When to retry
Retry only transient failures such as timeouts and rate limits. Do not retry terminal declines like an invalid card, because the answer will not change and you waste attempts.
Retry safely
- Attach an idempotency key so a retry of a possibly successful charge does not double it.
- Use exponential backoff with jitter so many clients do not retry in sync and storm the processor.
- Enforce a retry budget that caps total attempts and total time.
The ambiguous case
A timeout is dangerous because the charge may have succeeded. Never blindly retry a timeout without the same idempotency key, or you risk a duplicate charge. With the key, the retry is safe because the processor collapses it.
Key idea
Safe payment retries combine idempotency keys, exponential backoff with jitter, and a retry budget, retrying only transient failures so charges are never doubled or amplified into a storm.