Install collect.js on your checkout
One-line install. Add the script tag and collect.js automatically associates the cardholder's device fingerprint and IP with your Stripe payments — no wiring — so Reflex has stronger pre-dispute evidence when a chargeback fires.
Why install it
When a dispute fires, Reflex builds an evidence package from whatever data Stripe captured at the time of the charge. Without collect.js, that package is limited to what Stripe sees natively — billing address, AVS, CVC checks, and (if you have 3DS configured) authentication results.
With collect.js, Reflex additionally has the cardholder's device fingerprint, IP address, browser environment, and risk signals — all captured at the moment of payment, before any dispute could be filed. This evidence directly contradicts the typical "I wasn't there" fraud claim by showing the cardholder's own device was present at the time of the charge.
Add the script tag
Drop this single line in the <head> of your checkout page (or anywhere before the payment form is submitted).
<script src="https://certnode.io/collect.js"></script>
That's the entire install. The script auto-loads, collects the device + IP signal in the background, and — when it sees your Stripe.js create the PaymentIntent — securely sends the signal to CertNode, which joins it to the payment when it succeeds. It observes your Stripe calls; it never modifies them.
Allow CertNode in your CSP
If your checkout page sends a Content-Security-Policy (most serious checkouts do, and PCI-DSS 4.0 expects a script inventory on payment pages), allow CertNode in script-src and connect-src so the script can load and send its signal. Without this, the browser silently blocks it.
Content-Security-Policy:
script-src 'self' https://certnode.io https://js.stripe.com;
connect-src 'self' https://certnode.io https://api.stripe.com;
No CSP on your checkout? You can skip this step — the one script tag is all you need.
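A pre-deployment check for the policy above, as an added example that is not part of CertNode's documentation or code: it parses a Content-Security-Policy value and reports whether https://certnode.io is allowed for script loads and for connections, following the fallback to default-src. The function names are hypothetical, host matching is simplified (paths and ports are ignored), and the checkout is assumed to be served over HTTPS.

```javascript
// Added example (not CertNode code): does a CSP value allow collect.js to load and report?
// Assumptions: checkout served over HTTPS; host matching ignores paths and ports.
const ORIGIN = new URL("https://certnode.io");

// Split a policy into a map of directive name -> source expressions.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !(name in policy)) policy[name] = sources;
  }
  return policy;
}

// Does one source expression cover the https origin?
function sourceAllows(source, origin) {
  if (source === "*" || source === "https:") return true;
  if (source.startsWith("'")) return false; // 'self', 'none', nonces, hashes
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scheme + ":" !== origin.protocol) return false;
  // "*.certnode.io" covers subdomains only, never the bare domain.
  if (host.startsWith("*.")) return origin.hostname.endsWith(host.slice(1));
  return host === origin.hostname;
}

// Fallback order for each request type collect.js makes.
const CHAINS = {
  script: ["script-src-elem", "script-src", "default-src"],
  connect: ["connect-src", "default-src"],
};

function checkCollectJs(header) {
  const policy = parseCsp(header);
  const verdict = {};
  for (const [kind, chain] of Object.entries(CHAINS)) {
    const name = chain.find((d) => d in policy);
    // No governing directive means that request type is unrestricted.
    verdict[kind] = !name || policy[name].some((s) => sourceAllows(s, ORIGIN));
  }
  return verdict;
}

// Constructed sample: connect-src is missing, so connections fall back to default-src.
const sample = "default-src 'self'; script-src 'self' https://certnode.io https://js.stripe.com";
console.log(checkCollectJs(sample)); // { script: true, connect: false }
```

A `connect: false` result is the case where the script loads but its signal never reaches CertNode, which is easy to miss because the payment itself still succeeds.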
Advanced (optional): attach the metadata yourself
If you create PaymentIntents fully server-side and would rather attach the signal explicitly, the classic API still works and takes precedence over the automatic path. Read it with CertNode.onReady() and put it on the PaymentIntent metadata (not the PaymentMethod, which the webhook never reads).
// Client → forward to your server
const md = await new Promise((r) => CertNode.onReady(r));
// Server
await stripe.paymentIntents.update(pi.id, { metadata: md });
Verify it's working
On your next few live charges, the Reflex Stripe App detects the device fingerprint and stops showing the "Add device fingerprinting" banner on the dashboard home view (it confirms after a few captures).
Using the optional manual path instead? You can verify directly on the PaymentIntent — open it in the Stripe dashboard and look for the device_fingerprint / ip_address keys under Metadata.
What gets captured
- Device fingerprint (canvas, WebGL renderer, screen, timezone, platform, languages)
- IP address (server-side, from the request the browser sends)
- User agent (browser environment)
No cookies and no cross-site tracking. These are best-effort, client-reported signals captured at payment time — they corroborate that the cardholder's own device was present at the charge. They are not a substitute for 3DS authentication, and the device fingerprint and IP are handled as evidence data, not used to track users across sites.