#pez_api

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1219277528783388673

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

As you can see the first step is

Once the user installs the app it generates a link to this onboarding tool that the business owner can put on their website

The logic is similar to building a stripe app in the marketplace for a store

Only difference is this is for onboarding

Hi 👋 can you tell me more about the permission error you're running into? What request are you trying to make and what permission are you being told is missing?

@nimble dagger apologies for the delay, I wanted to see if you were still around to share more context?

It’s the identity verification request

invalid_request_error
Connected account impersonation is not allowed on this endpoint.

{
 "return_url": "http://stripey.localhost:3000",
 "metadata": {
   "user_id": "test_id"
 },
 "type": "document"
}
Response body
{
 "error": {
   "message": "Connected account impersonation is not allowed on this endpoint.",
   "request_log_url": "https://dashboard.stripe.com/acct_1Osu2fQ7oUnrnvkE/test/logs/req_xCS7i8zUb9q7jz?t=1710631166",
   "type": "invalid_request_error"
 }
}
Request POST body
{
 "return_url": "http://stripey.localhost:3000",
 "metadata": {
   "user_id": "test_id"
 },
 "type": "document"
}

Hm, I see. You're making a request to try to create a Verification Session, and that's erroring because we don't allow you to do that for a Connected Account.

But if a user installs the application.

Can they not do an identity check through my application

The only thing coming to mind to try, is to try to create those Verification Sessions without using the stripeAccount header.

Because essentially it is the same as installing an app for creating a store

The connected account accepts payments so should also be able to do verification some how

I need to find a way to test this

If I take verification header that would mean the id check is being processed on the platform account rather than connected account

Is it because the connected account does not have verification set up. How can I do this

I do not think this is because Identity is not set up for the Connected Account, instead I think the cause aligns with the error being returned indicating that we don't allow impersonation of Connected Accounts for that endpoint.

What if a user installs my app through the market place

I only created a connected account to test it

But I presume it is different if the user actually installs through the app

It’s because I am struggling to find a way to test the capabilities of someone installing the app

How can I test the stripe app as a user. My app is not public as I am still building but I need to find a way to test it

I may not be understanding what you're describing correctly, but it's my understanding that the request to create a Verification Session would still come from your server regardless of who has the app installed.

I think this is the flow you're looking for to let other accounts test your app:
https://docs.stripe.com/stripe-apps/test-app

No because with payments for example, even though it is on my server, the installer of the application accepts the payments. It doesn’t come to the application server owner

The test only works in public apps that are completed and revised by stripe but my app is private on local environment

👋 if you want to test your app, you do have to upload a test version as noted in those docs

Let me reiterate. The verification needs to go through the installer of the app. Stripe charges for verifications so I should not be doing verifications for all these installed applications

In the docs it does not show clearly how to do this. It just says the app has to be public

Okay sorry jumped in before had a full understanding. What you are trying to do here is not possible. You can't make "grandfather" requests as a Stripe App (or as any Connect Platform). There are security vulnerabilities with this so we prevent you from doing this at all.

But you allow grandfather requests for payments?

Setting up a store

If an account installs your app, you can't interact with that account's Connected Accounts.

You certainly can make payments on that account

That works just fine

And this is not through connect

It’s through stripe apps

A Stripe App is basically just another version of a Connect Platform

Same idea really

What if the connect account has identity permissions

The issue with the connected test ones

They do not have identity verification permissions

You can't have permissions on a specific Custom Connected Account to begin with. If the account that installs the app has Identity permissions then that would indicate you could use Stripe Identity on that specific account. So you could use it for instance to verify the identity of customers that you are collecting payments for on that account. But you can't use it to perform Identity checks on that account's Connected Accounts

What is the way around this?

There isn't really, unfortunately. I'll file feedback internally but right now this type of interaction is simply blocked, which is why you are getting the Connected account impersonation is not allowed on this endpoint error

But if it is connected their are doing it and not me. They receive the verification so it doesn’t make sense

As it’s an app I am just a bridge

I am not collecting verification. I am convinced there should be a way because payments work and verifications are just another option

Are you using a Restricted Key app here?

https://docs.stripe.com/stripe-apps/api-authentication/rak is what I'm referring to

No I am not using this. I have just followed the basic tutorial on YouTube

https://m.youtube.com/watch?v=0Ha5NRIs49o&list=PLy1nL-pvL2M5a4QnZYXfzZSdHC9EO8kS1&index=1&pp=iAQB

Right so it is your app's backend that is trying to create the Identity Session here

Like the account installs your app. Your app then makes the API request to trigger the Identity Session, and that is attempted to be done on the Connected Account itself as it is for the onboarding flow.

Yes,

This is my server side code on the controller.

[HttpPost]
 [Route("create-verification-session")]
 public async Task<IActionResult> CreateVerify()
 {

const string Tenant = "tenant";
     Request.Headers.TryGetValue(Tenant, out var TennantValue);

const string Uname = "username";
     Request.Headers.TryGetValue(Uname, out var UserValue);

const string Connected = "connected_ac";
     Request.Headers.TryGetValue(Connected, out var ConnectedValue);

StripeConfiguration.ApiKey = _configuration["Stripe:PrivateKey"];

var options = new VerificationSessionCreateOptions
     {
         Type = "document",
         Metadata = new Dictionary<string, string> { { "user_id", $"{UserValue}" } },
         ReturnUrl = "http://stripey.localhost:3000",
     };

var requestOptions = new RequestOptions
     {
         StripeAccount = $"{ConnectedValue}",
     };

var service = new VerificationSessionService();
     var verificationSession = await service.CreateAsync(options, requestOptions);

var clientSecret = verificationSession.ClientSecret;

return Ok(clientSecret);

}

I am using .net

Yes but no one has downloaded my app yet as it is private. I only tried to test it using a manually created connect account

The app is on your own account right now

That is as-if your account installed it

But I know whit identity each account needs to sign up for identity but this cannot be done in test connect account

Sorry I don't know what you mean by that. I've already told you the limitation here -- you can't create Identity Sessions on Connected Accounts via a Stripe App.

It just isn't possible

Happy to file feedback internally that this is desired.

But from my understanding it has to do with security issues for why we prevent this.

But you suggested rak

No I was asking if that is what you were doing.

Could this be an option

Because if I am getting a key with permissions could this work as willing to try it

No we don't permit the necesary permissions for RAK either -- you can only read from Connected Accounts. Not write to them. Also we don't even have Identity as a RAK permission for Stripe Apps it looks like: https://docs.stripe.com/stripe-apps/reference/permissions#object

RAK Apps are relatively new still

So you have asked the stripe senior developers and they said it’s not possible

I'm telling you it isn't possible, yes.

And I've confirmed by finding a recent internal ticket that states:

due to the difficulties with branding, data privacy, and data ownership, there is no supported path today for a Platform to used Stripe Identity on behalf of their Connected Accounts. We do, however, support accounts directly using Stripe Identity themselves.

Ok, so that would mean the app does the identity check?

No as that would still be a request performed on the "connected account" which is the account that installed your Stripe App.

Ok it seems hypocritical as it is essentially the same thing as making a payment request through the connected account

Yeah I understand that you want this functionality. I'll file feedback internally indicating that.