What Customers See
An overview of the customer-facing portal where subscribers can review failed payments, check recovery status, and update their payment method.
The customer portal is a lightweight, branded interface that gives your subscribers a self-service way to resolve failed payments. Rather than sending customers to a generic payment page, LostChurn provides a focused experience that shows exactly what went wrong and guides them toward a fix.
How Customers Reach the Portal
Customers land on the portal in one of two ways:
- Tokenized email link -- Every dunning email includes a unique {{update_url}} that points to the portal. Clicking the link verifies the customer's identity automatically, with no password or login required.
- Direct URL -- You can embed the portal link anywhere your customers will see it: in-app banners, support chat replies, or SMS messages. The link format and generation process are covered in Payment Update Links.
When a customer clicks a portal link, they are taken to a verification screen. The signed token in the URL is validated server-side using HMAC-SHA256 before the customer is granted access. Invalid or expired tokens show a clear error message and prompt the customer to request a new link.
Portal Dashboard
Once verified, the customer sees a dashboard with two cards:
Payment Method on File
Displays the customer's current default payment method with the following details:
- Card brand -- Visa, Mastercard, Amex, etc.
- Last four digits -- e.g., ending in 4242
- Expiration date -- month and year
- Default badge -- indicates whether this is the primary payment method
The card number is never shown in full. LostChurn only stores the last four digits and brand, which are fetched from your payment processor at webhook ingestion time.
Recent Payment Activity
Shows the most recent failed payment events for the customer, including:
- Amount and currency -- formatted to the customer's locale
- Date of failure -- when the charge was declined
- Status badge -- Failed, Pending, or Recovered
Customers can click through to a full payment history view that includes a table with decline reason descriptions (formatted from the raw decline code) alongside each event.
Recovery Status Alerts
When the customer has an active recovery in progress, the portal displays a prominent alert banner at the top of the dashboard. The banner communicates recovery status in plain language:
| Internal State | Customer-Facing Label |
|---|---|
| SilentRetryPending / SilentRetryInProgress | Retrying your payment |
| CommunicationPending / CommunicationActive | Awaiting your action |
| AwaitingCustomer | Awaiting payment update |
| Recovered | Resolved |
| Terminal | Needs attention |
The alert includes a prominent button directing the customer to update their payment method.
Updating a Payment Method
When a customer clicks "Update Payment Method," LostChurn creates a Stripe Billing Portal session scoped exclusively to the payment_method_update flow. This means:
- The customer cannot cancel their subscription or change their plan through this portal.
- All card data entry happens inside Stripe's PCI-compliant hosted interface -- raw card numbers never touch your servers or LostChurn's infrastructure.
- After the update completes, Stripe redirects the customer back to the portal with a success confirmation.
The Stripe Billing Portal session is restricted to payment method updates only. Customers cannot access subscription management, invoices, or cancellation flows through LostChurn's portal.
Security
The portal is designed with defense in depth:
- HMAC-SHA256 signed tokens -- Every portal link contains a cryptographically signed token that encodes the customer ID, merchant ID, and expiration timestamp. The signature prevents forged or tampered links from granting access.
- Constant-time signature comparison -- Token verification uses timingSafeEqual to prevent timing-based attacks.
- Token expiration -- Portal tokens have a configurable TTL. Expired tokens are rejected even if the signature is valid, with a 5-minute clock-skew tolerance.
- No stored credentials -- The portal does not use passwords or session cookies. Access is granted exclusively through verified token links.
- PCI compliance -- Card data is handled entirely by Stripe. LostChurn never sees, stores, or transmits full card numbers.
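An added example (not LostChurn's own code) of the checks listed above and under "How Customers Reach the Portal": recompute the HMAC-SHA256 over the received payload, compare it with timingSafeEqual, then enforce expiry with the 5-minute skew. The token layout, the claim names (cid, mid, exp), the function names and the demo values are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const CLOCK_SKEW_SECONDS = 5 * 60; // tolerance stated on this page

// Assumed token layout (hypothetical, not the documented LostChurn format):
//   base64url(JSON {cid, mid, exp}) "." base64url(HMAC-SHA256(secret, first part))
function signPortalToken(secret, { cid, mid, exp }) {
  const payload = Buffer.from(JSON.stringify({ cid, mid, exp })).toString("base64url");
  const sig = crypto.createHmac("sha256", secret).update(payload).digest("base64url");
  return `${payload}.${sig}`;
}

function verifyPortalToken(secret, token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 2 || !parts[0] || !parts[1]) return { ok: false, reason: "malformed" };
  const [payload, sig] = parts;

  // Recompute the MAC over the exact bytes received, before parsing any claim.
  const expected = crypto.createHmac("sha256", secret).update(payload).digest();
  const given = Buffer.from(sig, "base64url");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad_signature" };
  }

  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  const wellFormed = claims && typeof claims.cid === "string" &&
    typeof claims.mid === "string" && Number.isInteger(claims.exp);
  if (!wellFormed) return { ok: false, reason: "malformed" };

  // A valid signature says nothing about freshness: enforce the TTL separately.
  if (nowSeconds > claims.exp + CLOCK_SKEW_SECONDS) return { ok: false, reason: "expired" };
  return { ok: true, customerId: claims.cid, merchantId: claims.mid };
}

// Constructed demo values (not real identifiers or secrets).
const demoSecret = "constructed-demo-secret";
const demoToken = signPortalToken(demoSecret, {
  cid: "cus_demo", mid: "mer_demo", exp: 1700003600,
});
console.log(verifyPortalToken(demoSecret, demoToken, 1700000000));
```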
For a deeper look at LostChurn's security model, see the Security documentation.
Customization
Branding
The portal renders with your organization's identity. The layout is minimal and centered, with a branded header displaying the LostChurn shield icon and your merchant name. The footer can display custom text such as your support email or legal notices.
Localization
All portal text is served through next-intl translation keys, so you can fully localize the customer experience. Translation keys cover every string in the portal: page titles, button labels, status badges, error messages, and informational text.
Messaging
The tone and content of recovery alerts, status labels, and instructional text are all driven by translation files. You can tailor the messaging to match your brand voice without modifying any portal code.
Next Steps
- Payment Update Links -- Learn how to generate and embed portal links in your dunning campaigns
- Email Campaigns -- Set up the dunning emails that drive customers to the portal
- Security -- Review the full security architecture