#diydog_docs
Welcome to your new thread!
We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.
We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.
This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1478573412828971009
Have more to share? Add more details, code, screenshots, videos, etc. below.
Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.
- diydog_code, 16 hours ago, 27 messages
- diydog_code, 4 days ago, 72 messages
hi, will be here soon
Once you have the access token, you can already call the Stripe API; you don't need to redirect back to Stripe again.
Do you mean I can directly view Stripe user data on my website? Then what's the point of creating a Stripe app?
But my functionality is on the stripe app.
Shouldn't I be using OAuth 2.0?
Once you've received the access token from step 6, your user has already authorized OAuth 2 via a redirection: https://docs.stripe.com/stripe-apps/api-authentication/oauth#obtain-access-token
You mentioned you already got the refresh token and access token, correct?
The access token has an expiration and is only configured with a limited set of permissions.
This step
In step six, since the backend has already obtained ACCESS_TOKEN and REFRESH_TOKEN, do I not need to return to the stripe app?
No you don't. You can save the tokens to your backend
How do I access my Stripe app?
My interface is built into the Stripe app.
Let me break it down: 1. I install the application. 2. The application redirects to a redirect URL. 3. On the redirect URL page, I retrieve the address bar parameters and request the ACCESS_TOKEN and REFRESH_TOKEN from the backend.
The problem is that I need to redirect to the Stripe app. My functionality is all implemented in the Stripe app. How should I redirect, and how do I know if the user is already verified after the redirect?
Normally you can redirect to your site if you want. The user using your Stripe App would need to open it in their Dashboard anyway.
I went back to my site, and there I made a request to the backend. How does the backend know that I am the same user from before?
Is it possible to use fetchStripeSignature to retrieve credentials, send them to the backend during the request, and then parse them and compare them with the ACCESS_TOKEN and REFRESH_TOKEN stored during the previous redirection?
Your site and your backend should have an auth mechanism, any kind of token to identify each other. It's just that your backend now has a token which can query the user's data.
Nope, you should keep everything related to customer data on the backend, safe with the token.
I'd like to know how the backend verifies the request sent from the Stripe app to the backend.
When I install the application, I'm redirected to a link. On the redirect page, I retrieve the ACCESS_TOKEN and REFRESH_TOKEN. Is the ACCESS_TOKEN required when calling the Stripe API? When I return to the application and send a request, what should I send to the backend, and how does the backend know I own the ACCESS_TOKEN?
Hi! Stepping in for my colleague. Give me a moment to catch up.
I'd like to know how the backend verifies the request sent from the Stripe app to the backend.
- The access token is unique to the specific connection between your application and the user's Stripe account
- Stripe uses this token to identify both your application as the requester and which user's account you're accessing
- The token represents the authorization that the user granted to your application with specific permissions
When I install the application, I'm redirected to a link. On the redirect page, I retrieve the ACCESS_TOKEN and REFRESH_TOKEN. Is the ACCESS_TOKEN required when calling the Stripe API? When I return to the application and send a request, what should I send to the backend, and how does the backend know I own the ACCESS_TOKEN?
- You can only receive the access token and refresh token when you provide an authorization token.
- When you do this step: https://docs.stripe.com/stripe-apps/api-authentication/oauth#obtain-access-token, you get the access token and refresh token.
And then when you send a request, you need to pass the access token: https://docs.stripe.com/stripe-apps/api-authentication/oauth#refresh-access-token:~:text=You can verify the access token by making a request to the Stripe API. For example%3A
how does the backend know I own the ACCESS_TOKEN?
- The access token is unique to the specific connection between your application and the user's Stripe account
- Stripe uses this token to identify both your application as the requester and which user's account you're accessing
- The token represents the authorization that the user granted to your application with specific permissions
You said that sending requests to the backend requires an access token, but I obtained the access token from the redirecting website; I don't have it in the application.
How can I determine if I've already logged in within the application?
Based on this document can you tell me at which step did you get the access token: https://docs.stripe.com/stripe-apps/api-authentication/oauth ?
I obtained it in step six, but step six was obtained from the redirected website.
I'm unable to retrieve the returned ACCESS_TOKEN and REFRESH_TOKEN in the Stripe app.
