Multiple links to the same account


Lee Jensen

Apr 21, 2014, 12:16:22 PM
to api-d...@lists.stripe.com
We recently uncovered something that somewhat violated our expectations surrounding the Stripe API and I wanted to discuss it with the list.

A number of users of Big Cartel have linked more than one Big Cartel account to the same Stripe account. Our initial assumption was that upon doing so we would get back a unique set of Stripe credentials and the user would see in their account settings multiple links to Big Cartel (likely without the ability to differentiate them). In reality Stripe sends back the same set of credentials to Big Cartel regardless of the underlying store the user is linking. In retrospect this makes sense, given there are no ‘facets’ other than the client_id to key off of when requesting credentials. So Stripe would have no way of knowing that this request was actually a different account on Big Cartel’s side.

It seems I’m faced with two scenarios. Either I disallow this kind of duplicate linking or I allow it and upon receiving an account.deauthorized webhook I remove those credentials from all account instances, not just the first one as we are doing now.

Based on actual usage it seems that around 2% of our users connect multiple stores to a single Stripe account. Some as many as 6 BC accounts. Is this something that’s come up in the past? Is there any possibility or interest in adding a faceted approach to Connect? I’m leaning towards forcing the relationship to be 1:1 for simplicity's sake but wondering what others are doing. Clearly some users want to link to the same Stripe account and I hesitate to prevent them.

Lee



mbu...@jestro.com

Apr 21, 2014, 4:16:45 PM
to api-d...@lists.stripe.com
We ran into this problem ourselves and opted to only allow a Stripe account to be connected to one site in our app. It's much easier to manage, especially when the user wants to revoke Stripe access from one specific store.

It's a lot easier to manage this nowadays as Stripe recently added support for creating multiple 'accounts' using one set of credentials (the link's under the account dropdown in the top right). It's very little hassle to set up and means your customer can use a company name that's specific to the store for credit card statements, and that they can clearly see where funds are going from their Stripe dashboard.

The only downside is that users need to switch to the right Stripe account before they connect with BC. Stripe don't ask the user which account they want to connect to, so it's possible you'll get the wrong credentials.

Matt

Amber Feng

Apr 21, 2014, 10:32:00 PM
to api-d...@lists.stripe.com
Hi Lee,

We indeed only create one access token / refresh token per Stripe
account and scope, so when you reconnect the same account to the same
application, you'll get the same credentials back. (The OAuth spec[0]
doesn't have any provision for this, so we opted to do it to prevent
many dangling access tokens in the case someone reconnected to an
application multiple times. We also didn't think there was any
compelling reason for needing multiple tokens per scope.)

I'd be curious to hear if Matt's solution works for you. In general,
we recommend that for users that have multiple businesses or stores,
they have multiple Stripe accounts (better for accounting and
reconciliation, like Matt mentioned, and for various fraud detection
reasons as well). As for the bug re: switching accounts on the Connect
screen, we've been working on that and hope to have a fix out later
this week!

Amber

0: http://tools.ietf.org/html/rfc6749
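
Added example, not part of the thread and not Stripe's or Big Cartel's code: a sketch of the two options Lee describes, given that Stripe returns one token pair per account and scope. It stores the shared credentials once per Stripe account and, on `account.deauthorized`, clears them for every linked store. The class and store names are hypothetical, the event shape (`type`, `account`) and sample values are constructed, and the webhook is assumed to have been authenticated before it reaches this code.

```python
class DuplicateLink(Exception):
    """Raised when 1:1 linking is enforced and the account is already linked."""


class ConnectLinks:
    """Tracks which platform stores share one connected Stripe account."""

    def __init__(self, allow_shared=True):
        self.allow_shared = allow_shared
        self.creds = {}     # Stripe account id -> credentials, stored once
        self.stores = {}    # Stripe account id -> set of linked store ids
        self.by_store = {}  # store id -> Stripe account id

    def link(self, store_id, token_response):
        acct = token_response["stripe_user_id"]
        linked = self.stores.setdefault(acct, set())
        if linked - {store_id} and not self.allow_shared:
            raise DuplicateLink(f"{acct} is already linked to another store")
        prev = self.by_store.get(store_id)
        if prev and prev != acct:  # store moved to a different Stripe account
            self.stores[prev].discard(store_id)
        # Same account and scope yields the same tokens, so overwriting is safe.
        self.creds[acct] = {k: token_response[k]
                            for k in ("access_token", "refresh_token")}
        linked.add(store_id)
        self.by_store[store_id] = acct
        return len(linked)

    def token_for(self, store_id):
        acct = self.by_store.get(store_id)
        return self.creds[acct]["access_token"] if acct in self.creds else None

    def handle_event(self, event):
        """Apply account.deauthorized to every store sharing the account."""
        if event.get("type") != "account.deauthorized":
            return []
        acct = event.get("account")
        self.creds.pop(acct, None)
        affected = sorted(self.stores.pop(acct, set()))
        for store_id in affected:
            self.by_store.pop(store_id, None)
        return affected  # empty on replay, so the handler is idempotent


def demo():
    # Constructed token response; both stores receive identical values.
    resp = {"stripe_user_id": "acct_EXAMPLE", "access_token": "sk_constructed",
            "refresh_token": "rt_constructed"}
    links = ConnectLinks()
    links.link("store-a", resp)
    links.link("store-b", resp)
    event = {"type": "account.deauthorized", "account": "acct_EXAMPLE"}
    return links.handle_event(event), links.token_for("store-b"), links.handle_event(event)
```

Keying credentials by Stripe account rather than by store means a single deauthorization cannot leave a revoked token attached to a sibling store.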