#bensontrent_best-practices

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1222359014675841064

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

hi there!

what's your question?

I'

I'm about 2 weeks from attempting to publishing an app. Which API Key do I use when I perform API actions on behalf of a user of my app?

this is covered here: https://docs.stripe.com/stripe-apps/api-authentication

I have plaform selected, yet my API key from my company Stripe secret API key does not work for multiple company accounts.

what do you mean by "does not work"? do you get an error message? can you share a specific Request ID (req_xxx) that failed?

When attempting to use the standard VerifyCaller from the StripeApI docs the verifcation fails for company accounts outside the selected company account secret API key and app secret key.

what is "VerifyCaller"? and can you provide a Stripe Request ID that failed?

Verify caller is from the example apps. For example, Let's say we don't require a Stripe Apps User to crate an account outside the Stripe login universe; we piggy-back upon their aleady authenticated Stripe login. so we (as defined in the Stripe apps docs, verify they are who they are who they say they are using

Which secret key do we use in this case?

Verify caller is from the example apps
can you share a link to the example app you are talking about?

See verifyCaller at https://github.com/stripe/stripe-apps/blob/main/examples/basic-auth/backend/src/index.ts

We can make this work on an individual app (or company basis) but how do we publish this app to the pubic)

if your goal is to make API request on behalf of a connected account, then you should use the Stripe-Account header as explained here: https://docs.stripe.com/stripe-apps/build-backend#using-stripe-apis
And when you want to publish your app, you should follow the steps listed here: https://docs.stripe.com/stripe-apps/publish-app

We are about a week away from being bug-free and ready to publish to the public. Is there some understanding among the app reviewers that the app in-review is really in-review? There seems to be no middle ground in between stripe apps upload and stripe apps publish or does the middle ground exist between those commands?

How do we test the endpoints that exist when an app has been published and when it is in review?

I recommend testing your app befor epublishing it. and how to do so is explained here: https://docs.stripe.com/stripe-apps/test-app

The documentation for the lifecycle of publishing an app is lacking. Can you update the documentation for a typical app's stages of publishing to be more clear? I feel lost here.

which part isn't clear exactly? can you share some specific links?

Specifically, we are provided an app secret and a Stripe Secret Key which is used to verify the caller of a stripe app. But these keys don't seem to apply to multiple callers across multiple Stripe company accounts. At what stage do these keys work?

I'm sorry I don't understand your question. I already asked a few times for Request ID that failed so I can better understand the issue, but you provided none so far.

For example, for a user who has installed our app, we want to verify that they are authorized to access our backend api with the signatures of the ueer's account id and user id by the Stripe-provided example of

 stripe.webhooks.signature.verifyHeader(
    JSON.stringify({
      user_id: userId,
      account_id: accountId,
    }),
    sig,
    // The app's secret in your app settings page in the Developers Dashboard
    process.env.APP_SECRET!

Our app secret does not work for accounts not connected to our account.

what do you mean by "not work"? you made an API call and got an error from Stripe? if so can you share the Request ID?

Let me work with my backend developer and I will provide you with a request ID. Please stand by....

By not work, I mean the verify signature request fails.

oh, so you are talking about webhook events?

can you share an Event ID (evt_xxx) that is failing the signature verification?

also can you share the exact error message you see on your backend?

{
"message": "Network Error",
"name": "AxiosError",
"stack": "AxiosError: Network Error\n at XMLHttpRequest.handleError3 (https://cdn.stripeextensions.com/com.shipping.parcel-craft-alpha1/0.3.3/ext.js:39801:16)\n at Axios.<anonymous> (https://cdn.stripeextensions.com/com.shipping.parcel-craft-alpha1/0.3.3/ext.js:40124:45)\n at Generator.throw (<anonymous>)\n at rejected (https://cdn.stripeextensions.com/com.shipping.parcel-craft-alpha1/0.3.3/ext.js:65:31)",
"config": {
"transitional": {
"silentJSONParsing": true,
"forcedJSONParsing": true,
"clarifyTimeoutError": false
},
"adapter": [
"xhr",
"http"
],
"transformRequest": [
null
],
"transformResponse": [
null
],
"timeout": 0,
"xsrfCookieName": "XSRF-TOKEN",
"xsrfHeaderName": "X-XSRF-TOKEN",
"maxContentLength": -1,
"maxBodyLength": null,
"env": {},
"headers": {
"Accept": "application/json, text/plain, /",
"stripe-user-id": "usr_BT2F8iqc4mZM6U",
"stripe-account-id": "acct_1OyjeRFIDb1AHhOt",
"stripe-signature": "t=1711508618,v1=7f44993c27f124ffc5a29b4a1584d70d90ef3f0a742627022e79c955f58a12ea",
"stripe-email": "bensontrent@gmail.com",
"stripe-mode": "live"
},
"method": "get",
"url": "https://dev2api.parcelcraft.com/api/settings/acct_1OyjeRFIDb1AHhOt/acct_1OyjeRFIDb1AHhOtusr_BT2F8iqc4mZM6U?state=966b7196-a2d8-49c8-a429-858e80cf9dff"
},
"code": "ERR_NETWORK",
"status": null
}

It's not a webhook event. We're using verifyCaller as defined as an example in the Stripe Apps Basic Auth example.

that doesn't look like an error related to Stripe, but something related to Axios and network errors. so not sure I can help with this.

I know it's a bit nebulous. The verifyCaller function works if the App Secret ID matches the App Secret of the App Installed as a preview app of the specific app installed as part of the Stripe company in question. No problems there. The question is, this app secret doesn't work for any other Stripe Company installation. How can we possibly test it for other Stripe company ids?

Hi @undone fulcrum I'm Jack, and I'm also an engineer at Stripe

Is the problem about your backend verifying requests sent from your Stripe app? https://docs.stripe.com/stripe-apps/build-backend#send-a-signed-request