A browser-confirmable session: the server creates the intent, the browser SDK confirms it with clientSecret, so raw
card data never touches the server (PCI-scope reduction). Crediting lands on the processor webhook, not the create
call. This is the piece a pure server-side authorize can't express — the Payment-Element / one-click / add-card flows.
A browser-confirmable session: the server creates the intent, the browser SDK confirms it with
clientSecret, so raw card data never touches the server (PCI-scope reduction). Crediting lands on the processor webhook, not the create call. This is the piece a pure server-sideauthorizecan't express — the Payment-Element / one-click / add-card flows.