Run any Skill in Manus with one click

$pwd:

payment-provider-oauth

Name: Payment Provider Oauth
Author: kryptobaseddev

// Build OAuth connections for payment providers (Stripe Connect, Square) in SvelteKit applications. Use when creating booking platforms, marketplaces, or applications where businesses need to connect their own payment accounts. Covers complete OAuth flows, database schema with Drizzle, token management, security best practices, webhook handling, and extensible provider abstraction for easily adding new providers. Integrates with Better-Auth authentication and includes token refresh strategies.

Run Skill in Manus

$ git log --oneline --stat

stars:0

forks:0

updated:May 21, 2026 at 22:33

File Explorer

5 files

SKILL.md

readonly

related-skills.json

same repository

proxmox-admin.md

from "kryptobaseddev/awesome-skills"

Use this skill to administer a Proxmox VE 8.x/9.x host, node, or cluster remotely — provisioning, day-2 ops, troubleshooting, hardening, IaC, migration off VMware/ESXi. Covers KVM VMs (qm), LXC containers (pct; OCI in 9.1+), storage (pvesm; ZFS, LVM-thin, NFS, Ceph), networking and SDN (zones, VNets, Fabrics in 9.0+, BGP/WireGuard in 9.2+), clustering and HA (pvecm, ha-manager, Dynamic Load Balancer in 9.2+), backup/restore (vzdump, Proxmox Backup Server), API tokens (pveum), firewall and security, and IaC (Terraform bpg/Telmate, Ansible). Onboards a YAML connection profile (SSH key + API token + defaults) under ~/.config/proxmox-admin/ and drives ops via bundled SSH/REST helpers or cv4pve-cli. Trigger even when the user does not say "Proxmox" — e.g. "spin up a VM on my homelab", "the LXC container is OOMing", "web UI at port 8006", "vCenter alternative", ProxMox, PVE, PBS, ProxLB, PegaProx, vmbr0, vmid, cloud-init, GPU passthrough, ZFS pool, cluster quorum, qm, pct, pvesh.

2026-05-220

agent-browser.md

from "kryptobaseddev/awesome-skills"

Browser automation CLI for AI agents. Use when the user needs to interact with websites, including navigating pages, filling forms, clicking buttons, taking screenshots, extracting data, testing web apps, or automating any browser task. Triggers include requests to "open a website", "fill out a form", "click a button", "take a screenshot", "scrape data from a page", "test this web app", "login to a site", "automate browser actions", or any task requiring programmatic web interaction.

2026-05-210

code-optimizer.md

from "kryptobaseddev/awesome-skills"

Deep code optimization audit using parallel specialist agents. Each agent hunts for performance anti-patterns, inefficiencies, and suboptimal code using pattern-based detection (Grep/Glob) WITHOUT reading the full source code first — avoiding anchoring bias on existing implementations. Covers ALL optimization domains: database queries, memory leaks, algorithmic complexity, concurrency, bundle size, dead code, I/O & network, rendering/UI, data structures, error handling, caching, build config, security-performance, logging, and infrastructure. Use when asked to: 'optimize my code', 'find performance issues', 'audit code quality', 'speed up my app', 'find bottlenecks', 'code review for performance', 'find anti-patterns', 'improve code efficiency', 'reduce latency', 'optimize performance', 'code smell detection', 'find slow code', 'optimize this project', 'performance audit', 'code optimization'. Also triggers on: 'optimizar codigo', 'encontrar cuellos de botella', 'mejorar rendimiento'.

2026-05-210

drizzle-orm.md

from "kryptobaseddev/awesome-skills"

Expert guidance for Drizzle ORM and drizzle-kit, covering the v1.0.0-beta (RQBv2, defineRelations, new migration folder structure, consolidated validators) and stable 0.x releases. Includes Node 24 node:sqlite integration with drizzle-orm/node-sqlite driver, drizzle-orm/zod validation (createInsertSchema, createSelectSchema, createUpdateSchema, createSchemaFactory), schema design for all dialects (SQLite preferred, PostgreSQL, MySQL, MSSQL), migrations (generate/migrate), rapid prototyping (push), and drizzle-seed. Use when: (1) working with Drizzle ORM projects, (2) setting up or running migrations with drizzle-kit, (3) using Node 24 built-in node:sqlite with Drizzle, (4) validating data with drizzle-orm/zod or drizzle-zod, (5) upgrading from 0.x to v1 beta, (6) defining relations with defineRelations or RQBv2, (7) seeding databases with drizzle-seed, (8) configuring drizzle.config.ts, or (9) any Drizzle ORM question.

