I’m attaching the Stripe subscription data to the ID token from an Auth0 rule, and then checking it on the client side. Here’s the rule that adds it to the user data:
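// Auth0 rule body: summarise the user's Stripe subscriptions (plus some
// geo-IP hints) into namespaced custom claims on the ID token.
// `stripe`, `user`, `context` and `callback` are supplied by the rule
// runtime. Every path below must end in exactly one `callback(...)` call:
// the original only called back on the success branch, so a rejected
// Stripe lookup left the login hanging with no callback at all.
var stripe_customer_id = user.app_metadata && user.app_metadata.stripe_customer_id;

// Copy the request's geo-IP lookup (when Auth0 supplies one) into claims.
function addGeoClaims() {
  var geoip = context.request.geoip;
  if (geoip) {
    context.idToken['https://analogjoe.com/country'] = geoip.country_name;
    context.idToken['https://analogjoe.com/timezone'] = geoip.time_zone;
  }
}

// Reduce an expanded Stripe customer to [{id, active}], one entry per
// subscription. (The original loop re-read `data[0]` on every iteration,
// so every entry described the first subscription.)
// `active` is derived from the subscription's own `status`: Stripe's
// `plan.active` only says the plan can still be purchased, not whether
// THIS customer is currently paid up, so a cancelled subscription to a
// live plan used to read as active. NOTE(review): 'trialing' is counted
// as active so trial users keep access — confirm that is the intent.
function summarizeSubscriptions(customer) {
  var subs = (customer && customer.subscriptions && customer.subscriptions.data) || [];
  return subs.map(function (sub) {
    return {
      "id": sub.plan.id,
      "active": sub.status === 'active' || sub.status === 'trialing'
    };
  });
}

var stripe_customer = Promise.resolve()
  .then(function () {
    // A user with no Stripe customer on file simply has no subscriptions;
    // previously the missing id threw a TypeError before the rule could
    // call back.
    if (!stripe_customer_id) {
      return null;
    }
    return stripe.customers.retrieve(stripe_customer_id, {expand: ['subscriptions']});
  })
  .then(summarizeSubscriptions)
  .then(function (subscriptions) {
    context.idToken['https://analogjoe.com/subscriptions'] = subscriptions;
    addGeoClaims();
    return callback(null, user, context);
  }, function (err) {
    // Two-argument then(): failures from the Stripe lookup and from
    // summarising land here, but an exception thrown by callback() itself
    // does not, so the callback can never be invoked twice.
    return callback(err);
  });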
And then I’m checking it on the client side like so:
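// Silent session check: obtain a fresh access token, read the custom
// claims back from /userinfo, and toggle the paid-only UI on the `active`
// flag of the subscription claims. This runs entirely in the browser and
// only shows/hides DOM the page has already delivered, so it is a UX
// convenience rather than an access control. `webAuth`, `$` and
// `protectedContent` come from the surrounding page.
//
// Fix: every failure path now ends in protectedContent(). The original
// dereferenced `user` before checking the userInfo error, so a failed
// /userinfo call threw a TypeError and the paid pieces were never removed
// (fail-open, since protectedContent() is the only thing that removes them).
webAuth.checkSession({
  responseType: 'token',
  scope: "openid profile",
  redirectUri: 'https://' + window.location.hostname
},
function (err, result) {
  if (err) {
    console.log(err);
  }
  if (!result) {
    // Not logged in, or the silent auth failed: show the unpaid view.
    protectedContent();
    return;
  }
  // Deliberately not logging `result`: it carries the access token.
  webAuth.client.userInfo(result.accessToken, function (infoErr, user) {
    if (infoErr || !user) {
      console.log(infoErr);
      protectedContent();
      return;
    }
    var subscriptions = user["https://analogjoe.com/subscriptions"];
    var hasActive = Array.isArray(subscriptions) && subscriptions.some(function (subscription) {
      return Boolean(subscription && subscription["active"]);
    });
    if (!hasActive) {
      protectedContent();
      return;
    }
    // At least one active subscription: reveal the paid UI once, rather
    // than once per active subscription as the original forEach did.
    $('.protected-notice').hide();
    $('.protected').addClass('accessGranted');
    $('#login-button').hide();
    $('#user-avatar img').attr('src', user['picture']);
    $('#user-avatar').show();
  });
});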
The protectedContent() function is where I remove all the pieces that require payment.
Are there ways to subvert this and clean it all up? Certainly — the check runs entirely in the browser, and protectedContent() only removes paid pieces that were already delivered in the page, so anyone can skip it from the developer tools.
Do I see it as an issue worth the time to prevent? Nope.
If you want to see the site itself, you can find it here: https://analogjoe.com