#sumit_code
On the sandbox test mode, I am getting this response:
{
  access_token: 'sk_test_51SIiefO',
  livemode: false,
  refresh_token: 'rt_TFDJl1ZgCktWx',
  token_type: 'bearer',
  stripe_publishable_key: 'pk_test_51SWKjYZ',
  stripe_user_id: 'acct_1SIisxSBFf53eSsG',
  scope: 'read_write'
}
But in the docs access_token, token_type and refresh_token got deprecated, but in sandbox mode it still returns the response like above: https://docs.stripe.com/connect/oauth-reference#post-token-error-codes
Yes they are deprecated in favor of the Stripe Account header. That's a different thing
To clarify, why and which value do you use at
client_secret: this.clientSecret
?
business account stripe Client Id.
Could you say more? I don't see that parameter should be in this step: https://docs.stripe.com/connect/oauth-standard-accounts?lang=curl#token-request
curl https://connect.stripe.com/oauth/token \
  -u sk_test_51SF7xoQgCtrbTwa8Izbo8caP09bPguxiW7uFfKXOrZAgl9tAVbVYP4VpxNfpNDLqLdqBK1OqB6UZPcC4Oc47OgQv00RzUN4QP6: \
  -d "code"="ac_123456789" \
  -d "grant_type"="authorization_code"
i am using this curl
https://docs.stripe.com/connect/oauth-reference?lang=curl#post-token-error-codes
Alright that looks good. I was asking because your code above has
const response = await axios.post(`${this.baseUrl}/oauth/token`,
  new URLSearchParams({
    code,
    grant_type: 'authorization_code',
    client_secret: this.clientSecret
  }), {
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    }
  }
);
And I don't recognize the client_secret here
But it works fine in sandbox mode. When I put it on production with live credentials, the exchange gives the 401 error. I tried multiple times with different Stripe accounts but got the same issue.
class StripeOAuthService extends BaseOAuthService {
  constructor() {
    super({
      clientId: process.env.STRIPE_OAUTH_CLIENT_ID,
      clientSecret: process.env.STRIPE_OAUTH_CLIENT_SECRET,
      baseUrl: 'https://connect.stripe.com',
      apiBaseUrl: 'https://api.stripe.com/v1'
    });
    this.stripe = new Stripe(this.clientSecret);
  }
  async exchangeCodeForToken(code) {
    console.log('Exchanging code for Stripe token...');
    const response = await this.stripe.oauth.token({
      grant_type: 'authorization_code',
      code
    });
    console.log('Token exchange successful');
    return response;
  }
I use the stripe npm package for this, and it works on test. Can you please check whether this is correct or am I missing anything here?
Okie, can you give an example exact UTC timestamp when it failed, and the Stripe Account Id used? I will try to grab some log
time stamp is this - "time":"2025-10-15T11:15:37.690736087Z"
which stripe account id our business or user who tried to connect to our business??
Both of them if possible
i don't have user stripe account id as he was in remote location and we can't ask directly his account. but our business client Id works??
client id:- ca_JP6cN680DXRZPEQlW8zAsBdJkM8aKrKc
yes this was utc time
Ty
Umm sorry can't find any log from our side. What is the exact error message you got?
"request failed with status code: 401" this was the error message
Anything else? Error message?
And in Live mode, was their Stripe Account and your Account completely separated before they clicked to the OAuth link and you sent this API?
Yes, our account and user account are completely separate and there's no link between user and business.
Any chance you can trigger a same error now?
using the same value you got from any earlier log
I just checked with git history, I was using this code for exchange token:
async exchangeCodeForToken(code) {
  console.log('Exchanging code for Stripe token...');
  console.log('Code:', code.substring(0, 20) + '...');
  const response = await axios.post(`${this.baseUrl}/oauth/token`,
    new URLSearchParams({
      code,
      grant_type: 'authorization_code',
    }), {
      auth: {
        username: this.clientSecret,
        password: ''
      },
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      }
    }
  );
That doesn't seem correct. Can you remove the auth path?
