#sinduri_api
🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1318822442457890837
[access_token] => rk_test_51PSpz4Kz41T
[refresh_token] => rt_RQ6woLm
[stripe_user_id] => acct_1PSy7kLCBnbyvEki
[stripe_publishable_key] => pk_test_51PSy7****VZUjXmrw
These are the tokens I received when calling the refresh token API, but when I try payments I receive the error below
What's the connected account ID?
acct_1PSy7kLCBnbyvEki - connected account
Ok, it looks like this account is disconnected from a platform
How did it get disconnected? Because when I checked the settings and installed apps I see the WebToffee app
There are three possibilities
- The connected account explicitly revokes the platform access in their account settings.
- The platform explicitly revokes their access to the connected account via the API.
- The platform mistakenly re-uses the authorization code they get during the OAuth flow.
https://dashboard.stripe.com/test/events/evt_1QWu3vLCBnbyvEkipTXMAgqQ based on this event, the platform was recently disconnected
If it's unexpected, then it's likely that you use the same authorization code to call stripe's /oauth/token endpoint twice, which would revoke the access as per OAuth specification.
ok let me check and get back to you
Hi, you're right, the same account is connected in another site, that's why it got disconnected
I need to confirm one more thing
Our plugin customers reported they received an error like this, but instead of pk_test the error message says rk_test
What's the exact error message? do you have the request ID?
The issue is that in these cases there is no error log in either the connected or the platform account
The issue we discussed earlier also does not have any error log in either the connected or the platform account, so it's difficult to identify.
But we could replicate this issue by connecting the same account in a different site 🙂.
But our customers reported the same error, instead of pk_test it's rk_test
Ok, do you have the full error message?
Hi
Now I'm connected to acct_1PSy7kLCBnbyvEki in one of my sites, but when I try payments I receive the same error, expired API key
I have not connected the same Stripe account in any other sites after this, but Stripe still throws the error
Again, can you share with me the exact error message?
Expired API Key provided: pk_test_*********************************************************************************************4D4n9p. Platform access may have been revoked.
For payments we use Stripe.js on the client side and the Stripe PHP SDK on the server side. For OAuth we use a curl Stripe request
Ok, you mentioned that this account isn't connected to any platform. So did you use this account's own API key in the integration?
You misunderstood. I mean the account was recently connected to one of my sites; after the connection I received tokens from Stripe, and by using the same token Stripe returns the above error message. What I meant is that I am not using this same Stripe account connected in any other site, so why did the connection expire?
No, as I said earlier, acct_1PSy7kLCBnbyvEki is not connected to any platform at this moment.
And I've also explained the possible scenarios when a platform access is revoked
- The connected account explicitly revokes the platform access in their account settings.
- The platform explicitly revokes their access to the connected account via the API.
- The platform mistakenly re-uses the authorization code they get during the OAuth flow.
Based on our discussion, it's likely caused by the re-use of auth code.
Did you get a chance to check with your developer to confirm it?
Then how did I receive these tokens from the OAuth tokens API
[access_token] => rk_test_51PSy7kLCBnbyvEkipcX9sIIzjr72IeI2pGO6wtzoFYUlSV7U9sJno4GN5sjzGBXz8yfSWGHVXnyESxFAd868IvRE00WKxork2G
[refresh_token] => rt_RQ7hEULbO60YK4OlmROIie6wHycm0sougdDTwv5E8Z2FyoM2
[account_id] => acct_1PSy7kLCBnbyvEki
[stripe_publishable_key] => pk_test_51PSy7kLCBnbyvEki3CTbkL5oy6BZj3lATRbXPgIod4WIwPncuYNx3Ch4Px2mXqmYj4udr23uYWDWI3xLWbC8FG1i00ZA4D4n9p
It's not about how you receive the token, the key problem that you need to solve here is to make sure that the auth code is only used once.
auth code is used only once
I'd highly recommend you to put some logs in your application to confirm it's only used once. Because this is one of the most common mistakes that I've seen in OAuth integration.
If you are confident that the auth code is used once, then you need to check the other two possibilities
- The connected account explicitly revokes the platform access in their account settings.
- The platform explicitly revokes their access to the connected account via the API.
The connected account explicitly revokes the platform access in their account settings.
=> not done any actions in Stripe account, it still shows WebToffee app as installed in settings
The platform explicitly revokes their access to the connected account via the API.
=> our plugin only uses 2 APIs, one for token exchange - https://docs.stripe.com/stripe-apps/api-authentication/oauth#obtain-access-token and the other for refreshing the tokens - https://docs.stripe.com/stripe-apps/api-authentication/oauth#refresh-access-token
I've found two requests that platform made using the same auth code
This explained why the access was revoked. You need to work with your developer to make sure that auth code is only used once.
