Migrate or build a plugin using Stripe Apps
Use OAuth 2.0 or RAK to authenticate your plugin's users.
Previously, Stripe allowed third-party plugins to request the standard API keys of a user to integrate with their products. Since January 2024, Stripe requires plugins to leverage Stripe Apps. All new and existing plugins must use a Stripe App to authenticate users for their service using OAuth 2.0 or a restricted API key.
If you have an existing plugin, migrate to the standard Stripe Apps integration path for security and compliance purposes. Migrating an existing plugin to a Stripe App integration only requires you to change your plugin’s authentication method.
Reasons to migrate
Authentication through a Stripe App is the new default and standard integration path for all new plugins, extensions, and partner connectors. The following are the benefits of the new integration path:
- More efficient onboarding: Your users don’t have to manually create API keys.
- Improved security: Restricted API keys protect users if their keys are exposed.
- Analytics: Get visibility on your app’s adoption and performance.
- Discoverability: Stripe Apps give broad visibility to your product through the Stripe Dashboard, Stripe App Marketplace, and our partner program.
- Verified Partner: Join the Apps track in Stripe Partner Ecosystem to get co-sell, marketing, and technical benefits.
What happens if you don’t migrate
If you don’t migrate your authentication to a Stripe App, it will continue to work as it does today, without impact to users until 2024. We’ll continue to support plugins on our backend until the end of 2024.
Impact on your users after you migrate
If you choose to migrate, your users must re-onboard and re-authenticate their plugin. To migrate or build a plugin, choose either OAuth 2.0 (recommended) or Restricted API Key (RAK) authentication. OAuth is the least complex way for users to securely authenticate a plugin. RAK doesn’t require any additional backend setup from you. However, users must still copy and paste generated Stripe API keys to your third-party plugin. This method increases the complexity of the authentication process for your users.
Before you begin
- Review and complete the Before you begin section of Getting started with Stripe Apps. Ensure you’ve installed the latest version of the Stripe CLI.
- Choose your authentication type (OAuth or RAK). After you upload your app, you can’t change the authentication method. For more information about authentication, see API authentication.
- If you use Stripe Connect and want to migrate an existing plugin through Stripe Apps, you must create a new Stripe account. Currently, a Stripe account with Connect enabled can’t publish an app.
- You can only create one public app per account. If your account already has a public app and you want to publish another one, you must create a new Stripe account. You can still create multiple private apps in tandem with the public app on the same account.
Choose an authentication method to migrate or build your plugin:
Develop your app
Create your Stripe App by running `stripe apps create <app-name>` in the CLI.
- Make sure your app name doesn’t exceed 35 characters.
- When naming your app, don’t use the following terms:
  - Authenticator
  - RAK
  - Generator
  - RAK Auth
  - App
  - Generator App
- Here are some examples of acceptable names: Analytics Pro by DataWiz, Invoice Manager by PayFlow.
- If you’re developing an app for a 3rd party service, follow this naming convention: [App Functionality] by [Developer Name]. For example, Hubspot Sync by Boomi.
Edit the following fields in the app manifest:
- Set `stripe_api_access_type` to `oauth`.
- Set `distribution_type` to `public`.
- Set your `allowed_redirect_uris`. These are the URLs that users are redirected to after installing your app using OAuth. The first one in the list is used as the default redirect.
Your app manifest should look like this:
stripe-app.json
```json
{
  "id": "com.example.my-app",
  "version": "0.0.1",
  "name": "Your Stripe App",
  "icon": "./[YOUR_APP]_icon_32.png",
  "permissions": [
    // Your app permissions here
  ],
  "stripe_api_access_type": "oauth",
  "distribution_type": "public",
  "allowed_redirect_uris": [
    // Your redirect URIs here
  ]
}
```
Add all the permissions that your app requires.
(Optional) Add UI extensions to your app. We recommend adding a settings view to allow your users to configure settings or to link to your app’s documentation. If your app’s only purpose is for authentication such as RAK or OAuth, make sure to remove any unnecessary UI or UX code. This helps reduce confusion and keeps the app focused on its primary function.
Upload your app to Stripe.
Command Line
```
stripe apps upload
```
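A pre-upload check for the manifest fields set in the steps above, worth running before `stripe apps upload` because the authentication method can't be changed afterwards. This is an added example, not Stripe's code: `check_manifest`, the whole-word reading of the naming rule, the https-only redirect check, and the sample manifests are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Terms the page says not to use in an app name (longer phrases first).
BANNED_TERMS = ["Generator App", "Authenticator", "RAK Auth", "Generator", "RAK", "App"]
MAX_NAME_LEN = 35  # limit stated on the page


def check_manifest(manifest):
    """Return a list of findings for a parsed stripe-app.json (a dict)."""
    findings = []
    name = manifest.get("name", "")
    if not name:
        findings.append("name: missing")
    if len(name) > MAX_NAME_LEN:
        findings.append(f"name: {len(name)} characters, limit is {MAX_NAME_LEN}")
    # Assumption: a banned term counts when it appears as a whole word.
    for term in BANNED_TERMS:
        if re.search(rf"\b{re.escape(term)}\b", name, re.IGNORECASE):
            findings.append(f"name: contains banned term '{term}'")
            break
    if manifest.get("stripe_api_access_type") != "oauth":
        findings.append("stripe_api_access_type: must be 'oauth'")
    if manifest.get("distribution_type") != "public":
        findings.append("distribution_type: must be 'public'")
    uris = manifest.get("allowed_redirect_uris")
    if not isinstance(uris, list) or not uris:
        findings.append("allowed_redirect_uris: at least one URI is required")
        return findings
    for i, uri in enumerate(uris):
        parsed = urlparse(str(uri))
        # The first entry is the default redirect, so name it in the finding.
        label = "default redirect" if i == 0 else f"redirect #{i + 1}"
        # Hardening check added by this example (not a rule from the page):
        # the redirect carries OAuth parameters, so require absolute https.
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"{label}: '{uri}' is not an absolute https URL")
    return findings


# Constructed sample manifests (not real apps).
GOOD = {"name": "Invoice Manager by PayFlow", "stripe_api_access_type": "oauth",
        "distribution_type": "public",
        "allowed_redirect_uris": ["https://plugin.example.com/stripe/callback"]}
BAD = {"name": "RAK Auth Generator",
       "allowed_redirect_uris": ["http://plugin.example.com/cb"]}

if __name__ == "__main__":
    for finding in check_manifest(BAD):
        print(finding)
```

The manifest template on this page contains `//` placeholder comments, so remove them before parsing the file with a strict JSON parser and passing the result to `check_manifest`.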
Test your app
- Navigate to your app’s details page.
- Open the External test tab and click Get started to set up an external test.
- Access the authorize links in the Test OAuth section. You can use this link to test with your own account.
Configure OAuth 2.0
Make sure you’ve configured OAuth 2.0 correctly. To learn how to save and refresh access tokens, see OAuth setup.
Publish and distribute your app
When you’re ready to distribute your app to users:
- Submit your app for review.
- After your app is approved, publish your app to Stripe App Marketplace.
- From the app details page, click the Settings tab.
- Copy the Install link. Users can use this link to install your app.