Skip to content
Create account or Sign in
The Stripe Docs logo
/
Create accountSign in

Manage access and API keys

Manage who can access a sandbox.

Use the Stripe Dashboard to grant users access to your sandbox.

Manage access

You can manage access to your sandbox using Team management in your live account’s settings, your live organization’s settings, or directly from a sandbox or organization sandbox.

You can assign a role directly to give a user access to a specific sandbox. You can assign a different role in a sandbox than the one the user holds in other sandboxes or in your live account or organization.

To grant access to organization sandboxes, you must assign the user a role in your live organization.

Manage API keys

Stripe uses the API keys associated with a sandbox to authenticate API requests made to the applicable sandbox environment. We raise an invalid request error if you don’t include a key and an authentication error if the key is incorrect or outdated.

Use the Developer Dashboard within the sandbox to reveal, revoke, and create API keys. Learn more about API keys.

Grant users access to all sandboxes in an account

When you assign the Sandbox Administrator role to a team member in your live account, they gain access to every sandbox linked to that account.

To add more team members to all sandboxes connected to your live account:

  1. Navigate to your live account in the Dashboard.
  2. Click the account picker > Settings in the Dashboard.
  3. Click Team and security > + Add member, then enter one or more email addresses. Select the Sandbox Administrator role.
  4. Click Send invites.

Grant users access to all sandboxes in an organization

When you assign the Sandbox Administrator role to a team member in your live organization, they gain access to every organization sandbox linked to that organization, as well as every sandbox linked to the live accounts within your organization.

To add more team members to all sandboxes and organization sandboxes connected to your live organization:

  1. Navigate to your live organization in the Dashboard.
  2. Click the account picker > Settings in the Dashboard.
  3. Click Team and security > + Add member, then enter one or more email addresses. Select the Sandbox Administrator role.
  4. Click Send invites.

Grant users access for testing only

When you grant a team member the Sandbox User role, you’re granting them access to create sandboxes and delete sandboxes they’ve created.

To invite additional team members to only the sandboxes associated with your live account or organization, without granting access to any details of your live account or organization:

  1. Navigate to your live account or organization in the Dashboard.
  2. Click the account picker > Settings in the Dashboard.
  3. Click Team and security > + Add member, then enter one or more email addresses. Select the Sandbox User role.
  4. Click Send invites.

Grant users access to a specific sandbox

To invite additional team members to a specific sandbox or organization sandbox:

  1. Navigate to the sandbox or organization sandboxes in the Dashboard.
  2. Click the account picker > Settings in the Dashboard.
  3. Click Team and security > + Add member, then enter one or more email addresses and select a role.
  4. Click Send invites.

Note

Stripe automatically assigns the invited user the Sandbox User role in the live account or organization if they don’t already have a live role.

Revoke user access to sandboxes

To revoke a user’s access:

  1. Navigate to the live account, live organization, sandbox, or organization sandbox where that user has a role assignment in the Dashboard.
  2. Click the account picker > Settings in the Dashboard.
  3. Click Team and security, then click the overflow menu ().
  4. Click Remove member to revoke their access.

Manage user access to sandboxes with SSO

You can manage access to sandboxes through single sign-on (SSO) SAML assertion by updating the attribute statements to specify roles within a sandbox.

For a user to access a sandbox through SSO, they must have:

  • A role in the livemode parent (the live organization or live account)
  • A role that grants access to sandboxes, in either the specific sandbox or in the live account

The following roles in your live account automatically provide access to sandboxes:

  • Admin and Super Admin: Admin and Super Admin users can create, manage, and view all sandboxes under the account or organization.
  • Developer: Developer users can create new sandboxes and access any sandboxes they create themselves.
  • Sandbox Administrator: Sandbox Administrator users can create, manage, and view all sandboxes under the account or organization. However, this role doesn’t grant any livemode permissions.
  • Sandbox User: Sandbox User users can only access sandboxes. They have no permissions in the livemode account. Like Developers, they can create new sandboxes and access any sandboxes they create themselves.

For more information about these roles, see User roles.

SSO configuration examples

The following examples demonstrate how to configure your identity provider (IdP) to grant access to sandboxes using SAML attribute statements.

Grant access to a specific sandbox

To grant a user access to a specific sandbox, your IdP admin needs to send a role attribute with the sandbox account ID in the SAML assertion.

For example, to grant a user the analyst role in a specific sandbox account:

<Attribute Name="Stripe-Role-acct_SANDBOX_ID">
    <AttributeValue>
        analyst
    </AttributeValue>
</Attribute>

Allow users to create and manage their own sandboxes

To grant users the ability to create their own sandboxes, assign the sandbox_user role in the live account:

<Attribute Name="Stripe-Role-acct_LIVEMODE_ACCOUNT_ID">
    <AttributeValue>
        sandbox_user
    </AttributeValue>
</Attribute>

You can combine the sandbox_user role with other roles if you want the user to have additional permissions in the live account:

<Attribute Name="Stripe-Role-acct_LIVEMODE_ACCOUNT_ID">
    <AttributeValue>
        analyst
    </AttributeValue>
    <AttributeValue>
        sandbox_user
    </AttributeValue>
</Attribute>

When users have the sandbox_user role, they can create sandboxes and access the sandboxes they’ve created. You don’t need to send a role statement for each individual sandbox.

Allow users to access all sandboxes

To grant a user access to all sandboxes under a live account or organization, assign the sandbox_admin role in the live account:

<Attribute Name="Stripe-Role-acct_LIVEMODE_ACCOUNT_ID">
    <AttributeValue>
        sandbox_admin
    </AttributeValue>
</Attribute>

You can combine sandbox_admin with additional roles for the live account or organization:

<Attribute Name="Stripe-Role-acct_LIVEMODE_ACCOUNT_ID">
    <AttributeValue>
        analyst
    </AttributeValue>
    <AttributeValue>
        sandbox_admin
    </AttributeValue>
</Attribute>

When a user has the sandbox_admin role, they can access all sandboxes. You don’t need to send role statements for individual sandboxes.