Diagnosing Stripe Subscription State Drift Before It Silently Downgrades Users
A user emails your support team: they paid for the Pro plan three days ago but their account is sitting on Free. Stripe shows the subscription as active. Your database shows free. No error was ever logged. This is subscription state drift, and it is quietly costing you revenue and trust right now.
What is subscription state drift?
Subscription state drift is any persistent mismatch between the subscription status stored in your own database and the ground truth held by Stripe. Your system thinks a user is on Free; Stripe knows they are on Pro. Or the reverse β your database says active but Stripe cancelled the subscription two billing cycles ago.
Both directions are damaging. Underprovisioning means paying customers lose access. Overprovisioning means you are giving away paid features for free, silently bleeding revenue. Neither situation produces a loud exception you can grep for β it just sits there.
What you'll learn in this article:
- The root causes that cause Stripe and your database to diverge
- The four most common drift scenarios in production SaaS apps
- How to audit your existing data to surface drift right now
- A reconciliation script pattern you can adapt and schedule
- An ongoing alerting strategy so drift never goes undetected again
Why Stripe and your database diverge silently
Most teams store a copy of subscription status locally because they do not want to make a live Stripe API call on every request. That is a reasonable decision. The problem is the sync mechanism β webhooks β is not as reliable as developers assume.
Stripe delivers events over HTTPS to your endpoint. If that endpoint returns anything other than a 2xx status within a few seconds, Stripe queues a retry. But retries follow an exponential backoff schedule, and after enough failures Stripe stops retrying. If your server was in a deployment window, your database was briefly unavailable, or a bug in your webhook handler threw an uncaught exception, the event is gone from the practical delivery queue and your database never updated.
There is also a subtler problem: event ordering. Stripe does not guarantee that events arrive in the order they were created. A customer.subscription.updated event can arrive before customer.subscription.created if your endpoint has variable response latency. If your handler is not idempotent and does not check event timestamps, you can process a stale status on top of a fresh one.
For a deeper look at where webhook events go missing in practice, see this guide on debugging webhook failures in SaaS pipelines.
The four most common drift scenarios
1. Missed cancellation events
A customer cancels through the Stripe Customer Portal or via a direct API call. Stripe fires customer.subscription.deleted. Your endpoint was down or returned a 500. The user keeps full access indefinitely. This is the most common overprovisioning drift scenario.
2. Failed payment recovery not reflected locally
A subscription goes past_due, then the customer updates their card and the payment succeeds. Stripe fires invoice.paid and customer.subscription.updated (status back to active). If only the past_due event landed, your system downgrades the user even though they are now current. This is the most damaging underprovisioning scenario.
3. Upgrade or downgrade mid-cycle not applied
A user upgrades from Starter to Pro mid-month. Your handler processes the proration invoice but misses the customer.subscription.updated event that carries the new price ID. The user is charged for Pro but served Starter features.
4. Trial expiry not acted on
A trial ends, the subscription converts to paid or cancels, and Stripe fires customer.subscription.trial_will_end followed by either customer.subscription.updated or customer.subscription.deleted. If your handler treats trials and paid subscriptions as completely separate code paths, one of those branches may silently swallow errors.
How to audit your current state right now
Before writing any fix, measure how bad the problem actually is. Pull every active subscription from Stripe and compare it against your database in a read-only audit pass.
The Stripe API returns paginated subscription lists. Use the status=all parameter to get every subscription regardless of status, then filter locally. Here is a minimal Python audit script:
import stripe
import psycopg2
stripe.api_key = "sk_live_..."
