Enable real-time authorization on your Stripe Issuing account and confirm your webhook endpoint URL is configured and reachable with sub-2-second response times
Subscribe to the issuing_authorization.request event type in your Stripe webhook configuration
When the webhook fires, parse the authorization object including merchant_data.category_code (MCC) and pending_request.amount
Apply your MCC-based allow/deny logic; for approved MCCs, respond with approved: true; for blocked MCCs, respond with approved: false and a reason
Verify the webhook signature using the Stripe-Signature header and your webhook secret before processing to prevent spoofing
Handle timeouts gracefully: if your endpoint does not respond within the window, Stripe falls back to the rules configured in the Stripe Dashboard
Known gotchas
Real-time authorization webhook responses must arrive within approximately 2 seconds; any blocking I/O in the handler path (database calls, external API calls) risks timeout and fallback to static rules
The webhook is called for every authorization including partial authorizations and incremental holds; ensure your handler is idempotent and handles duplicate delivery
Stripe Issuing webhooks use a separate signing secret from other Stripe webhooks; using the wrong secret causes all signature verifications to fail silently if you catch exceptions
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp