TLDR at the bottom. I know I’m wordy.
I have an issue with getting the Stripe Radar risk information off of a SetupIntent object. Our business doesn’t invoice users until well after taking their payment information, so we can’t use an immediate Charge object, which would include the risk information by default. Instead, we have to store their payment information with Stripe’s SetupIntent API. I can set up block rules on the Radar page on the dashboard to block “elevated” and “highest” risk levels, but then when the SetupIntent gets blocked, I can’t tell why it was blocked. There’s nothing about which rule it violated, or its risk score, or its risk level, or anything useful. The only information that seems like it might vary enough in the response object is this:
code: 'card_declined',
decline_code: 'generic_decline',
doc_url: 'https://stripe.com/docs/error-codes/card-declined',
But even this doesn’t seem to vary between “elevated” and “highest” risk PaymentMethods. The SetupIntent is correctly blocked by the dashboard, but our eventual hope is to block “highest” risk payment methods, but allow “elevated” risk payment methods while sending our fraud staff a notification about the potential risk. To make that distinction, I need either the risk score or the risk level itself. I’ve investigated the SetupAttempt and Card/PaymentMethod objects as well, and none of them have Radar risk information either. Is this simply not information that can be garnered until a Charge is applied to the PaymentMethod? It sure seems like it should be accessible somehow since I can see the risk score for the SetupIntent on the dashboard.
The most infuriating part about this is that if I watch the Network tab from my devtools on the page about a specific SetupIntent on the dashboard, the request that gets the SetupIntent data expands the latest_attempt property and gets a full object value out of it, but if I do that from our API I just get the SetupAttempt ID, and as I said the SetupAttempt doesn’t show any radar information. This is despite the fact that the request from the dashboard gets the following property as part of its SetupAttempt object:
"radar_results": {
    "risk_level": "elevated",
    "risk_score": 64
}
So I know the information exists, and if it’s not public it doesn’t appear to have any reason not to be. If it’s the case that the information simply isn’t exposed to the API at that step, and anyone knows of some real reason why, like some obscure potential security risk, I’d appreciate that as well.
TLDR; Is the Stripe Radar risk information simply not available for SetupIntents via the Stripe API until after a Charge is made, despite the fact that it’s shown just fine on the dashboard? If not, is there any actual reason why, or just seemingly an oversight on the API’s part?