#bohjio

hello! Not really. The Stripe App must be granted with the relevant Object permissions (https://stripe.com/docs/stripe-apps/reference/permissions#object) in order to read or write. You also need need to specify the permission requests in the App manifest (https://stripe.com/docs/stripe-apps/reference/app-manifest#permissionrequest)

yes - assume that the manifest is updated to grant access

in that case a platform app can access on behalf of the user with just the account_id?

yep, pretty much. You can try it out

so stripe maintains a link between my STRIPE_API_KEY and the users account_id - knowing what to allow?

and when the user uninstalls the app - that permissions gets revoked?

if my understanding is correct, then its helpful because then I do not have to build separate authentication logic in my backend. I can just rely on stripe account_id, user_id, and signature to manage users in my application.