Accessing account info with the new restricted keys

Bastien Petit

Sep 15, 2017, 3:41:20 AM
to Stripe API Discussion
Hi, Stripe team!

I make CashNotify. We were excited to read about the new restricted access API keys yesterday and wanted to try them. 

However, it seems that no matter the rights I give to a restricted key, I can't use it to access the account's information. We need: display_name, business_logo, default_currency, you can see why here.

Code sample:

stripe.setApiKey('rk_test_************************');
stripe.account.retrieve(
  function(err, account) {
    // ...
  }
);

Error: The provided key 'rk_test_************************' does not have the required permissions for this endpoint on account 'acct_****************'. Having more permissions would allow this request to continue.

Am I doing this wrong? Is there another way to access the account's information with restricted keys?

I tried with API version 2017-08-15 and Node.js library v5.0.0. Please tell me if I should post here instead.

Thanks in advance,

Bastien

Remi J.

Sep 15, 2017, 3:54:28 AM
to api-d...@lists.stripe.com
Hey Bastien,

Thanks for the report! Your own Account's resource is out of scope for Restricted API keys at the moment but I'll share this with the team as a potential improvement moving forward. For now, you'll need to access this with your main Secret API key to retrieve the account's information.

Best,
Remi

--
You received this message because you are subscribed to the Google Groups "Stripe API Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-discuss+unsubscribe@lists.stripe.com.
To post to this group, send email to api-d...@lists.stripe.com.
Visit this group at https://groups.google.com/a/lists.stripe.com/group/api-discuss/.

Bastien Petit

Sep 15, 2017, 4:32:51 AM
to Stripe API Discussion
Thanks Remi,

That would be awesome. We really like the idea of restricted scopes and we'd love to be able to tell our clients to start using them.

Have a nice day,

Bastien



Bastien Petit

Sep 26, 2017, 7:39:02 AM
to Stripe API Discussion
Hi Remi,

Any update on what your team thinks about this? Is there a chance that you will decide to extend the scope of Restricted API keys?

We do have customers who try to use them, for now we explain with a warning message linking to this page.

Best regards,

Bastien
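
An added example, not part of the original thread and not CashNotify's or Stripe's code: one way a client application that accepts user-supplied keys could recognize a restricted key and turn the permission error quoted above into a warning, while masking key material before it is displayed or logged. The function names and sample values are hypothetical; `sk_` and `pk_` are Stripe's secret and publishable key prefixes.

```javascript
// Added example: hypothetical helpers, not Stripe's or CashNotify's code.

// Key prefixes: rk_ (restricted, as in the thread), sk_ (secret), pk_ (publishable).
const KEY_RE = /^(rk|sk|pk)_(test|live)_([A-Za-z0-9]+)$/;
const KINDS = { rk: 'restricted', sk: 'secret', pk: 'publishable' };

// Classify a user-supplied key locally, without contacting Stripe.
function classifyKey(key) {
  const m = KEY_RE.exec(String(key).trim());
  if (!m) return { kind: 'unknown', mode: null };
  return { kind: KINDS[m[1]], mode: m[2] };
}

// Mask key material before a message reaches a log file or the UI.
function redactKeys(text) {
  return String(text).replace(
    /\b((?:rk|sk|pk)_(?:test|live)_)[A-Za-z0-9*]+/g, '$1****');
}

// Recognize the permission denial quoted in the thread by its message text.
function isPermissionDenied(err) {
  return /does not have the required permissions for this endpoint/.test(
    (err && err.message) || '');
}

// Turn a failed account lookup into a user-facing warning.
function explainAccountError(key, err) {
  const { kind } = classifyKey(key);
  if (kind === 'restricted' && isPermissionDenied(err)) {
    return 'Restricted keys cannot read account information; ' +
      'account details need the secret key.';
  }
  return 'Stripe request failed: ' + redactKeys(err && err.message);
}

// Constructed sample input (not a real key, account id or API response).
const sampleKey = 'rk_test_abc123DEF456';
const sampleErr = new Error("The provided key '" + sampleKey +
  "' does not have the required permissions for this endpoint" +
  " on account 'acct_EXAMPLE'.");
console.log(explainAccountError(sampleKey, sampleErr));
console.log(redactKeys(sampleErr.message));
```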

Remi J.

Sep 26, 2017, 7:52:41 AM
to api-d...@lists.stripe.com
Hey Bastien,

The team agrees that this would be a useful feature to add in the future. We don't have short term plans to implement this right now though. Adding support for this is related to supporting API requests made via Stripe Connect which was out of scope originally. We do hope to add this in the future but not in the coming days or weeks unfortunately.

Thinking about this a bit more, I have a feeling that Restricted API Keys are potentially the wrong approach here. Those were designed with a different application in mind. The idea was that as a company you might have multiple systems accessing Stripe. Some are likely creating customers and charges and would need full access to the account. On the other hand, you likely have that one script that runs an automated reconciliation on a list of charges once a day or that other one that lets your own team refund charges. Those systems are less sensitive than the main integration(s) but they still need access to the main Secret API key with all permissions. Restricted API Keys allow you to create an API key with really specific permissions that protect you from a leak.

Based on what you are building, you might want to look into Stripe Connect instead. This would let users give you access to their Stripe account in read-only. From now on you can make any (read) API requests on their behalf without having to request their API keys. You can read more about this here: https://stripe.com/docs/building-integrations

I'll follow up on this thread once we've released more features for Restricted API keys though!

All the best,
Remi


Bastien Petit

Oct 3, 2017, 10:41:04 AM
to Stripe API Discussion
Thanks Remi,

I agree, Stripe Connect makes perfect sense for web applications.

But CashNotify is a desktop app. We like the idea that the app communicates directly with Stripe's servers, without involving an intermediate platform app on a server operated by us. That's also a great argument when customers ask about the confidentiality of their data. 

In the short term, we'll keep using Standard API keys.

Best regards,

Bastien

Julien Ma

Oct 24, 2018, 10:24:21 AM
to Stripe API Discussion, he...@bastienpetit.com
Hey Stripe Team,
Any chance to add an account scope to restricted keys?

We'd love to support restricted keys, but need access to some account data, at least these:
  • display_name
  • business_logo
  • default_currency
Thanks!
Julien

Remi J.

Oct 24, 2018, 10:26:09 AM
to api-d...@lists.stripe.com, he...@bastienpetit.com
Hey Julien,

It's something we want to ship in the future but we don't have a clear timeline as to when Restricted API Keys will work with the Account resource and/or Connect unfortunately. For now the best solution is to use Stripe Connect instead though I know it might not fit your use case.

Best,
Remi

Julien Ma

Oct 24, 2018, 12:54:18 PM
to Stripe API Discussion
Ok, thanks for the update Remi.

Julien Ma

May 26, 2020, 11:16:20 AM
to Stripe API Discussion, jul...@baguette.engineering
Hey Remi and team,
We tried one more time to get account info using a restricted key, but it seems it's still out of scope.
Could you let us know if this is still on the roadmap?

Thank you,
Julien

Remi J.

May 26, 2020, 11:20:50 AM
to api-d...@lists.stripe.com, jul...@baguette.engineering
Hey Julien,

Unfortunately, we don't have any update yet for this feature, I'm sorry. It's something we would like to implement but we don't have any specific timeline for this for now. I'll raise this again with the team but I don't see this happening in the near future at least.

Sorry I don't have a better answer.
Best,
Remi


Julien | Baguette Engineering

May 26, 2020, 12:08:18 PM
to Remi J., api-d...@lists.stripe.com
Ok, thanks for the update.