No, I don't see this account connected to any platform today.
Can you share with me the ID of the request that you made to connect this account to a platform?
When we tried to connect yesterday we received an error from the Stripe side, which is causing this issue
This is yesterday's case
Currently we are not keeping the request IDs anywhere, and we are not able to filter the requests based on the account ID in our platform account because there are too many requests from different users
Anyway, tried reinitiate the OAuth flow and check the request ID, please wait
this is the recent connection we made just few minutes ago
and see the error message it shows the latest public key as expired
Hey! Taking over for my colleague. Let me catch up.
When inspecting the API endpoints you called
I see that you call /v1/oauth/token multiple times with the same code.
First of all, you need to make sure that your integration doesn't call the same endpoint twice using the same code.
can you send the multiple request ids
You can find the multiple API calls from your Dashboard actually:
https://dashboard.stripe.com/logs?method[0]=post&method[1]=delete&path=%2Fv1%2Foauth%2Ftoken&direction[0]=self&direction[1]=connect_in&showIP=false
You can find for example these two requests.
req_1kuxn8GmikUgRj and req_o3fzryrklnP5qq
https://dashboard.stripe.com/test/workbench/logs?filtered=true&selected=req_WJKpxGXtmiGdC6
this is the API call to exchange the auth code to get access token
But you shared the request IDs of refresh token API call
As per your response there would be multiple calls with same authorisation code
One more case is, there are so many users trying to connect to their own accounts, so each log represents a different user's actions. I am here talking about the account ID - acct_1PSy7kLCBnbyvEki
Sorry, but no. The two request IDs are for /v1/oauth/token
That's not related to this account!! It's related to some other connected account
Yes, those are different accounts, but the root issue seems the same.
But where is the multiple call for exchanging the auth code to get tokens for the specific account - acct_1PSy7kLCBnbyvEki
there is only one API call - https://dashboard.stripe.com/test/workbench/logs?filtered=true&selected=req_WJKpxGXtmiGdC6
The account acct_1PSy7kLCBnbyvEki is no longer connected to your platform account.
The access was revoked, checking why ...
okay
For reference, the previous message from your colleague regarding an event. We didn't do any actions from our end to deauthorise the app
And what about the connected account?
this event is from connected account
not sure why it happened
FYI, a few of our customers also reported a similar kind of issue, but not for the public key, it's for the access token. One of the error messages shared by a customer: Expired API Key provided: rk_test_***************************E8CGau.
Just added here to let you know a similar kind of issue happened for a few customers, but we don't have any other data.
But this issue happened in our own development site, so we have all the relevant data
Ok, could you please try conducting another test case from scratch and share with us the reproduction steps?
This issue happens only with this particular account - acct_1PSy7kLCBnbyvEki
Yes, I understand that... but I'm afraid that we need to have clear reproduction steps in order to understand what happened behind the scenes.
ok
https://demo26.wtdev.xyz/shop/
here you can add product to cart, go to checkout and pay using Stripe
Unfortunately, this is not enough, as we don't see what happens behind that website.
let me share the site access and screen recording
The reproduction steps should look like:
- Create a Connected Account
- Generate access token
- Make action A...
- Make action B...
- Refresh token is expired
I'm not sure that helps either, sorry. You need to provide clear API calls, one by one, that lead to the issue at the end.
With which Stripe API and which request ID for each step
This is the API call to connect the Stripe account
That's already shared
You can check that
Are you able to reproduce the issue with another account?
no
this is the latest call
https://dashboard.stripe.com/test/workbench/logs?object=req_X68y7MvfUbR7Jy&filtered=true
We need clear reproduction steps in order to understand the issue.
I invite you to conduct other tests and try to reproduce the issue by tracing all actions made by your integrations.
This is the API call, only this step is involved in this issue
What else do you want?
Nope, there must be other steps. If that's the case, you should be able to reproduce the same issue on other accounts, I think.
By just calling that API, I wasn't able to disconnect a test Connected Account.
Click this from our Stripe plugin settings page -> redirect to Stripe -> log in to Stripe -> then Stripe returns the authorisation code to the app's redirect URL - these steps do not include any API calls, only redirection
Then we pass the authorisation code to Stripe, this is what I already shared - this is the latest call
https://dashboard.stripe.com/test/workbench/logs?object=req_X68y7MvfUbR7Jy&filtered=true
Then we make a payment and Stripe returns the error as shown in the screenshot - this expired API key error is not logged anywhere, in either the platform or the connected account
So the only API included in this step is the one I shared, there are no other APIs!!
Hi! I'm taking over from my colleague. Please, give me a moment to catch up.
This seems like it will require a lot of context to resolve. I suggest you write to us and we will turn this into a support case. This will give us enough time to reproduce and properly understand the issue.