Can you confirm if you obtain the access token from the redirected website or the authorization code which starts with ac_?
I saw another post by liu'c (https://docs.stripe.com/stripe-apps/pkce-oauth-flow) that shows how to redirect within the Stripe app and then back again, making another request to the backend, which then returns a token.
What you have in the screenshot is the authorization code (ac_) and not the access token. You need to make the API call you see in step 6 by passing the authorization code in the code parameter to get your access token and the refresh token. To make that API call you need to use your own Stripe account's secret key.
Also please delete the screenshot. Thank you!
I know there's a code in the address bar.
That's what I want to ask, not how to obtain the token.
Sorry, I'm a bit confused about the question. Could you clarify what you are asking?
this
If I use a platform key, can I simply use the workflow described at https://docs.stripe.com/stripe-apps/pkce-oauth-flow?
The screenshot you provided shows 3 options. What you described at the start of the chat was OAuth 2.0. But you have highlighted Platform key. Can I check which method are you using?
I'm currently using OAuth 2.0.
My question is, if I use '"stripe_api_access_type": "platform"', will I directly use this workflow 'https://docs.stripe.com/stripe-apps/pkce-oauth-flow'?
If this access_token is sent to the backend, can the backend also call the Stripe API to retrieve user data?
If you pass "stripe_api_access_type": "platform" to your app manifest you cannot use this flow: https://docs.stripe.com/stripe-apps/pkce-oauth-flow
"stripe_api_access_type": "oauth"
I obtained the access token on the redirected page, but how do I know if I've successfully logged in within the application?
If you are referring to the ac_ object in the URL it is not the access token, it is the authorization code. Can I check if you are asking from the app owner or the Stripe user who is connecting to a Stripe app point of view?
Because the Stripe user who is connecting to a Stripe app doesn't need to do anything with the authorization code.
The app owner must take the authorization code, pass it to this API call (https://docs.stripe.com/stripe-apps/api-authentication/oauth#obtain-access-token) and then get the access token.
Please clarify whose point of view are you working from?
I'm using OAuth 2.0. When a user installs an application, they are redirected to my website, where I obtain the token. However, the application doesn't know this.
Do you understand what I mean?
The application and the redirection location are isolated.
Isn't this easy to understand? The problem is that once the process reaches the redirected website, they don't know what to do next.
I just tested your app store's app, Mate. During installation, it doesn't redirect; it follows this process in the dashboard: https://docs.stripe.com/stripe-apps/pkce-oauth-flow. Why does mine redirect?
I'm using OAuth 2.0. When a user installs an application, they are redirected to my website, where I obtain the token. However, the application doesn't know this.
Do you understand what I mean?
So here is where you take the authorization code and exchange it for the access token so you can create relevant API requests using the access token.
The application and the redirection location are isolated.
Isn't this easy to understand? The problem is that once the process reaches the redirected website, they don't know what to do next.
When the user is redirected to your defined URI after installing your app, you have complete control over what happens next. This redirect URI is your webpage. So you can inform them what you think is necessary.
I just tested your app store's app, Mate. During installation, it doesn't redirect; it follows this process in the dashboard: https://docs.stripe.com/stripe-apps/pkce-oauth-flow. Why does mine redirect?
Did you pass a redirect URI?
So does it need to log in again on the Stripe app?
It refers to your user? If yes, they will just need to log into their Stripe account.
When uploading applications, allowed_redirect_uris must be set.
I have full control over the redirected website, but how do I integrate it with the Stripe app since the access token and refresh token are stored on my website?
When users install the app, are they redirected to my website? I send parameters from the address bar to the backend, which then uses these parameters to request your API to obtain a token. The backend then returns the token to me. However, all of this happens on my website; the application runs on your website, and the application request doesn't include a token.
Let's take a step back. Give me a moment to write my reply.
So there are 2 parts to this:
Part 1: User installs the app and authorization
a. User clicks the OAuth link → they are redirected to Stripe → installs the app → redirected back to your website's redirect_uri with an authorization code
b. Your backend exchanges the code for an access_token + refresh_token and stores them on your end
Part 2: Using the app
Can I check: does your app have a custom user interface that operates in the Stripe Dashboard, or is it backend only?
