#venkata-rohith-pesal_api
🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1495881183072878616
Hello
We tried Stripe Connect with read_write scope, but users already connected to another platform cannot connect.
That's expected. This is enforced by the CBSP change mentioned here: https://docs.stripe.com/connect/oauth-reference
We explored Extensions for read-only access, but they are deprecated.
Yes, you'd need to build a Stripe App if you need read-only access to the connected accounts' catalogue.
Thanks for the clarification.
Our goal is to let users connect their Stripe accounts through our external web application, not through the Stripe Dashboard. We only need read-only access to data such as customers, products, invoices, and subscriptions.
Since Stripe Connect with read_write does not work for users already connected to another platform, and Extensions are deprecated, do we have any other supported option for this use case in an external web application?
If Stripe Apps are the only supported option, could you please confirm whether there is any supported way to use that access model with an external web application UI?
We are also considering an alternative approach where the user provides a restricted API key, and we use that key in the background for backfill and ongoing read-only access. Would that be a supported approach for this use case?
I don't believe there's another workaround other than building a Stripe App.
> We are also considering an alternative approach where the user provides a restricted API key, and we use that key in the background for backfill and ongoing read-only access. Would that be a supported approach for this use case?
It's not something we actively recommend, but if Stripe Apps is not an ideal solution to your use case, this might work.
Thanks — that helps.
We want to make sure we understand whether this alternative is reasonable for long-term production use for our external web application.
The flow we are considering is:
- The user provides a restricted API key and their Stripe account ID
- We use Stripe APIs in the background to backfill read-only data such as customers, products, invoices, and subscriptions
- We create a webhook endpoint on their Stripe account so real-time events can be sent to our backend and kept in sync
Our reason for not using Stripe Apps is that our product is an external web application, while Stripe Apps are centered around embedding experiences in the Stripe Dashboard.
Since restricted API keys are supported by Stripe and can be used as drop-in replacements for secret keys with scoped permissions, and webhook endpoints can also be created through the API, we want to confirm whether this approach is acceptable as a long-term solution for our use case, even if it is not the primary recommended path.
We want to be sure this is a sound approach before we build it out fully and take it live.
👋 hanzo had to head out, but yes my understanding is that what you describe would be a viable option.
Thanks, that’s very helpful — I really appreciate the clarification.
We’ll proceed with this approach and ensure proper security and permission controls on our side.
I have one final question just to make sure I fully understand this correctly.
If we use OAuth with either read_write or read_only scope, and the user has already connected their Stripe account to another platform, will that user still be unable to connect to our application as described in the article? (https://support.stripe.com/questions/security-permissions-and-access-levels-when-connecting-your-stripe-account-to-a-third-party-platform)
The reason I’m asking again is that before posting here, I had spoken with Stripe support by phone, and I received mixed answers about whether read_only scope would change that behavior. I just want to make sure we have a clear and final understanding.
Please take your time — no rush.
Starting in July 2021, Platforms can request only one type of permission when connecting to your Stripe accounts: read and write. In addition, Stripe…
Appreciate the patience, wanted to be thorough. The support agent was incorrect, or rather his understanding was outdated as it depended on extensions which are deprecated. A user would not be able to connect to your application if they are already connected to another platform.
So the path using restricted keys would still be the most viable option at this point.