Entitlement Provisioning

Subscription creates, changes, and cancellations emit events. The system doesn't know or care whether payment succeeded.

Access is granted the moment the subscription changes, not when payment confirms. Provisioned asynchronously.

~50 product services query entitlements at runtime. Binary — access granted or not. No visibility into payment status.

Access granted the moment subscription changes, not when payment confirms. If payment fails or requires 3DS, the customer already has the product. The entitlement was granted on intent, not proof.

When dunning eventually flags the account, the system revokes something the customer may believe they legitimately have. Indistinguishable from a bait-and-switch.

Entitlements granted. The customer paid, the payment resolved, access is provisioned. This is the only path to feature access.

No entitlements. The subscription records intent, but access is not provisioned. The customer sees a clear state — pay to activate.

Entitlements held. 3DS challenges, async resolution — no access until the outcome resolves. The customer knows they're waiting.

Users subscribe and pay interactively. 3DS works because the user is present. PM collection decoupled from subscription changes.

Consumes payment outcomes from both on-session and off-session flows. Grants or revokes based on whether money moved.

Manages payment recovery when renewal charges fail. Produces payment outcomes that feed into this system.