If it is backend only API calls: Your server already has the tokens from the install flow (Part 1). You can use the access_token directly to call the Stripe API on behalf of your user based on what your app is designed for.
If there is a UI then you need the UI extension. You can either use the Secret Store API (https://docs.stripe.com/stripe-apps/store-secrets) to securely pass tokens between your backend and the UI extension OR make fetch calls to your own backend, which already has the token and can perform operations on your user's behalf.
I have a custom user interface that runs in the Stripe control panel. The problem is how to associate the requests I send through the custom user interface with the token stored on the redirect page.
Taking over for my colleague. Let me catch up.
Is redirection only possible for OAuth links? If I don't use an OAuth link, should I follow the workflow outlined at https://docs.stripe.com/stripe-apps/pkce-oauth-flow?
Isn't there a complete official project reference?
Yes, the redirect-to-your-website behavior is specific to the OAuth (stripe_api_access_type: "oauth") flow. When allowed_redirect_uris is set in the app manifest, users get redirected to the developer's site after installing.
The PKCE flow (https://docs.stripe.com/stripe-apps/pkce-oauth-flow) is a different thing: it's for authenticating your app's users with a third-party OAuth provider (like Dropbox, GitHub, etc.) from within the Stripe Dashboard UI extension itself. Importantly:
The PKCE flow uses Stripe's built-in OAuth redirect URL (dashboard.stripe.com/apps-oauth/com.example.your-app) that redirects back into the app in the Dashboard, not to an external site.
It's for when your app needs to connect to a third-party service, not for authenticating with Stripe's own API.
So the PKCE doc is not a replacement for their OAuth flow. It solves a different problem. The customer seems to be conflating the two.
Stripe Apps lets you embed custom user experiences directly in the Stripe Dashboard and orchestrate the Stripe API. - stripe/stripe-apps
The PKCE flow verifies user identity and returns:
{
  account_id: string;
  access_token: string;
  expires_in: number;
}
Therefore, can I use the access_token and account_id to provide to the backend, and can the backend call the Stripe API using these two parameters?
As I mentioned, you can't use the PKCE flow to authenticate with your API.
The access_token the PKCE flow returns comes from the third-party provider; it is not a Stripe API token and cannot be used to call the Stripe API.
Your backend already has the Stripe access_token and refresh_token from the OAuth install flow โ that's the right token for calling the Stripe API.
How does the user's Stripe app relate to the access token obtained through redirection?
The piece you're missing is how to connect your UI extension (running in the Dashboard) to your backend (which has the tokens). Here's how:
1- In your UI extension, use fetchStripeSignature() to send authenticated requests to your backend:
import {fetchStripeSignature} from '@stripe/ui-extension-sdk/utils';

// userContext is the prop the Dashboard injects into your view (ExtensionContextValue)
const response = await fetch('https://your-backend.com/api/data', {
  method: 'POST',
  headers: {
    // Signature that Stripe computes over the user_id/account_id payload;
    // your backend verifies it with the app's signing secret
    'Stripe-Signature': await fetchStripeSignature(),
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    user_id: userContext?.id,
    account_id: userContext?.account.id,
  }),
});
2- Your backend verifies the signature using your app's signing secret, then uses the account_id from the request to look up the stored OAuth access_token for that account and make Stripe API calls.
This way, your backend knows the request is legitimate and knows which user's tokens to use.
you can read more about it here: https://docs.stripe.com/stripe-apps/build-backend
the short answer is through the 'Stripe-Signature' that we will construct for you
Okay, I'll try it.
here's more info https://docs.stripe.com/stripe-apps/build-backend#send-a-signed-request-with-additional-data
and if you're asking where you're getting the user_id and account_id from, we inject that info to your app through the userContext
import type {ExtensionContextValue} from '@stripe/ui-extension-sdk/context';
const App = ({ userContext, environment }: ExtensionContextValue) => {
https://docs.stripe.com/stripe-apps/build-backend#send-a-signed-request
Therefore, using OAuth 2.0 means that PKCE and OAuth workflows are not required.
Does that mean this process is no longer needed?
https://docs.stripe.com/stripe-apps/pkce-oauth-flow
this is only needed if you want to use 3rd-party OAuth flows (like google, meta, github, etc.)
sure let me know if you need any more help