Tech Stack Guides

How to Tell If a Website Uses Stripe

Stripe is the dominant developer-first payment platform. Detect it via the js.stripe.com/v3 script, the Stripe() global, Elements iframes, the __stripe_mid cookie and api.stripe.com calls.

StackOptic Research Team27 May 20267 min read
Detecting Stripe payments via the js.stripe.com script, Elements iframes and cookies

Stripe is the dominant developer-first payment platform, powering checkouts and subscriptions for a vast share of modern online businesses. To tell whether a site uses it, the quickest answer is to open a checkout or pricing page, look for the js.stripe.com/v3 script, and type Stripe into the console. This guide walks through every reliable signal, the PCI-conscious architecture that produces them, and what a Stripe integration tells you about the business.

What is Stripe?

Stripe is a payments-infrastructure company, founded in 2010, that built its reputation on clean APIs and an excellent developer experience. Rather than the clunky, redirect-heavy gateways that preceded it, Stripe lets developers embed a smooth, on-site checkout and handle cards, wallets (Apple Pay, Google Pay), subscriptions, invoicing, marketplaces (Connect) and fraud prevention (Radar) through a single, well-documented platform. It has become the default choice for SaaS products, modern ecommerce, marketplaces and subscription businesses, especially those with engineering teams.

For detection, the key context is that Stripe is code-driven: integrating it requires a developer to add Stripe.js and wire up the API, so its presence signals a genuine transacting business with technical capability — not a template site. Because Stripe handles sensitive card data inside its own iframes, the integration leaves a consistent, recognisable footprint regardless of the surrounding framework. Stripe is also frequently the payment layer behind other tools (subscription-management platforms, no-code checkout builders and some ecommerce platforms), so finding it can imply a broader commerce stack.

How Stripe loads and processes payments

A Stripe integration loads Stripe.js from https://js.stripe.com/v3/ and initialises it by calling Stripe('pk_live_...') (or pk_test_...) with the site's publishable key. That key prefix immediately reveals whether the site is in live or test mode. The library exposes a global Stripe constructor and, through it, Elements — the UI components that collect payment details.

Crucially, Stripe renders card fields inside iframes hosted on js.stripe.com. This is deliberate: by isolating the card number, expiry and CVC in Stripe-controlled iframes, the merchant never touches raw card data, which dramatically simplifies PCI compliance. When the customer pays, the browser talks to api.stripe.com to create payment methods and confirm payment intents. Stripe also runs fraud and telemetry signals, sending beacons to m.stripe.com, r.stripe.com and q.stripe.com, and it sets the first-party cookies __stripe_mid (a long-lived machine identifier) and __stripe_sid (a session identifier). Understanding this flow — Stripe.js, Elements iframes, api.stripe.com, telemetry and cookies — makes every detection signal below fall into place.

How to tell if a website uses Stripe

Confirm at least two of the following, ideally on a checkout, pricing or signup page where payments are actually wired up.

1. Check the Network tab. Reload a checkout page and filter for stripe. You will see js.stripe.com/v3/ load, and once a form is present, telemetry to m.stripe.com/r.stripe.com and API calls to api.stripe.com. This is the most reliable method.

2. Use the console. Type Stripe and press Enter. A returned function (the Stripe constructor) confirms Stripe.js is loaded. On many sites you can find the publishable key in the page source or JavaScript.

3. Inspect the payment form. Open the checkout's card fields and inspect them. Card inputs rendered inside js.stripe.com iframes are a strong, characteristic Stripe signal driven by its PCI-isolation design.

4. Check cookies. Look for __stripe_mid and __stripe_sid first-party cookies, which Stripe.js sets on any page that loads it.

5. Read the publishable key. A pk_live_... or pk_test_... string in the source confirms Stripe and tells you live versus test mode.

What the Stripe signals look like

<script src="https://js.stripe.com/v3/"></script>
const stripe = Stripe("pk_live_51AbC…");
<iframe name="__privateStripeFrame…" src="https://js.stripe.com/v3/elements-inner-card-…"></iframe>
POST https://api.stripe.com/v1/payment_intents/…/confirm
Cookie: __stripe_mid = "…" ; __stripe_sid = "…"

The combination of the js.stripe.com/v3 script, the global Stripe constructor, and Elements iframes (or api.stripe.com calls) is conclusive.

Stripe versus other processors — avoiding false positives

Match the exact host to keep payment processors straight. Stripe uses js.stripe.com and api.stripe.com; Braintree (a PayPal company) uses js.braintreegateway.com; Adyen uses checkoutshopper-live.adyen.com; Square uses web.squarecdn.com/squareup.com; classic PayPal uses www.paypal.com/sdk/js and paypalobjects.com. Each leaves a distinct host fingerprint. A common subtlety is that Stripe can power Apple Pay and Google Pay buttons, so a wallet button does not by itself indicate a wallet "instead of" Stripe — check for the js.stripe.com host underneath. Likewise, several subscription and checkout tools (and some ecommerce platforms) use Stripe behind the scenes, so finding Stripe may mean the merchant uses it directly or via another product that settles through it.

How reliable is each Stripe signal?

The js.stripe.com/v3 script and the global Stripe constructor are definitive. Elements iframes hosted on js.stripe.com are equally strong and characteristic of Stripe's PCI design. Calls to api.stripe.com (especially payment_intents or payment_methods) are conclusive when a payment is attempted. The __stripe_mid/__stripe_sid cookies are reliable corroboration that Stripe.js loaded. The publishable key is unambiguous and reveals live/test mode. The weakest situation is a homepage that does not load Stripe until checkout, so always test a pricing, signup or checkout page rather than the landing page alone. As a rule, the script plus the constructor settles it.