2026-05-210

flarectl.md

from "kryptobaseddev/awesome-skills"

Cloudflare CLI management via the flarectl tool. Use when the user asks to manage Cloudflare zones, DNS records, firewall rules, cache purging, or zone exports using flarectl. Covers onboarding (installation, API Token vs Global API Key setup), zone CRUD, DNS record CRUD, firewall access rules, cache purging, zone file export, and permission verification. Also guides when to use Wrangler instead (Workers, Pages, R2, KV, D1). Triggers on: 'flarectl', 'cloudflare cli', 'cloudflare dns', 'cloudflare zone', 'CF_API_TOKEN', 'CF_API_KEY', 'manage cloudflare', 'cloudflare firewall', 'purge cloudflare cache', 'cloudflare setup', 'flarectl setup'.

2026-05-210

neonctl.md

from "kryptobaseddev/awesome-skills"

Comprehensive Neon CLI (neonctl) management for serverless Postgres. Use when managing Neon projects, branches, databases, roles, connection strings, IP allowlists, operations, or authentication via the neonctl command-line tool. Triggers on: 'neonctl', 'neon cli', 'neon projects', 'neon branches', 'neon databases', 'neon roles', 'neon connection-string', 'neon set-context', 'neon ip-allow', 'neon operations', 'neon auth', 'neon schema-diff', 'neon branch reset', 'neon branch restore', 'NEON_API_KEY', 'neon completion', 'neon init', 'manage neon', 'neon setup', 'neonctl install'.

2026-05-210

package.json

"author": "kryptobaseddev"

"repository": "kryptobaseddev/awesome-skills"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Software DevelopersComputer and Mathematical Occupations15-1252L4

name

payment-provider-oauth

description

Build OAuth connections for payment providers (Stripe Connect, Square) in SvelteKit applications. Use when creating booking platforms, marketplaces, or applications where businesses need to connect their own payment accounts. Covers complete OAuth flows, database schema with Drizzle, token management, security best practices, webhook handling, and extensible provider abstraction for easily adding new providers. Integrates with Better-Auth authentication and includes token refresh strategies.

Payment Provider OAuth Integration

Build secure OAuth integrations allowing businesses to connect their Stripe or Square payment accounts to your SvelteKit application. Designed for booking platforms, marketplaces, or any application where users need to manage payments through their own merchant accounts.

When to Use This Skill

Use this skill when building:

Booking platforms where businesses accept payments
Marketplace applications with multiple sellers
SaaS platforms requiring merchant payment processing
Applications using platform-to-merchant payment flows

This skill provides OAuth integration for users to connect their own payment provider accounts (different from your application's billing/subscription needs).

Core Capabilities

Complete OAuth Flows: Authorization, callback, token exchange, refresh, and revocation
Multi-Provider Support: Stripe Connect and Square OAuth implementations
Security: Encrypted token storage, CSRF protection, webhook verification
Extensibility: Provider abstraction pattern for adding new payment providers
Token Management: Automatic refresh for expiring tokens (critical for Square)
Better-Auth Integration: Works with existing Better-Auth setup

Quick Start

Step 1: Review Database Schema

Read schema.md for the complete Drizzle schema including:

payment_providers table for storing OAuth connections
Token encryption patterns
Indexes for performance
Zod validation schemas

Generate migration:

npm run drizzle-kit generate
npm run drizzle-kit migrate

Step 2: Choose Implementation Pattern

Option A: Provider-Specific Routes (simpler, two providers only)

Read stripe-oauth.md for Stripe implementation
Read square-oauth.md for Square implementation
Create separate routes for each provider

Option B: Provider Abstraction (recommended for 3+ providers or future extensibility)

Read provider-abstraction.md first
Implement base provider interface
Create provider-specific implementations
Use unified OAuth service
Dynamic routes handle any provider: /api/oauth/[provider]/authorize

