The ‘Charging Cards with Server Authentication’ section goes about showing the user how to create a Stripe token on the server, once the credit card details have been passed from the HTML form to the server.
It should be noted that this is actually strongly discouraged because it does create a PCI compliance issue, and it is not recommended unless you have taken strong precautions for making sure that your server does not log any credit card details in any way.
I’m not sure why Stripe don’t make this more clear - Braintree call this issue out with a nice big alert box in their documentation: https://developers.braintreepayments.com/reference/request/credit-card/create/ruby
I understand why you would use this as a learning example before introducing client side payment collection, but I think if you’re going to keep this section, you owe a duty to your readers to be very, very explicit about this PCI compliance issue, and also demonstrate how to keep the server scrubbed of any credit card details.
Might be worth contacting someone at Stripe to confirm all of this, because my fear would be that even though subsequent chapters show client side collection, someone out there is sure to use the information in this chapter and get into trouble.
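
An added example, not part of the comment above or of the book it discusses: one way to keep card details out of server logs when a form posts them to the server, by filtering request parameters by key and redacting Luhn-valid card numbers from free-text log messages. The module name, the key list and the form field names are assumptions, and the sample card number is a constructed test value.

```ruby
require "logger"
require "stringio"

# Added example: CardScrubber, SENSITIVE_KEYS and the field names are
# assumptions for illustration, not taken from the book or a library.
module CardScrubber
  SENSITIVE_KEYS = /\A(card_?number|number|cvc|cvv|exp_month|exp_year)\z/i
  # 13-19 digits, optionally separated by single spaces or dashes.
  PAN_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/

  module_function

  # Luhn checksum, used so order ids and timestamps are not redacted.
  def luhn?(digits)
    sum = digits.reverse.each_char.with_index.sum do |ch, i|
      d = ch.to_i
      d *= 2 if i.odd?
      d > 9 ? d - 9 : d
    end
    (sum % 10).zero?
  end

  # Return a deep copy of a params hash with sensitive values replaced.
  def scrub_params(value, key = nil)
    case value
    when Hash  then value.to_h { |k, v| [k, scrub_params(v, k)] }
    when Array then value.map { |v| scrub_params(v, key) }
    else key.to_s.match?(SENSITIVE_KEYS) ? "[FILTERED]" : value
    end
  end

  # Redact anything in free text that looks like a valid card number.
  def scrub_text(text)
    text.to_s.gsub(PAN_CANDIDATE) do |m|
      luhn?(m.delete(" -")) ? "[REDACTED PAN]" : m
    end
  end

  # Logger whose formatter scrubs every message before it is written.
  def logger(io)
    Logger.new(io).tap do |log|
      log.formatter = ->(sev, _time, _prog, msg) { "#{sev}: #{scrub_text(msg)}\n" }
    end
  end
end
```

In a Rails application, parameter filtering in request logs is configured through `config.filter_parameters`; the text scrubber covers card numbers that reach logs by other routes, such as exception messages.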