Stripe Apps and Stripe Secret Store


Dan Massey

Apr 30, 2024, 10:11:13 AM
to Stripe API Discussion
Hi there,

The Stripe Apps docs describe the capabilities of the Secret Store.
The Secret Store API enables your app to:
  • Securely store and retrieve authentication credentials
  • Keep users authenticated with third-party services, even if they sign out of stripe.com and sign in again
  • Securely pass secrets between your UI extension and backend
I want to use the Secret Store API in a Stripe App to store an API key for each Stripe account my App is installed in. I want my backend to receive a webhook event from a particular account and then retrieve the secret for that account. 

Is this possible? The API docs for finding a secret seem to suggest I can't provide an account ID? Does this mean I can only retrieve the secret from the Stripe hosted frontend?

Thanks in advance for your help
Dan

Ryan Manzer

Apr 30, 2024, 2:18:08 PM
to Stripe API Discussion
Hi Dan,

The flows you describe are indeed possible.  

The Secrets API reference does not explicitly reference using the Stripe Account header but I tested this myself end-to-end and can confirm that you can
1. set a secret in your app and then 
2. retrieve it on your back-end by including the ID for each account that installs your app.  

Here is my code for finding a secret for an installed account (I use Python on my back-end).

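import stripe

# stripe.api_key must already be set to your own (platform) secret key.
# stripe_account sends the Stripe-Account header for the installing account.
stripe.apps.Secret.find(
  name="super_sneaky_secret",
  scope={"type": "account"},
  stripe_account="acct_XXXXXXX"
)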

These secrets are also scoped to your platform account.  This means that the accounts who install your app will not be able to access these secrets themselves.

If you have any follow up questions, I recommend reaching out to our support team for 1:1 support directly: https://support.stripe.com/contact

I hope this helps!
Ryan
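
The flow asked about in this thread (webhook in, per-account secret out), as an added example that is not part of either post: the `account` value picks which installation's secret is loaded, so the sketch checks the `Stripe-Signature` header before trusting it. It assumes the event carries the top-level `account` field; the function names, the `whsec_test` signing secret and the sample event are hypothetical, and the lookup is passed in as a callable so the block runs offline.

```python
import hashlib
import hmac
import json
import time


def verify_signature(payload, sig_header, signing_secret, tolerance=300, now=None):
    """Check a Stripe-Signature header of the form t=<ts>,v1=<hex HMAC-SHA256>."""
    fields = [p.strip().partition("=") for p in sig_header.split(",")]
    timestamp = next((v for k, _, v in fields if k == "t"), None)
    candidates = [v for k, _, v in fields if k == "v1"]
    if timestamp is None or not candidates:
        raise ValueError("malformed Stripe-Signature header")
    signed = timestamp.encode() + b"." + payload
    expected = hmac.new(signing_secret.encode(), signed, hashlib.sha256).hexdigest()
    if not any(hmac.compare_digest(expected.encode(), c.encode()) for c in candidates):
        raise ValueError("signature mismatch")
    # Reject replays of old, validly signed deliveries.
    if abs((time.time() if now is None else now) - int(timestamp)) > tolerance:
        raise ValueError("timestamp outside tolerance")


def secret_for_event(payload, sig_header, signing_secret, find_secret, now=None):
    """Verify the webhook, then fetch the secret of the account that sent it."""
    verify_signature(payload, sig_header, signing_secret, now=now)
    account = json.loads(payload).get("account")
    if not isinstance(account, str) or not account.startswith("acct_"):
        raise ValueError("event carries no account ID")
    # Same call as in the reply above; stripe_account selects the installing account.
    return find_secret(name="super_sneaky_secret", scope={"type": "account"},
                       stripe_account=account)


def stripe_find_secret(**params):
    """Real lookup (assumes the stripe package is installed and stripe.api_key is set)."""
    import stripe
    return stripe.apps.Secret.find(**params)


if __name__ == "__main__":
    # Constructed sample: fake signing secret, fake event, stubbed lookup.
    body = b'{"id": "evt_test", "account": "acct_TEST123"}'
    ts = str(int(time.time()))
    mac = hmac.new(b"whsec_test", ts.encode() + b"." + body, hashlib.sha256).hexdigest()
    print(secret_for_event(body, f"t={ts},v1={mac}", "whsec_test",
                           lambda **kw: kw["stripe_account"]))
```

In a real handler, pass `stripe_find_secret` as `find_secret` and feed in the raw request body, not a re-serialized copy, since the signature covers the exact bytes.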