skills/mobile-payment-integration-specialist/SKILL.md
Mobile payment integration for Stripe, Apple Pay, Google Pay, in-app purchases, and subscription management. Activate on: mobile payments, Stripe SDK, Apple Pay, Google Pay, in-app purchase, StoreKit 2, Google Play Billing, subscription management, payment sheet. NOT for: backend payment processing (use api-architect), general e-commerce (use frontend-architect), financial compliance (use security-auditor).
Expert in integrating mobile payments including Stripe, Apple Pay, Google Pay, in-app purchases, and subscription lifecycle management.
Activate on: "mobile payments", "Stripe SDK mobile", "Apple Pay integration", "Google Pay", "in-app purchase", "StoreKit 2", "Google Play Billing", "subscription management", "payment sheet", "RevenueCat"
NOT for: Backend payment processing → api-architect | General e-commerce → frontend-architect | Financial compliance → security-auditor
| Domain | Technologies |
|--------|-------------|
| Direct Payments | Stripe Mobile SDK 23.x, Payment Sheet, Braintree |
| iOS IAP | StoreKit 2, App Store Server API, Server Notifications V2 |
| Android IAP | Google Play Billing 7.x, BillingClient, PurchaseFlow |
| Subscriptions | RevenueCat, Superwall, Qonversion, custom server logic |
| Express Pay | Apple Pay, Google Pay, Link (Stripe) |
```text
What are you selling?
│
├─ Digital content consumed IN the app (stickers, coins, premium features)
│   └─ MUST use In-App Purchases (Apple/Google mandatory)
│       ├─ Apple: StoreKit 2 + App Store Server API
│       └─ Android: Google Play Billing Library
│
├─ Physical goods or real-world services (food, rides, consulting)
│   └─ CAN use direct payment (Stripe, Braintree)
│       └─ No 30% commission
│
└─ Reader/media apps (Netflix, Kindle, Spotify)
    └─ CAN link to web for signup (US/EU/KR as of 2026)
        └─ External purchase entitlement via App Store Server API
```
```tsx
import React from 'react';
import { Button } from 'react-native';
import { useNavigation } from '@react-navigation/native';
import { useStripe } from '@stripe/stripe-react-native';
// `api` is the app's own authenticated HTTP client (assumed helper, not part of the Stripe SDK).
import { api } from '../lib/api';

// Surface a Stripe error to the user; `code` and `message` are the fields the SDK returns.
function handleError(error: { code: string; message: string }) {
  console.warn(`Payment failed (${error.code}): ${error.message}`);
}

function CheckoutScreen({ amount }: { amount: number }) {
  const { initPaymentSheet, presentPaymentSheet } = useStripe();
  const navigation = useNavigation<any>();

  async function checkout() {
    // 1. Create PaymentIntent on your server (the amount is decided server-side, never by the client)
    const { clientSecret, ephemeralKey, customerId } = await api.post(
      '/create-payment-intent',
      { amount, currency: 'usd' }
    );

    // 2. Initialize Payment Sheet
    const { error: initError } = await initPaymentSheet({
      merchantDisplayName: 'My Store',
      paymentIntentClientSecret: clientSecret,
      customerEphemeralKeySecret: ephemeralKey,
      customerId,
      applePay: { merchantCountryCode: 'US' },
      googlePay: { merchantCountryCode: 'US', testEnv: __DEV__ },
      defaultBillingDetails: { name: 'Jane Doe' },
    });
    if (initError) return handleError(initError);

    // 3. Present Payment Sheet
    const { error: payError } = await presentPaymentSheet();
    if (payError) {
      if (payError.code === 'Canceled') return; // User dismissed
      handleError(payError);
    } else {
      // Payment succeeded on the client; the order is only fulfilled once the server confirms via webhook
      navigation.navigate('OrderConfirmation');
    }
  }

  return <Button onPress={checkout} title={`Pay $${amount}`} />;
}
```
```swift
// Modern StoreKit 2 (async/await)
import StoreKit

enum SubscriptionError: Error {
    case pendingApproval   // Ask-to-Buy: a parent/guardian must approve
    case cancelled
    case failedVerification
    case unknown
}

class SubscriptionManager {
    // StoreKit 2 delivers every transaction with a JWS verification result.
    // Only a `.verified` payload may be trusted; `.unverified` means the signature check failed.
    func checkVerified<T>(_ result: VerificationResult<T>) throws -> T {
        switch result {
        case .unverified:
            throw SubscriptionError.failedVerification
        case .verified(let safe):
            return safe
        }
    }

    func purchase(_ product: Product) async throws -> Transaction {
        let result = try await product.purchase()
        switch result {
        case .success(let verification):
            let transaction = try checkVerified(verification)
            await transaction.finish()
            // Notify server of purchase for server-side validation (App Store Server API)
            await api.verifyPurchase(transactionId: transaction.id)
            return transaction
        case .pending:
            throw SubscriptionError.pendingApproval // Ask-to-Buy
        case .userCancelled:
            throw SubscriptionError.cancelled
        @unknown default:
            throw SubscriptionError.unknown
        }
    }

    // Listen for subscription status changes (renewals, refunds, revocations, Ask-to-Buy approvals)
    func observeTransactionUpdates() async {
        for await result in Transaction.updates {
            guard let transaction = try? checkVerified(result) else { continue }
            await handleTransactionUpdate(transaction)
            await transaction.finish()
        }
    }

    // Entitlements are granted by the server after it re-validates the transaction, not by the client.
    func handleTransactionUpdate(_ transaction: Transaction) async {
        await api.verifyPurchase(transactionId: transaction.id)
    }
}
```
- [ ] Server-side payment verification via webhooks (never trust client)
- [ ] Correct payment model chosen (IAP for digital, Stripe for physical)
- [ ] Apple Pay and Google Pay configured as express checkout options
- [ ] Subscription lifecycle handled: trial, renewal, cancellation, grace period
- [ ] Pending transactions (Ask-to-Buy) handled gracefully
- [ ] Product IDs fetched from store at runtime (not hardcoded)
- [ ] Restore purchases implemented for app reinstalls
- [ ] Receipt validation on server (App Store Server API / Google Developers API)
- [ ] Refund handling via server notifications
- [ ] Price displayed in user's local currency
- [ ] Subscription management screen links to platform settings
- [ ] PCI DSS compliance: no raw card data touches your servers (use Stripe tokenization)
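The first checklist item and the `// server confirms via webhook` comment in the checkout code both rest on one server-side step that the page does not show: the webhook handler must verify the delivery before it changes any order state. The example below is added here and is not part of this skill or the Stripe SDK. It implements the signature scheme Stripe documents for the `Stripe-Signature` header (`t=<unix seconds>,v1=<hex HMAC-SHA256>` over `${t}.${rawBody}`, with a replay window) using only Node's `crypto`, the same check the SDK's `constructEvent` performs, and pairs it with an idempotent order ledger so a duplicate delivery or a client-side "success" can never mark an order paid on its own. The endpoint secret, the event body, and the `order_id` metadata key are all constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Stripe-Signature header shape: "t=<unix seconds>,v1=<hex hmac>[,v1=<hex hmac>]".
// The signed payload is `${t}.${rawBody}` over the raw request bytes, never re-serialised JSON.

export interface StripeLikeEvent {
  id: string;
  type: string;
  data: { object: { metadata?: { order_id?: string } } }; // order_id metadata key is an assumption
}

export interface VerifyResult {
  ok: boolean;
  reason?: string;
  event?: StripeLikeEvent;
}

// Builds a header value for a body; used here only to produce the constructed fixture.
export function signPayload(rawBody: string, secret: string, timestampSec: number): string {
  const mac = createHmac("sha256", secret).update(`${timestampSec}.${rawBody}`).digest("hex");
  return `t=${timestampSec},v1=${mac}`;
}

export function verifyWebhook(
  rawBody: string,
  signatureHeader: string,
  secret: string,
  nowSec: number,
  toleranceSec = 300,
): VerifyResult {
  const fields = new Map<string, string[]>();
  for (const pair of signatureHeader.split(",")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const key = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    fields.set(key, [...(fields.get(key) ?? []), value]);
  }
  const timestamp = Number(fields.get("t")?.[0]);
  if (!Number.isInteger(timestamp)) return { ok: false, reason: "missing timestamp" };
  const candidates = fields.get("v1") ?? [];
  if (candidates.length === 0) return { ok: false, reason: "no v1 signature" };
  // Replay window: reject deliveries whose timestamp is too far from the server clock.
  if (Math.abs(nowSec - timestamp) > toleranceSec) return { ok: false, reason: "timestamp outside tolerance" };

  const expected = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest();
  const matched = candidates.some((hex) => {
    const candidate = Buffer.from(hex, "hex");
    // Constant-time comparison; the length check guards timingSafeEqual's equal-length requirement.
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
  if (!matched) return { ok: false, reason: "signature mismatch" };

  try {
    return { ok: true, event: JSON.parse(rawBody) as StripeLikeEvent };
  } catch {
    return { ok: false, reason: "body is not JSON" };
  }
}

// Order state lives on the server and changes only in response to verified events.
export class OrderLedger {
  private readonly orders = new Map<string, "pending" | "paid">();
  private readonly seenEventIds = new Set<string>();

  createOrder(orderId: string): void { this.orders.set(orderId, "pending"); }
  status(orderId: string): "pending" | "paid" | undefined { return this.orders.get(orderId); }

  // Returns true when the event changed state. Redelivered events (same id) are no-ops.
  applyVerifiedEvent(event: StripeLikeEvent): boolean {
    if (this.seenEventIds.has(event.id)) return false;
    this.seenEventIds.add(event.id);
    if (event.type !== "payment_intent.succeeded") return false;
    const orderId = event.data.object.metadata?.order_id;
    if (!orderId || this.orders.get(orderId) !== "pending") return false;
    this.orders.set(orderId, "paid");
    return true;
  }
}

// Constructed fixture (not a real Stripe event or endpoint secret).
export const SAMPLE_SECRET = "whsec_CONSTRUCTED_PLACEHOLDER";
export const SAMPLE_BODY = JSON.stringify({
  id: "evt_constructed_001",
  type: "payment_intent.succeeded",
  data: { object: { id: "pi_constructed_001", amount: 1999, currency: "usd", metadata: { order_id: "order-42" } } },
});
```

Two details matter when wiring this into a real handler: the body passed to `verifyWebhook` must be the raw request bytes (body-parsing middleware that re-serialises JSON will break the HMAC), and the `OrderConfirmation` screen in the client code should read order status from the server rather than assume it, because the ledger above is the only thing that ever flips an order to `paid`.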