Step 3: Set Up Environment Variables

# .env
# Stripe
STRIPE_CONNECT_CLIENT_ID=ca_xxx
STRIPE_SECRET_KEY=sk_test_xxx

# Square
SQUARE_APPLICATION_ID=sq0idp-xxx
SQUARE_APPLICATION_SECRET=sq0csp-xxx
SQUARE_ENVIRONMENT=production # or 'sandbox'

# Encryption (32 bytes hex for AES-256)
ENCRYPTION_KEY=<generate-with-crypto.randomBytes(32).toString('hex')>

Step 4: Implement OAuth Routes

Create the following routes based on your chosen pattern:

Authorization Routes:

src/routes/api/oauth/{stripe|square}/authorize/+server.ts
Or: src/routes/api/oauth/[provider]/authorize/+server.ts

Callback Routes:

src/routes/api/oauth/{stripe|square}/callback/+server.ts
Or: src/routes/api/oauth/[provider]/callback/+server.ts

Disconnect Routes:

src/routes/api/oauth/{stripe|square}/disconnect/+server.ts
Or: src/routes/api/oauth/[provider]/disconnect/+server.ts

Webhook Routes (optional but recommended):

src/routes/api/webhooks/{stripe|square}/+server.ts

See reference files for complete implementations.

Step 5: Token Encryption Utilities

Create src/lib/server/utils/encryption.ts:

import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';

const ALGORITHM = 'aes-256-gcm';
const KEY = Buffer.from(process.env.ENCRYPTION_KEY!, 'hex');

export function encryptToken(token: string): string {
  const iv = randomBytes(16);
  const cipher = createCipheriv(ALGORITHM, KEY, iv);
  let encrypted = cipher.update(token, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  const authTag = cipher.getAuthTag();
  return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
}

export function decryptToken(encryptedToken: string): string {
  const [ivHex, authTagHex, encrypted] = encryptedToken.split(':');
  const decipher = createDecipheriv(
    ALGORITHM, 
    KEY, 
    Buffer.from(ivHex, 'hex')
  );
  decipher.setAuthTag(Buffer.from(authTagHex, 'hex'));
  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
  decrypted += decipher.final('utf8');
  return decrypted;
}

Step 6: Token Refresh Job (Required for Square)

Square tokens expire after 30 days and must be refreshed every 7 days (Square best practice).

Create src/lib/server/jobs/token-refresh.ts:

import cron from 'node-cron';
import { db } from '$lib/server/db';
import { paymentProviders } from '$lib/server/db/schema';
import { eq, and, lt } from 'drizzle-orm';

export function startTokenRefreshJob() {
  // Run daily at 2 AM
  cron.schedule('0 2 * * *', async () => {
    const sevenDaysFromNow = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
    
    const providers = await db.query.paymentProviders.findMany({
      where: and(
        eq(paymentProviders.providerType, 'square'),
        eq(paymentProviders.isActive, true),
        lt(paymentProviders.expiresAt, sevenDaysFromNow)
      ),
    });

    for (const provider of providers) {
      // Implement refresh logic from square-oauth.md
      await refreshSquareToken(provider);
    }
  });
}

UI Integration Example

Svelte 5 Component for connecting providers:

<script lang="ts">
  let { providers = $bindable([]) } = $props();
  
  async function connectProvider(type: 'stripe' | 'square') {
    window.location.href = `/api/oauth/${type}/authorize`;
  }
  
  async function disconnectProvider(providerId: string) {
    const response = await fetch(`/api/oauth/disconnect`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ providerId })
    });
    
    if (response.ok) {
      providers = providers.filter(p => p.id !== providerId);
    }
  }
</script>

<div class="payment-providers">
  <h2>Connected Payment Providers</h2>
  
  {#if providers.length === 0}
    <p>No payment providers connected</p>
  {:else}
    {#each providers as provider}
      <div class="provider-card">
        <span>{provider.providerType}</span>
        <button onclick={() => disconnectProvider(provider.id)}>
          Disconnect
        </button>
      </div>
    {/each}
  {/if}
  
  <div class="connect-buttons">
    <button onclick={() => connectProvider('stripe')}>
      Connect Stripe
    </button>
    <button onclick={() => connectProvider('square')}>
      Connect Square
    </button>
  </div>
</div>

Making Payment API Calls

After OAuth connection, use stored tokens to make API calls:

import { decryptToken } from '$lib/server/utils/encryption';

