Hi team,
We run a SaaS app and create Lemon Squeezy checkout sessions for authenticated users.
Repro:
1) User A is logged into our app and clicks Subscribe.
2) Checkout opens prefilled with A’s email (a@a.com)
3) User A or their browser changes email to B (b@a.com) in checkout and completes payment.
Actual:
- Subscription/customer in lemon ownership follows checkout email B (b@a.com).
- In our app, entitlement must stay tied to user A (authenticated actor), so we detect mismatch in webhook and reject entitlement.
- This can result in an orphan paid subscription and poor self-service cancellation experience for the intended user.
Expected:
- A supported way to hard-bind checkout identity to the initiating app user A’s email a@a.com, or lock/prevent editing of checkout email for this flow.
Current mitigation:
- We pass custom_data.user_id and validate in subscription_created webhooks.
- We reject local entitlement when email mismatches.
Problem remaning:
- User A can’t cancel the subscritpion they made using the wrong email because they don’t have access to said wrong email.
Questions:
1) Is this behavior expected?
2) Is there any official way to lock email editing or bind subscription ownership to a stable customer/app identifier?
3) If not, what is Lemon Squeezy’s recommended pattern for this scenario?