#Stripe983333-accounts-keys


hybrid eagle
#

Hi there 👋 can you help me understand why you're looking to have multiple keys?

copper forum
#

Yes - to configure separately for each application we are connecting Stripe to

#

Just wanted to understand what the best practice is

hybrid eagle
#

It is expected to only have one publishable and secret key per mode (total of 4, 2 test mode, 2 live mode):
https://stripe.com/docs/keys#obtain-api-keys

If you want to use a different key for each app then you will need multiple accounts.

copper forum
#

And it's OK to have multiple accounts tied to the same business name?

final idol
#

what's the underlying thing you're trying to do here? isolate access of data (so app 1 can't access the data for app 2)? allow rotating the credentials for the various apps independently?

#

both? something else?

copper forum
#

Data does not necessarily need to be isolated, but I know these apps are separate and configured differently. When we went to configure our second app, the Stripe integration for the first one broke.

#

(Leading us to believe we might need separate keys)

final idol
#

could you say more about what happened to the 1st integration?

copper forum
#

A team member worked on that so I can't say for certain. If you don't think that should've happened, I can ask them to re-visit if re-using a key between apps is OK

final idol
#

I guess like - backing up a bit

#

you can have >1 secret key per account

#

or >1 restricted key

#

you can't have >1 publishable key, but there shouldn't really be a reason to. there's essentially no reason you'd ever want to rotate your publishable key

copper forum
#

Why is it that in "Test Mode", it only allows 1 secret key?

final idol
#

mm, interesting

#

I suspect it's because you can reveal your test key after creating it, but not so with live keys

#

fundamentally, though, restricted keys & secret keys are the same thing

#

it's just that a secret key has all the permissions by default, whereas you have to specifically opt restricted keys into each individual permission

copper forum
#

So can a restricted key ultimately have all the same permissions as a standard secret key?

final idol
#

yeah

#

it's not totally clear to me what happened to break the 1st app when setting up the 2nd, or whether it had anything to do with the api keys. you'd need to get a bit more colour on what happened to decide whether >1 api key would actually help. one thing that might have happened is if the secret or publishable key given to the 1st app was inadvertently rotated while setting up the 2nd app. I'm not entirely sure that having >1 key really helps a lot there, if that's what happened - it's still possible to inadvertently expire a key, or expire the wrong key. it really just boils down to being careful with key management.

in general, it's totally possible to have two different bits of code using the same api key. there's nothing wrong with that.

#

there's a separate question re: are these two apps really two separate lines of business, with separate risk profiles, etc. if they are, stripe requires that you have an account for each. if they're not, you can have either one account for both, or a separate account for each. cf https://stripe.com/docs/multiple-accounts


copper forum
#

Got it, that's helpful thank you.