."}

# Check entitlement after checkout
curl https://api.yoursite.com/entitlement/tenant-abc/video-streaming \
  -H "Authorization: Bearer $ADMIN_TOKEN"
# Returns: {"allowed": true, "cached_at": "2026-05-01T10:00:00Z"}
```

| Variable | Required | Description |
|---|---|---|
| `STRIPE_PLATFORM_SECRET_KEY` | Yes | Platform Stripe secret key (`sk_live_...` or `sk_test_...`) |
| `STRIPE_PLATFORM_WEBHOOK_SECRET` | Yes | HMAC secret for platform-level webhook events |
| `STRIPE_CONNECT_WEBHOOK_SECRET` | Yes | HMAC secret for connected-account webhook events |
| `STRIPE_CLIENT_ID` | Yes | Stripe Connect client ID for OAuth Express onboarding |
| `NSELF_CLOUD_BASE_URL` | Yes | Base URL for cloud callbacks (e.g., https://cloud.nself.org) |
| `NSELF_DB_ENCRYPTION_KEY` | No | pgcrypto key for encrypting stored Stripe tokens at rest |
| `STRIPE_ENTITLEMENT_CACHE_TTL_SECONDS` | No | Entitlement cache TTL in seconds (default: 3600) |
| `STRIPE_API_VERSION` | No | Stripe API version to pin (default: 2024-12-18.acacia) |

| Endpoint | Method | Description |
|---|---|---|
| `/onboard` | POST | Initiate Stripe Express onboarding for a tenant operator |
| `/onboard/callback` | GET | OAuth callback; exchanges authorization code for tokens |
| `/checkout` | POST | Create a Checkout Session under a connected account |
| `/stripe/webhook/platform` | POST | Platform webhook receiver (HMAC verified, raw body required) |
| `/stripe/webhook/connect` | POST | Connected-account webhook receiver (reads `Stripe-Account` header) |
| `/entitlement/:entity_id/:capability` | GET | Check `billing.can(entity_id, capability)` from entitlement cache |
| `/account/:entity_id` | GET | Get connected account status and onboarding state |
| `/account/:entity_id/disconnect` | POST | Deauthorize a connected account |

The plugin handles 12 Stripe events across both channels. Platform events include payment_intent.succeeded, transfer.created, charge.dispute.created, and charge.refunded. Connect events include checkout.session.completed (grants entitlements), customer.subscription.updated (refreshes cache), customer.subscription.deleted (revokes), and invoice.payment_failed (flags and notifies).

- `np_stripe_accounts`: connected account records with encrypted tokens
- `np_stripe_entitlements`: cached entitlement state per entity
- `np_stripe_processed_events`: idempotency table for webhook deduplication

Both webhook endpoints use timing-safe SHA-256 HMAC verification with a 300-second timestamp tolerance window. Raw body is required for signature validation: do not parse the body before forwarding to the plugin. Stripe tokens in `np_stripe_accounts` are encrypted using `pgcrypto.pgp_sym_encrypt` when `NSELF_DB_ENCRYPTION_KEY` is set. Each webhook event is recorded in `np_stripe_processed_events` for exactly-once processing.
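
The verification and deduplication steps described above, as an added Python example that is not the plugin's own code. It assumes the standard `Stripe-Signature` header scheme (`t=<timestamp>,v1=<hex HMAC>` computed over `<timestamp>.<raw body>`); the function names, the sample secret and event, and the in-memory set standing in for `np_stripe_processed_events` are constructed for illustration.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300  # tolerance window stated in the text

# Constructed sample values, not real secrets or events.
SECRET = b"whsec_constructed_example"
RAW = b'{"id": "evt_constructed_1", "type": "checkout.session.completed"}'
NOW = 1_700_000_000


def mac_hex(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over b"<timestamp>.<raw body>", hex encoded."""
    signed = b"%d.%s" % (timestamp, raw_body)
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Build a header value; used only to construct sample input."""
    return f"t={timestamp},v1={mac_hex(secret, timestamp, raw_body)}"


def verify(secret: bytes, header: str, raw_body: bytes, now: int) -> bool:
    """True only for a fresh timestamp and a matching HMAC over the raw bytes."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated header: limits replay
    expected = mac_hex(secret, timestamp, raw_body).encode()
    # compare_digest runs in constant time; a header may carry several v1 values
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def handle(secret, header, raw_body, now, processed: set) -> str:
    """processed is an in-memory stand-in for np_stripe_processed_events."""
    if not verify(secret, header, raw_body, now):
        return "rejected"
    event_id = json.loads(raw_body)["id"]  # parse only after the HMAC passes
    if event_id in processed:
        return "duplicate"  # redelivery: acknowledge, do not reapply
    processed.add(event_id)
    return "processed"
```

A body that a proxy or framework has parsed and re-serialized differs byte-for-byte from what was signed (whitespace, key order), so `verify` rejects it even though the JSON is semantically identical.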
Internal Plugin — ɳCloud MAX | Port: 3830 | v0.1.0