
AI News Hub

Server builds, wallet signs, webhooks confirm — a non-custodial Web3 checkout pattern with Solana

DEV Community
Tom

I've been building a Solana checkout flow. The core challenge: the server needs to control the terms of every payment — the amount, the recipient, the audit trail — without ever holding a private key. This post documents the pattern I landed on:

- Checkout session with TTL and CSRF protection
- Atomic token invalidation to prevent TOCTOU race conditions
- A server-side pending record (similar to Stripe's Payment Intent) written before the wallet is ever involved
- Webhook authentication and idempotent confirmation

The server constructs the unsigned transaction, the wallet signs it, and confirmation happens via webhook rather than client reporting. Solana-specific in implementation, but the architecture applies to any chain.

Already got a good question in the HN thread about meta-transactions and commit-reveal schemes.

Full post: https://blauenlabs.com/blog/web3-checkout-pattern/
https://news.ycombinator.com/item?id=47821168

Happy to discuss the tradeoffs.