#kelley_oauth-apikeys


calm harnessBOT
#

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1283480817880006736

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

toxic sage
#

kelley_oauth-apikeys

#

Hey @cedar elbow! I'm sorry but I don't really understand what that question could mean. What OAuth are you referring to (there is more than one)? What are you really trying to do?

cedar elbow
#

Where do I find those API keys? Are those just standard keys in the developers area or are those special API keys for OAuth? They seem shorter than standard keys.

toxic sage
#

Sorry but you just dumped a wall of text of code with no context and then you shared your Live Secret API key that anyone in this server could have seen and abused.
Please focus on rolling your API keys as fast as possible first.

cedar elbow
#

Those keys are expired, I had written that in ( ), but all good.

#

What do you mean rolling my API keys?

#

I guess my question is:

What keys do I need for my OAuth flow?
What are best practices for exposing or hiding those keys in the WordPress plugin?

toxic sage
#

You had a real sk_live_12345 in the code you shared, you need to make sure that key is rolled entirely, and I think it was your platform's API key.

cedar elbow
#

Where do I find that in my Stripe account?

toxic sage
#

In theory you know where you found your own API keys that you used in your own code as a developer. If you aren't familiar with it, did someone else help you and give you all those keys?

#

Unfortunately I'm still really struggling to follow what you are asking right now sadly. You aren't really providing enough context on what you are doing, what you are building, etc.

cedar elbow
#

I have an ecommerce plugin for WordPress.

We have a Stripe integration.

People can connect their Stripe account via our OAuth integration and connect the account to the plugin.

There was recently a card test on my account so Stripe support expired my keys and I think it was the keys used for OAuth so now people can't connect their Stripes via OAuth in the plugin.

So I am trying to find out what API keys I use for that. Originally my other developer implemented this but he is in a different country so he is away from his keyboard so I am trying to find out what keys I need to use for the OAuth flow.

toxic sage
#

Okay that helps but barely. What do you call "for the OAuth flow"?
Are you just asking which API key to use when making the call to
```
$response = \Stripe\OAuth::token([
    'grant_type' => 'authorization_code',
    'code' => 'ac_123456789',
]);
```

cedar elbow
#

I still use:

```
    'grant_type' => 'authorization_code',
    'code' => $_GET['code'],
] );
```

I get from the query param in the url.

toxic sage
#

Okay but what is your question? The API key to use for that specific call? Or something else?

cedar elbow
#

I don't understand how else to explain my question.

I need to use my Stripe secret keys to authenticate my application with Stripe's API to make API calls on behalf of my plugin.

Those keys I have had originally are now expired. So I need new ones.

Do I just go here and use these keys?

#

I thought these secret keys were used for processing payments and shouldn't be exposed. I thought there were different secret keys for OAuth.

#

Am I mistaken? I am just trying to solve this problem quickly.

toxic sage
#

Yeah sadly you are mistaken in some ways. And I get you're lost since you didn't build this but it's really hard to help if you don't completely know this part of your code.

cedar elbow
#

Wtf

#

In your platform, where do I find the OAuth secret keys I need?

#

Just send me the link to where I find the keys.

toxic sage
#

You as a Connect platform have your own API keys for your own calls. This is true if you accept payments on your own account. But it's also used for other things such as that specific OAuth call you mentioned.

But you absolutely do not want to have those keys shared with the person who installs your plugin. If you do, they can do everything they want with those keys (including refunding all payments).
And the way you are framing your ask is worrying me.

cedar elbow
#

I'm so confused.

#

Want me to authenticate and ask support so you know I am the account owner?

toxic sage
#

No that's unrelated. I see you're confused and clearly frustrated. But you also just blindly leaked a real Live API key in a public forum that anyone can use. Which doesn't reassure me that you understand how sensitive this is.

You also clearly know where to find your API keys since you shared a picture of the Dashboard where to share those API keys. So yes those are the keys you want specifically for the OAuth Token creation. If you know what you're doing, that's your answer. If you don't, I would highly recommend talking to your developer who built this.

cedar elbow
#

Those keys are expired. I mentioned that in my original message. I'm not that dumb.

#

Ok thank you.