XF 2.2 Stripe restricted API key

sub_ubi

Well-known member
I'd like to use a restricted API key from Stripe on Xenforo. Does anyone know which exact keys Xenforo needs for customers to make a purchase?


 
I'm actually not sure you can use restricted keys.

It seems as though across the JS and PHP we touch upon these areas:

Read:
  • Account
  • Invoice
Read/Write:
  • Subscription
  • Payment Method
  • Charge
  • Payment Intent
  • Product
  • Plan
  • Customer
The main issue I think is I'm not sure what permission you need to grant for "account". It may be that you get it automatically. Or it may be that it will only work with an account-level key. If that's the case then it's not currently possible to use a restricted key as we require an account object, though we may be able to work around that requirement.

Hopefully that helps.
 
The main issue I think is I'm not sure what permission you need to grant for "account".
I tested it out and found that Stripe gives the permission ID in the error logs when it returns a 403 response. Unfortunately, there's no obvious way to map those permission IDs to the settings in the API key GUI, but some searching seemed to indicate rak_connected_account_read--the permission needed for GET account--can be granted by setting "All Connect resources" to "Read". In my testing, that worked, but I'm not sure whether it's possible to set something more restrictive.
 
Here's what seems to be working for me on a test site. If a checkmark is next to a permission, it means I've verified that the permission is necessary--API calls were failing without it. Permissions without checkmarks mean I didn't verify they were necessary and just assumed they would need to be set.
  • All core resources
    • Charges: Write
    • Customers: Write
    • PaymentIntents: Write
    • PaymentMethods: Write
    • Products: Write
  • All Billing resources
    • Credit notes: Read ✅
    • Plans: Write
    • Subscriptions: Write ✅
  • All Connect Resources: Read ✅
I don't plan to test this on a live site yet. If anyone else tests it, let me know how it goes.
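The two posts above boil down to a repeatable check: call each Stripe object type XenForo touches with the restricted key and see which calls come back 403, then read the permission ID out of the error message. The script below is an added example for doing that before a key goes live; it is not XenForo's or Stripe's code. It only issues read-only list/retrieve calls (no objects are created, so it is safe against a live account, and it therefore cannot prove the Write grants are sufficient), it assumes Stripe accepts `Authorization: Bearer <key>`, answers a permission problem with HTTP 403 and a JSON body of the form `{"error": {"message": ...}}`, and that permission IDs appear in that message as tokens starting with `rak_` (the thread saw `rak_connected_account_read` for GET /v1/account). `demo_transport` is a constructed offline stand-in for the network so the script runs without a real key.

```python
"""Probe which Stripe object types a restricted API key can read.

Added example (not XenForo's or Stripe's own code). Assumptions:
  - Stripe's REST API accepts `Authorization: Bearer <key>` and reports a
    missing restricted-key permission as HTTP 403 with a JSON body
    {"error": {"message": "..."}}.
  - Permission identifiers appear in that message as `rak_...` tokens
    (the thread observed rak_connected_account_read for GET /v1/account).
"""
import json
import os
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

STRIPE_BASE = "https://api.stripe.com"

# Read-only probes for the object types the XenForo reply lists. Each is a
# plain list/retrieve call with no side effects. payment_methods is omitted
# because its list endpoint needs extra query parameters.
PROBES: Dict[str, str] = {
    "account": "/v1/account",
    "invoice": "/v1/invoices?limit=1",
    "subscription": "/v1/subscriptions?limit=1",
    "charge": "/v1/charges?limit=1",
    "payment_intent": "/v1/payment_intents?limit=1",
    "product": "/v1/products?limit=1",
    "plan": "/v1/plans?limit=1",
    "customer": "/v1/customers?limit=1",
}

# A transport takes (path, key) and returns (http_status, response_body).
Transport = Callable[[str, str], Tuple[int, str]]

PERMISSION_ID = re.compile(r"\brak_[a-z0-9_]+\b")  # assumed token shape


def http_transport(path: str, key: str) -> Tuple[int, str]:
    """Real transport: one GET against the Stripe API with the given key."""
    req = urllib.request.Request(
        STRIPE_BASE + path, headers={"Authorization": f"Bearer {key}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo_transport(path: str, key: str) -> Tuple[int, str]:
    """Constructed offline stand-in: a key missing Connect and Billing grants."""
    if path == "/v1/account":
        body = {"error": {"message": "This key lacks rak_connected_account_read."}}
        return 403, json.dumps(body)
    if path.startswith("/v1/subscriptions"):
        return 403, json.dumps({"error": {"message": "Insufficient permissions"}})
    return 200, '{"object": "list", "data": []}'


def classify(status: int, body: str) -> str:
    """Map one response to 'ok', 'forbidden:<permission or message>', or 'error:<status>:<message>'."""
    if 200 <= status < 300:
        return "ok"
    try:
        message = json.loads(body).get("error", {}).get("message", "")
    except (ValueError, AttributeError):
        message = body[:200]
    if status == 403:
        found = PERMISSION_ID.search(message)
        return "forbidden:" + (found.group(0) if found else message)
    return f"error:{status}:{message}"


def probe_key(key: str, transport: Transport = http_transport) -> Dict[str, str]:
    """Run every probe with the key and return {object_type: classification}."""
    return {name: classify(*transport(path, key)) for name, path in PROBES.items()}


def missing_permissions(results: Dict[str, str]) -> List[str]:
    """Object types the key could not read; each needs a grant in the key GUI."""
    return sorted(name for name, r in results.items() if r.startswith("forbidden:"))


if __name__ == "__main__":
    key = os.environ.get("STRIPE_RESTRICTED_KEY")  # set to a real rk_ key to go live
    transport = http_transport if key else demo_transport
    results = probe_key(key or "rk_test_placeholder", transport)
    for name, outcome in results.items():
        print(f"{name:15s} {outcome}")
    print("missing read access:", missing_permissions(results))
```

Run it with `STRIPE_RESTRICTED_KEY` set to a test-mode restricted key; without the variable it uses the constructed transport and reports `account` and `subscription` as forbidden, which is the shape of output you would see before granting "All Connect resources: Read" and the Billing permissions. Anything reported as `forbidden:` with a bare message rather than a `rak_` token means the permission ID was not in the response body, so check the Stripe dashboard logs for that request as the post above describes.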
 