Critical-risk tools in Stripe
10 of the 39 tools in Stripe are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
- archive_customer (Destructive): Soft-delete a customer by setting archived metadata. The customer remains in Stripe but is flagged for future purge.
- cancel_payment_intent (Destructive): Cancel a payment intent that has not yet been captured. Accepts an optional cancellation reason.
- cancel_subscription (Destructive): Cancel a subscription immediately or at the end of the current billing period. Routes through risk engine.
- delete_customer (Destructive): Permanently delete a customer. Requires force: true. Routes through risk engine and approval. Consider archive_customer instead.
- purge_expired_customers (Destructive): Find and permanently delete customers whose archive period has expired. Use dry_run: true to preview.
- create_payment_intent (Financial): Create a payment intent for a specified amount and currency. Optionally associate with a customer.
- create_refund (Financial): Refund a charge or payment intent — fully or partially. Routes through risk engine and approval for high-value refunds.
- full_refund (Financial): Full refund — no partial amount specified
- high_refund_ratio (Financial): Refund ratio ${(ratio * 100).toFixed(0)}%
- pay_invoice (Financial): Attempt to collect payment on an open invoice. Supports payment method override and off-session mode.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.