pix-apikey-permission | Stripe Developers | Page 1

raw sigilBOT Oct 25, 2023, 11:12 PM

#

Hello 1pix1, we'll be with you shortly! Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.
• 1pix1, 11 hours ago, 11 messages

runic marsh Oct 25, 2023, 11:12 PM

#

pix-apikey-permission

#

@odd geode correct if they have your real API key they can do ~anything on the account. You can create an API key with limited permissions but then that key can't do everything.
And at most companies the developers would be trusted or would only have access to the Test key and not the Live one for example.

odd geode Oct 25, 2023, 11:14 PM

#

Is this possible?

#

Set Up a Stripe Webhook:
- Head over to your Stripe Dashboard.
- Go to the "Webhooks" section and click "Add endpoint."
- Enter a URL where Stripe can send the webhook events. This should point to a server or service you control.
- Select to receive the charge.refunded event. This event is sent when a refund is created.
Develop a Webhook Receiver:
- Create an endpoint on your server or use a serverless function platform (e.g., AWS Lambda, Google Cloud Functions, Azure Functions) to receive POST requests from Stripe.
- Validate incoming events to ensure they're genuinely from Stripe. Stripe provides official libraries and documentation on how to verify webhook signatures.
- Once the event is validated and you've confirmed it's a charge.refunded event, proceed to the next step.
Roll the Secret API Key:
- Use the Stripe API to roll the key. The Stripe API allows you to create and revoke API keys programmatically.
- You can use Stripe's official libraries in various languages to interact with the API. Here's a pseudo-code example in Python to demonstrate the process:

import stripe

stripe.api_key = 'your_current_secret_key'

# Create a new API key
new_key = stripe.ApiKey.create()

# Now, replace your old secret key with this new one wherever you've stored it (e.g., environment variable, secret management tool, etc.)

# Optional: You might also want to revoke the old key after updating all your systems
# stripe.ApiKey.delete('old_key_id')

Handle Failures:
- Rolling an API key is a sensitive operation. If anything goes wrong (e.g., network issues, Stripe API errors), you should be notified immediately.
- Implement error handling and possibly a retry mechanism. Ensure you're alerted (e.g., through email, SMS, or a monitoring tool) if there's an issue.
Test the Setup:
- It's crucial to test this setup in a safe environment before deploying it to production. Stripe provides a test mode that allows you to simulate transactions and refunds without real money being involved. Use this to ensure your webhook receiver and API key rotation script work as expected.
Security Considerations:
- Always use HTTPS for your webhook endpoint to ensure data confidentiality and integrity.
- Store your API keys securely. Use environment variables, secret management tools, or dedicated configuration management systems.
- Limit the permissions of your API keys. For instance, if the sole purpose of this exercise is to roll keys, ensure the key used for this purpose doesn't have permissions to make charges or refunds.

This provides you with an automated mechanism to roll your secret API key when a refund is processed. Remember to monitor the system and periodically review its security.

runic marsh Oct 25, 2023, 11:14 PM

#

sorry why are you copy pasting a wall of text?

odd geode Oct 25, 2023, 11:14 PM

#

ChatGPT response, just wondering if that's actually something that is possible

runic marsh Oct 25, 2023, 11:14 PM

#

what's your question?

odd geode Oct 25, 2023, 11:14 PM

#

Is that possible?

#

I'm trying to create an automation that automatically rolls my secret API key whenever a refund is processed

runic marsh Oct 25, 2023, 11:16 PM

#

no that is impossible. There's no API for rolling API keys. If there were then your developer would need access to that API and such, so that doesn't make sense

odd geode Oct 25, 2023, 11:17 PM

#

Alright, would it be possible to implement payments without the use of an API key?

#

I just don't want my developer to see my API key, or have access to use it

runic marsh Oct 25, 2023, 11:18 PM

#

Your developer write the integration in Test mode with a Test API key and set everything up and then they build some flow for you to be able to enter the real API key
But ultimately... like if you don't trust your developer, you can't trust that they will build a UI to enter an API key that they won't log or email to themselves

odd geode Oct 25, 2023, 11:19 PM

#

I just am worried because I have extreme trust issues due to the industry that I am in, and I'm afraid of my developer doing something like this...


stripe.api_key = "YOUR_SECRET_KEY"

# Fetch the list of charges
charges = stripe.Charge.list(limit=100)  # Limit to the first 100 charges. You'll need to paginate if you have more.

for charge in charges:
    try:
        stripe.Refund.create(
            charge=charge.id,
            amount=charge.amount  # This refunds the full amount. Adjust if you want partial refunds.
        )
    except stripe.error.StripeError as e:
        # Handle exceptions, e.g., log them, retry, etc.
        print(f"Error refunding charge {charge.id}: {str(e)}")

runic marsh Oct 25, 2023, 11:20 PM

#

I understand but at some point you have to trust someone to write that code. Or you learn to do it all yourself

odd geode Oct 25, 2023, 11:20 PM

#

He has the power to hurt my business so much, I have processed hundreds of thousands of dollars of payments

#

I'll find out I guess, thanks for the help

#pix-apikey-permission