What a Stripe integration reveals about a business

Finding Stripe is a strong signal of a genuine, transacting, technically capable business. Because Stripe is developer-implemented, its presence implies an engineering team (or a platform that provides Stripe-powered checkout) and a real revenue model — subscriptions, one-off sales, marketplace payments. The live-versus-test key tells you whether the site is actually processing money. If you sell to online businesses — finance, accounting, tax, subscription tooling, fraud, analytics, or developer products — a Stripe integration marks a buyer with revenue and a modern stack. The specific Stripe products in use are also informative: Stripe Billing signals subscriptions, Connect signals a marketplace or platform, and Checkout (the hosted checkout.stripe.com flow) versus Elements tells you how custom the integration is. Each detail sharpens your picture of the business model.

Stripe in a modern commerce stack

Stripe usually sits at the centre of a modern commerce or subscription stack. On a SaaS product you will often find Stripe Billing alongside a subscription-management or revenue tool, a CRM, and product analytics. On a custom ecommerce site, Stripe handles payments while the catalogue, cart and orders are managed by the application or a headless commerce engine. Stripe also frequently coexists with wallet options (Apple Pay, Google Pay), tax tools (Stripe Tax or Avalara) and fraud tooling. For an auditor, the valuable details are live versus test mode, whether the integration uses Checkout or Elements, which Stripe products are evident (Billing, Connect), and what surrounds it (subscription tools, CRM, analytics); together these reveal not just that the business takes payments but how its revenue model and commerce architecture are put together.

A quick Stripe confirmation walkthrough

Navigate to the site's pricing, signup or checkout page — not just the homepage — with developer tools open on the Network panel, and filter for stripe. You should see js.stripe.com/v3/ load. Switch to the Console and type Stripe to confirm the constructor, then search the source for pk_live_ or pk_test_ to read the key and mode. Inspect the card fields and confirm they are js.stripe.com iframes. Finally, check the Application panel for __stripe_mid and __stripe_sid. Two of these signals together confirm Stripe, and the key reveals whether real payments are being processed.

A quick Stripe detection checklist

  • On a checkout page, filter the Network tab for stripe; the js.stripe.com/v3 load is conclusive.
  • Type Stripe in the console to confirm the constructor.
  • Inspect card fields for js.stripe.com Elements iframes.
  • Check cookies for __stripe_mid and __stripe_sid.
  • Find the pk_live_/pk_test_ publishable key to determine live vs test mode.
  • Note whether Checkout, Elements, Billing or Connect is in use to infer the model.

Reading the sophistication of a Stripe integration

Not all Stripe integrations are equal, and the details tell you how mature the business is. The simplest setup is Stripe Checkout, the hosted flow that redirects to checkout.stripe.com — quick to implement and common among smaller merchants and no-code builds, signalling a team that wanted payments working with minimal engineering. A custom Elements or Payment Element integration, where card fields are embedded directly in the merchant's own checkout, signals more engineering investment and a desire to control the experience — typical of scaled SaaS and ecommerce. The presence of the Payment Element specifically (rather than the older Card Element) indicates a recent, well-maintained integration, since it is Stripe's current recommended approach and supports many payment methods from one component.

Beyond the checkout UI, the Stripe products in play reveal the business model with unusual clarity. Stripe Billing (subscriptions and invoicing) points to recurring revenue and a SaaS or membership model. Stripe Connect points to a marketplace or platform that pays out to third parties, a meaningfully more complex business. Stripe Tax, Radar (fraud) and Identity each indicate the merchant has matured beyond basic payments into compliance, risk and verification. For anyone selling to online businesses, reading these signals turns a simple "uses Stripe" into a rich understanding of the company's revenue model, scale and engineering maturity — which is exactly what makes the detection commercially useful rather than merely a checkbox.

Detecting Stripe at scale

Checking one site is quick, but identifying every transacting business in a list — to prospect revenue-generating companies, say — calls for automation. StackOptic detects Stripe and thousands of other technologies from a real browser, so you can build a list of businesses that take online payments and infer their commerce stack. For related reading, see our guide to finding out what payment processor a website uses and the full Stripe technology profile.

Frequently asked questions

What is the fastest way to tell if a site uses Stripe?

Open the Network tab on a checkout or pricing page, reload and filter for 'stripe'. You will see the js.stripe.com/v3/ script load and, once a payment form appears, requests to api.stripe.com and telemetry to m.stripe.com. The js.stripe.com script plus the global Stripe() function is definitive.

How does Stripe Elements appear in the page?

Stripe Elements (and the newer Payment Element) render card fields inside iframes served from js.stripe.com, which isolates sensitive card input for PCI compliance. Inspecting a checkout form and finding js.stripe.com iframes embedded for the card number, expiry and CVC is a strong, characteristic Stripe signal.

What cookies does Stripe set?

Stripe sets __stripe_mid (a machine identifier used for fraud prevention) and __stripe_sid (a session identifier) as first-party cookies on sites that load Stripe.js. Spotting the __stripe_mid and __stripe_sid cookies alongside the js.stripe.com script is a reliable confirmation.

Can I tell if Stripe is in live or test mode?

Often, yes. The publishable key passed to Stripe('pk_...') begins with pk_live_ for live mode or pk_test_ for test mode. If you can find the key in the page source or JavaScript, the prefix tells you whether the site is processing real payments or is still in testing.

What does it mean if a site uses Stripe?

Stripe is a developer-first payment platform, so its presence signals a business that takes online payments with a modern, code-driven checkout — common across SaaS, ecommerce, marketplaces and subscriptions. It usually indicates a technically capable team and a genuine transacting business rather than a brochure site.

Analyse any website with StackOptic

Get the full technology stack, performance, security and SEO report in seconds — free.

Analyse a website

Related articles