#jasontheadams - Connect

Hello again!

First question: I see that we're using the live refresh token combined with the test secret key to retrieve the test token. Is this correct?

I don't think refresh tokens are test or live, they exist at the account level. See the second paragraph under the code snippet in this section: https://stripe.com/docs/connect/oauth-reference#post-token-request

When using a refresh token to request an access token, you may use either a test or live API key to obtain a test or live access token respectively. Any existing access token with the same scope and mode—live or test—is revoked.

Yeah, I saw that. At first I thought that may be our problem, but it turns out that's perfectly valid.

Second question: In the data sent back to their website, we're providing the live and test tokens retrieved from oauth, but we're passing the platform live and test publishable keys. Is this correct?

Which "live and test tokens retrieved from oauth" are you referring to exactly? The ones starting with sk_test and sk_live?

What's weird about this whole thing is our problem (with Checkout, as described in the other thread) only occurs in test mode, not live.

Yes, exactly. The tokens returned from OAuth: an "authorization_code" grant type for the live token, and "refresh_code" grant type for the test token — in two respective requests.

Sorry, I'm not following. You said you're passing four total things to the connected account/website, right? Two of those things are your platform's live and test publishable keys. What are the other two things?

The other two things are the live and test access tokens:

        return redirect(URL::addQueryString($site->return_uri, [
            'stripe_access_token' => $site->stripe_access_token,
            'stripe_access_token_test' => $site->stripe_access_token_test,
            'stripe_publishable_key' => config('stripe.publishableKey'),
            'stripe_publishable_key_test' => config('stripe.testPublishableKey'),
            'stripe_user_id' => $site->stripe_user_id,
            'connected' => 1,
        ]));

Okay, so it sounds like you should be passing the publishable key you get back from OAuth, not your platform's publishable key, if I'm understanding correctly.

Yeah, I was wondering about that. What's strange is that this code has worked for years and only recently test stopped working (live still works). Perhaps we've been living on some kind of edge case that works in Stripe, but is being phased out?

I think that could very well be the case, yeah.

It's very unusual to use a secret key obtained from OAuth with a publishable key not obtained via OAuth.

Are you using the publishable key from the OAuth process for anything?

Not a thing. Hahah! Honestly, someone wrote this code 4ish years ago and it's "just worked" so we haven't touched it.

We use the access tokens and toss the publishable keys to the wind.

I'm sure it made sense at the time? 😅

Uh... okay. 😅

But yeah, you should use those. This is for a plugin, right? Something that runs on other people's infrastructure you don't control?

Exactly. It's a distributed, self-hosted product. Otherwise we'd be using the header like good kids.

In fact, exactly this from the Stripe docs:

For example, if your platform operates as a plugin for WordPress or other self-hosted software, you can make API requests directly from the plugin where your platform’s API keys are not available.

Yeah, so in that scenario you should be passing both the secret and publishable keys you get from OAuth for the plugin to use, not your platform's keys.

Got it. But we're still able to use those to apply our own fees, right?

What do you mean?

On the customer site, under certain conditions, we add a platform fee of 2% to the transaction. I'm just making sure switching the publishable keys won't somehow cause problems.

Switching the keys in the way we've been talking about should not impact fees in any way.

Awesome. Ok, I'm going to test this out now. Thanks so much for your help!