#nickdnk_unexpected

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1338867971933605899

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.

• nickdnk_code, 3 days ago, 118 messages

Account session being used here for Connected Components: https://docs.stripe.com/api/account_sessions and https://docs.stripe.com/connect/get-started-connect-embedded-components

Maybe I could add just IP restrictions to a secret key?

That means that you will need to use both Secret key and Restricted key within the same system. Perhaps it doesn't make much sense when you just have 1 system, but if you have multiple, it might allow you to grant the restricted key access to sensitive fields just to the one system that needs it.

You wouldn't say that adding the option to add the required capabilities to the restricted key would be something you should do?

You being Stripe

Not sure what you mean by this.

I mean that I would suggest you (Stripe) add the required capabilities for Account Sessions to restricted keys

it seems it is currently just not supported/available as an access level for a key

I understand

You can only select this:

So my feedback here is: Add "Account Sessions" under this section to avoid this particular problem for others

In the meantime, I will try to add IP restrictions to our secret key which is something we have been unable to do previously due to our architecture

I guess since Embedded Components is a new feature it has not been added yet. However, there might have been some security considerations that I'm not aware of.
Feel free to report it to Stripe Support: https://support.stripe.com/?contact=true

Well now you know. You are welcome to take my feedback but I won't spend time going through support as well.

I don't think this will change anything, unfortunately. Secret keys don't have access to the sensitive fields.

Both points are talking about Restricted keys, not Secret keys.

I am going to just try it

If it doesn't work, I guess I'll have to deploy two different keys

You are right, it didn't work, unfortunately.

But I guess having IP restrictions enabled anyway is still good

Hmm. I can't roll a key without selecting expiration

Is that intended?

I don't want it to expire 😄

Ah, I'm dumb, that's of course the previous version