Is this correct:
const response = await axios.post(`${this.baseUrl}/oauth/token`,
  new URLSearchParams({
    code,
    grant_type: 'authorization_code',
    client_secret: this.clientSecret
  }), {
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    }
  }
);
here is full one:-
async exchangeCodeForToken(code) {
  console.log('Exchanging code for Stripe token...');
  console.log('Code:', code.substring(0, 20) + '...');
  const response = await axios.post(`${this.baseUrl}/oauth/token`,
    new URLSearchParams({
      code,
      grant_type: 'authorization_code',
      client_secret: this.clientSecret
    }), {
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      }
    }
  );
  console.log('Token exchange successful');
  console.log('Response:', JSON.stringify(response.data, null, 2));
  return response.data;
}
Please remove the client_secret
Follow the Doc closely, there is only code and grant_type
look this curl :-
curl https://connect.stripe.com/oauth/token \
  -u sk_test_51SF7xoQgCtrbTwa8Izbo8caP09bPguxiW7uFfKXOrZAgl9tAVbVYP4VpxNfpNDLqLdqBK1OqB6UZPcC4Oc47OgQv00RzUN4QP6: \
  -d "code"="ac_123456789" \
  -d "grant_type"="authorization_code"
https://docs.stripe.com/connect/oauth-standard-accounts?lang=curl#token-request
hey there! taking over for my colleague
that curl request is correct as it doesn't contain a client_secret, which should not be passed in this POST request
Then what parameter is this, isn't it a client secret: sk_test_51SF7xoQgCtrbTwa8Izbo8caP09bPguxiW7uFfKXOrZAgl9tAVbVYP4VpxNfpNDLqLdqBK1OqB6UZPcC4Oc47OgQv00RzUN4QP6: \
that's the API key
how can i get this??
it should be the same API key your platform uses to make other API requests (i.e. that should be your platform's key, not the connected account's)
you can get your API key from your platform's dashboard, here: https://dashboard.stripe.com/test/apikeys
just for your clarification, i am using this restricted key as client_secret.
a client_secret is used when confirming PaymentIntents or SetupIntents on the client side - it is not relevant for this OAuth flow
can you clarify what you mean by 'i am using this restricted key as client_secret'
Just for nomenclature in my code, this client secret value is the value of the restricted key I have created:
class StripeOAuthService extends BaseOAuthService {
  constructor() {
    super({
      clientId: process.env.STRIPE_OAUTH_CLIENT_ID,
      clientSecret: process.env.STRIPE_OAUTH_CLIENT_SECRET,
      baseUrl: 'https://connect.stripe.com',
      apiBaseUrl: 'https://api.stripe.com/v1'
    });
    this.stripe = new Stripe(this.clientSecret);
  }
  async exchangeCodeForToken(code) {
    console.log('Exchanging code for Stripe token...');
    const response = await this.stripe.oauth.token({
      grant_type: 'authorization_code',
      code
    });
    console.log('Token exchange successful');
    return response;
  }
ok, thanks for clarifying
I'm afraid the issue is still a little unclear
could you provide the request ID for the failed request?
https://support.stripe.com/questions/finding-the-id-for-an-api-request
to clarify, the issue sounds like you're getting an error at this step:
https://docs.stripe.com/connect/oauth-reference#post-token
it's not clear what the full error is, but your code contained a client_secret, which is not a supported parameter for that API request
in order to confirm what's going wrong, we need to confirm the full error message you're getting
The only error I log has the message: "the request failed with status code 401"
I still am not able to understand. It works perfectly with sandbox credentials, where I can exchange the token, but when I shift to test mode, this gives an error
ok, well that means you're likely not correctly setting the API key
401 Unauthorized No valid API key provided.
to authenticate a request to Stripe's API, you must set the API key:
https://docs.stripe.com/api/authentication
for production Stripe connect:- which api key needs to use, restricted api or Standard keys??
you should use the secret API key for this step
which looks like this :- "rk_live..." ??
"rk_live..." is a restricted key, the secret key looks like "sk_live..."
a restricted key is essentially the same as a secret key (both used for server-side requests), but is used for limiting access
https://docs.stripe.com/keys-best-practices#limit-access
Hey, taking over here. Let me know if there's any follow-up Qs I can answer!
I am stuck at Stripe Connect. I generate the URL, the user enters the details, and when the redirect URI is called, I get the code and exchange the code for a token using Node.js like this:
async exchangeCodeForToken(code) {
  console.log('Exchanging code for Stripe token...');
  const response = await this.stripe.oauth.token({
    grant_type: 'authorization_code',
    code: code
  });
  console.log('Token exchange successful');
  return response;
}
It gives me the error message "request failed with status code 401"
It works perfectly in the sandbox test environment, but when I change the credentials and try with real Stripe accounts, it gets stuck on the token API.
It seems like my colleagues already answered you on this
Have you had a chance to double check the API key you are using? You should use your platform secret key and not a restricted one
platform secret key ??? where to find this,
I am using the restricted api key, still it gives error. 401
You need to use the Secret Key and not the restricted.
oh, ok. But we also use Stripe as a merchant (for receiving payments from our users). We don't want to give access to our transactions...will the secret key open access to our transactions?
Hey, taking over here, just taking a look
Secret key would be used server side for your API requests, so wouldn't be exposed
But we also use Stripe as a merchant (for receiving payments from our users). We don't want to give access to our transactions...will the secret key open access to our transactions to our connected accounts??
Can you share the ID (req_xxx) of the API request? https://support.stripe.com/questions/finding-the-id-for-an-api-request
Overall you shouldn't be building a new Connect integration using OAuth, instead you should be creating and onboarding accounts via the API: https://docs.stripe.com/connect/hosted-onboarding