# Pull all subscriptions from Stripe (paginated)
def fetch_all_stripe_subscriptions():
subs = []
params = {"limit": 100, "status": "all", "expand": ["data.customer"]}
while True:
page = stripe.Subscription.list(**params)
subs.extend(page.data)
if not page.has_more:
break
params["starting_after"] = page.data[-1].id
return subs
# Compare against your local DB
def audit_drift(conn):
stripe_subs = fetch_all_stripe_subscriptions()
stripe_map = {
sub.customer.email: {
"stripe_status": sub.status,
"stripe_price_id": sub.items.data[0].price.id,
"stripe_sub_id": sub.id,
}
for sub in stripe_subs
if hasattr(sub.customer, "email")
}
cur = conn.cursor()
cur.execute("SELECT email, subscription_status, price_id FROM users WHERE subscription_status != 'free'")
rows = cur.fetchall()
drift_found = []
for email, db_status, db_price_id in rows:
stripe_entry = stripe_map.get(email)
if stripe_entry is None:
drift_found.append({"email": email, "issue": "not_in_stripe", "db_status": db_status})
continue
if stripe_entry["stripe_status"] != db_status:
drift_found.append({
"email": email,
"issue": "status_mismatch",
"db_status": db_status,
"stripe_status": stripe_entry["stripe_status"],
})
if stripe_entry["stripe_price_id"] != db_price_id:
drift_found.append({
"email": email,
"issue": "price_mismatch",
"db_price_id": db_price_id,
"stripe_price_id": stripe_entry["stripe_price_id"],
})
return drift_found
conn = psycopg2.connect("dbname=myapp user=postgres")
results = audit_drift(conn)
for r in results:
print(r)
Run this in read-only mode first. Log the output to a file so you have a snapshot before any remediation. You may be surprised how many rows surface β teams that have never run an audit commonly find drift rates of a few percent, which at scale translates to real users and real revenue.
Writing a reconciliation script
Once you know the shape of the problem, write a reconciliation function that accepts a single subscription record from Stripe and applies it to your database. Keep this function idempotent β calling it twice with the same Stripe payload must produce the same outcome.
def reconcile_subscription(stripe_sub, conn):
"""
Apply a Stripe subscription's ground truth to the local database.
Idempotent: safe to call multiple times with the same sub.
"""
customer_id = stripe_sub.customer if isinstance(stripe_sub.customer, str) else stripe_sub.customer.id
status = stripe_sub.status
price_id = stripe_sub.items.data[0].price.id
current_period_end = stripe_sub.current_period_end # Unix timestamp
cur = conn.cursor()
cur.execute(
"""
UPDATE users
SET
subscription_status = %s,
price_id = %s,
current_period_end = to_timestamp(%s),
updated_at = NOW()
WHERE stripe_customer_id = %s
""",
(status, price_id, current_period_end, customer_id),
)
conn.commit()
return cur.rowcount # 0 means no matching user found β log this
Two important design choices here. First, you update from Stripe's payload rather than constructing your own status string β this prevents the local mapping logic from drifting over time. Second, you return rowcount so the caller can detect when no user row was updated, which itself signals a data integrity problem worth alerting on.
This function is also what your webhook handler should call. If your current webhook handler contains inline SQL or direct status string assignments, replace that logic with a call to reconcile_subscription. Now both the scheduled job and the real-time webhook use the same code path.
For related billing edge cases that affect reporting, see Stripe metered billing gotchas that break revenue reports.
Setting up ongoing drift detection
A one-off reconciliation fixes today's problem. You need a recurring job to catch tomorrow's.
Scheduled full reconciliation
Run the full audit-and-reconcile process nightly. Paginate through all Stripe subscriptions, call reconcile_subscription for each one, and emit a metric for how many rows changed. Alert if that count exceeds a threshold β a sudden spike means your webhook handler has a new bug.
Event-driven spot checks
After every webhook event your handler processes, re-fetch the subscription from Stripe immediately and compare it to what you just wrote. If they differ, you have an ordering bug in your handler. This adds a small latency overhead but catches stale-event overwrite issues in real time.
def handle_subscription_updated(event, conn):
# Apply the event payload
reconcile_subscription(event.data.object, conn)
# Spot-check: fetch fresh from Stripe and re-apply
fresh_sub = stripe.Subscription.retrieve(event.data.object.id)
reconcile_subscription(fresh_sub, conn)
This double-write pattern is slightly redundant but eliminates the entire class of ordering bugs. The extra Stripe API call costs a few milliseconds and counts against your rate limit β monitor your rate limit headroom if webhook volume is high.
Dashboard metric: drift count over time
Emit the number of mismatched rows as a gauge metric to your monitoring system after each reconciliation run. If the gauge is consistently above zero between runs, your webhook handler has a structural gap, not a one-off failure. Treat a nonzero steady-state drift count the same way you would treat a memory leak: it will compound.
This kind of ongoing monitoring pairs well with the broader discipline of catching silent access-control bugs β the same category of issue explored in multi-tenant feature flag isolation bugs.
