
Restricted API key authentication

Generate a permissioned restricted API key (RAK) when a user installs your app.

Stripe Apps can use restricted API keys (RAKs) for authenticating with Stripe APIs. These apps provide users with a RAK with specific permissions after they install the app.

If your integration previously relied on users to provide their secret key, you might be able to use a RAK Stripe App as a replacement. Because RAKs work in the same manner as secret keys, using them for authorization might require no changes to your back-end code.

RAK authentication benefits

  • The key generated by the app contains only the necessary permissions for the app to function, which gives users more secure control of their account’s data.
  • Because the app already has defined permissions, installing users don’t need to manually select the permissions to add to the restricted key. Users only need to install the app and click a button to generate the key.

RAK authentication limitations

  • Using RAK authentication requires at least some user interaction. Users must generate the key through the app and provide it to a partner or an integration.
  • When using RAK authentication for your app, UI extensions might not function properly. RAK authentication supports the app settings page, but UI extensions won’t have access to additional Dashboard context.

Installation

A user installing a Stripe App that uses RAK authentication follows these steps:

  1. From the App Marketplace or through an install link, the user selects the appropriate account and accepts permissions for installing the app.
  2. After installing the app, we redirect the user to the settings page for the app to generate a restricted API key, provisioned with the proper permissions.

    The "View API Keys" button on the settings page for a RAK app

  3. The user copies the generated key and provides the key to your site.

    Copying the app keys from settings page
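
An intake check your site could run on the key the user provides in the last installation step, added here as an example and not Stripe's own code. `accept_user_key`, `RestrictedKey` and `auth_header` are hypothetical names, the sample keys are constructed, and the check assumes Stripe's key prefix convention (`rk_` restricted, `sk_` secret, `pk_` publishable).

```python
import re
from dataclasses import dataclass

# Stripe key prefixes: rk_ = restricted, sk_ = secret, pk_ = publishable.
_KEY_RE = re.compile(r"(rk|sk|pk)_(test|live)_[A-Za-z0-9]{10,}")

# Constructed sample values, not real credentials.
SAMPLE_RAK = "rk_" + "test_" + "A" * 24
SAMPLE_SECRET = "sk_" + "live_" + "B" * 24


class KeyRejected(ValueError):
    """Raised when a submitted value must not be stored or used."""


@dataclass(frozen=True, repr=False)
class RestrictedKey:
    value: str
    livemode: bool

    def redacted(self) -> str:
        # Prefix plus last four characters: enough to identify, not to use.
        return f"{self.value[:8]}...{self.value[-4:]}"

    def __repr__(self) -> str:  # keeps the key out of logs and tracebacks
        return f"RestrictedKey({self.redacted()})"


def accept_user_key(raw: str, expect_live: bool) -> RestrictedKey:
    """Hypothetical intake check for the key a user pastes into your site."""
    key = raw.strip()
    match = _KEY_RE.fullmatch(key)
    if match is None:
        raise KeyRejected("not a Stripe API key")
    kind, mode = match.groups()
    if kind != "rk":
        # A full secret key grants far more than the app's permissions.
        raise KeyRejected(f"{kind}_ key supplied; a restricted (rk_) key is required")
    if (mode == "live") != expect_live:
        raise KeyRejected(f"{mode}-mode key does not match this environment")
    # The prefix says nothing about which permissions the key carries;
    # a missing permission only shows up when an API call is refused.
    return RestrictedKey(key, mode == "live")


def auth_header(key: RestrictedKey) -> dict:
    # Sent exactly as a secret key would be, so request code is unchanged.
    return {"Authorization": f"Bearer {key.value}"}
```

The rejection messages name only the key type and mode, never the submitted value, so they are safe to return to the user or write to logs.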

Develop your app

  1. Install the Stripe Apps CLI plugin (if you haven’t already done so).

  2. Create your app using our template.

    Command Line
    stripe apps create <app-name> --template restricted-api-key-app

    If you have an existing app, run this command in Stripe CLI:

    Command Line
    stripe apps set api-access-type restricted_api_key

  3. Add all the permissions that your app requires.

  4. Edit your app settings page. If you use the template above, a settings view is automatically created. We recommend adding instructions or links to your own documentation on this page for users to reference when setting up your app.

    The install link page showing app permissions

    Example app settings page

  5. Upload your app to Stripe.

    Note

    After you upload your RAK app, you can’t change the API authentication method.

    Command Line
    stripe apps upload

Test your app

You can test the RAK authentication on your own account.

  1. Install your app in test mode on your account. You can also configure the app manifest to enable installation in sandbox environments.
  2. Go to your installed apps page in settings and click your recently installed app.
  3. From the app settings page, click View API keys. Copy this secret key to test your integration.

To test your app on a different Stripe account than the one used to develop your app, use external testing.