// Stripe example
import Stripe from 'stripe';

export async function createStripePayment(provider, amount, currency) {
  const accessToken = decryptToken(provider.accessToken);
  const stripe = new Stripe(accessToken, {
    apiVersion: '2024-10-28.acacia',
  });
  
  return await stripe.paymentIntents.create({
    amount,
    currency,
  });
}

// Square example
import { Client, Environment } from 'square';

export async function createSquarePayment(provider, amount, currency) {
  // Check if token needs refresh
  if (needsRefresh(provider.expiresAt)) {
    await refreshSquareToken(provider);
  }
  
  const accessToken = decryptToken(provider.accessToken);
  const client = new Client({
    accessToken,
    environment: Environment.Production,
  });
  
  const { result } = await client.paymentsApi.createPayment({
    sourceId: 'payment-nonce',
    amountMoney: { amount: BigInt(amount), currency },
    locationId: provider.metadata.squareLocationId,
    idempotencyKey: crypto.randomUUID(),
  });
  
  return result.payment;
}

Critical Security Practices

Encrypt Tokens at Rest: Use AES-256-GCM encryption (see schema.md)
Verify OAuth State: Always validate state parameter to prevent CSRF
HTTPS Only: Required for production redirect URLs
Webhook Verification: Always verify webhook signatures
Token Refresh: Proactively refresh Square tokens every 7 days
Environment Variables: Never hardcode secrets
Sanitize Logs: Never log access/refresh tokens

Testing Strategy

Development Environment:

Use test mode credentials (Stripe test mode, Square sandbox)
Test complete OAuth flows
Verify token refresh
Test disconnection/revocation
Verify CSRF protection

Key Test Cases:

Initial connection
Reconnection (updating existing provider)
User denies authorization
Invalid/expired authorization codes
Token refresh (especially Square)
Webhook handling
Concurrent connections (multiple providers)

Common Errors and Solutions

Stripe:

invalid_request: Check client_id and redirect_uri match dashboard config
invalid_grant: Authorization code expired (5 minutes) or already used

Square:

UNAUTHORIZED: Token expired, trigger refresh
Authorization fails in sandbox: Must have Square Dashboard open first
Token refresh returns same refresh token (code flow) - this is expected

General:

CSRF error: State verification failed, regenerate state
Database constraint error: Provider already connected, update instead

References

Read these files for detailed implementations:

schema.md - Complete database schema with encryption
stripe-oauth.md - Stripe Connect implementation
square-oauth.md - Square OAuth implementation
provider-abstraction.md - Extensible provider pattern

External Documentation:

Architecture Decisions

Why encrypt tokens?: Access tokens grant full API access to merchant accounts. Encryption protects against database breaches.

Why CSRF protection?: OAuth state parameter prevents attackers from tricking users into connecting attacker's accounts.

Why proactive token refresh?: Square recommends 7-day refresh cycle to ensure sufficient time to handle failures. Waiting until 30-day expiration risks service disruption.

Why provider abstraction?: Standardizes OAuth flows across providers, making it trivial to add new payment providers (PayPal, Adyen, etc.) without duplicating logic.

Why webhook handlers?: Provides real-time notification when merchants revoke access, ensuring accurate connection status.

payment-provider-oauth

More from this repository

More from this repository

Payment Provider OAuth Integration

When to Use This Skill

Core Capabilities

Quick Start

Step 1: Review Database Schema

Step 2: Choose Implementation Pattern

Step 3: Set Up Environment Variables

Step 4: Implement OAuth Routes

Step 5: Token Encryption Utilities

Step 6: Token Refresh Job (Required for Square)

UI Integration Example

Making Payment API Calls

Critical Security Practices

Testing Strategy

Common Errors and Solutions

References

Architecture Decisions

Payment Provider OAuth Integration

When to Use This Skill

Core Capabilities

Quick Start

Step 1: Review Database Schema

Step 2: Choose Implementation Pattern

Step 3: Set Up Environment Variables

Step 4: Implement OAuth Routes

Step 5: Token Encryption Utilities

Step 6: Token Refresh Job (Required for Square)

UI Integration Example

Making Payment API Calls

Critical Security Practices

Testing Strategy

Common Errors and Solutions

References

Architecture Decisions