Common pitfalls when fixing drift
Using email as a join key
The audit script above joins on email for readability, but email is mutable. A user can change their email on Stripe or in your app. Always use stripe_customer_id as the join key in production. Store it when you create the Stripe customer and never use it as a display field β it should only ever be a lookup key.
Reconciling canceled subscriptions back to active
If a subscription was legitimately cancelled and your reconciliation script reads a cached or stale Stripe response, you can accidentally reactivate it. Always fetch a fresh subscription object from the Stripe API during reconciliation β never pass a webhook event payload that has been sitting in a queue for more than a few minutes without re-fetching.
Not handling customers with multiple subscriptions
Stripe allows one customer to have multiple active subscriptions. If your data model assumes one subscription per customer and you pick the first result from a list query, you may apply the wrong subscription's status. Query stripe.Subscription.list(customer=customer_id, status="active") and decide explicitly which subscription governs access β usually the most recently created one or the highest-tier one.
Forgetting incomplete and incomplete_expired statuses
Stripe has more subscription statuses than just active, past_due, and canceled. A subscription can be incomplete if the initial payment failed, and incomplete_expired after 23 hours. If your access-control logic only checks for active, you may correctly deny access β but if it checks for anything-other-than-canceled, an incomplete user could slip through with no payment ever collected. Map all six statuses explicitly in your entitlement logic.
Related: this same class of edge case in activation flows is covered in depth in the article on SaaS trial-to-paid conversion gaps.
Wrapping up: next steps
Subscription state drift is not a rare edge case β it is an expected outcome of webhook-based sync in any system that has been running for more than a few months. The good news is it is entirely fixable with a systematic approach.
Here are the concrete actions to take in order:
- Run the read-only audit script against production today. Capture the output. Understand the scale of your current drift before writing a single fix.
- Refactor your webhook handler to use a single
reconcile_subscriptionfunction, making it idempotent and timestamp-aware so out-of-order events cannot overwrite fresh state. - Schedule a nightly full reconciliation job that iterates all Stripe subscriptions, applies the ground truth to your database, and emits a drift-count metric.
- Alert on nonzero drift counts between scheduled runs. Wire the gauge metric to your existing alerting stack and treat sustained drift the same as a P2 bug.
- Audit your status-to-entitlement mapping to ensure all six Stripe subscription statuses are handled explicitly, not as a catch-all fallback.
None of this requires a major architectural overhaul. Most of it is a few hundred lines of Python and a cron entry. The return is proportional to your subscriber count β and at any meaningful scale, even a one-percent drift rate represents real paying users being silently shortchanged.
Frequently Asked Questions
How do I tell if my Stripe subscription status is out of sync with my database?
Run a reconciliation audit by fetching all subscriptions from the Stripe API and comparing the status and price ID fields against your local database rows. Any row where the Stripe status differs from your stored status is a drift record. A drift rate above zero on a production system almost always indicates a gap in your webhook handling.
Why does Stripe stop retrying webhook events and how long does it keep trying?
Stripe retries failed webhook deliveries over several days using exponential backoff, but it will eventually stop if your endpoint keeps returning non-2xx responses or timing out. After the retry window closes, the event is no longer actively delivered, and you must use the Stripe Dashboard event log or the API to manually replay it.
Is it safe to call the Stripe API on every request to check subscription status?
For most apps it is not practical because Stripe enforces rate limits and the latency would slow down every authenticated request. The better pattern is to cache subscription status locally, keep it fresh via webhooks, and run a scheduled reconciliation job to catch any events that were missed.
What Stripe subscription statuses should my entitlement logic handle explicitly?
Stripe has six subscription statuses: active, past_due, incomplete, incomplete_expired, trialing, and canceled. Your access control code should map each one to an explicit access decision rather than using a fallback β otherwise incomplete or past_due subscriptions may get unintended access.
Can a user have multiple active Stripe subscriptions on the same customer record?
Yes, Stripe allows multiple subscriptions per customer by default. If your app only models one subscription per user, you need to decide explicitly which subscription governs access β typically by querying active subscriptions for that customer and applying a clear priority rule such as highest tier or most recently created.
π€ Share this article
Sign in to saveRelated Articles
Comments (0)
No comments yet. Be the first!