#Homemadesteam58-connect

thin oxide
#

hi!

#

yep you can't use AccountLinks for that use case

#

you should just create an entirely new account, use AccountLinks, and then when the user is in the hosted onboarding they can claim that new account and it gets linked to their Stripe login so they have access to both accounts (you only get access to the account you created)

#

overall if you want to connect to existing accounts and view their data you'd need to be an "Extension" and use OAuth, you should talk to our support team about your use case

empty jacinth
#

Thanks for that. It worked!

#

Do you know if there is any way to limit the scopes that my app requests, instead of just full read-write?

#

@thin oxide

thin oxide
#

yes, there's a scope URL parameter in the OAuth link you can use

empty jacinth
#

Thanks. I can see that read_write and read_only are available, but I was wondering if any others were available, other than those?

thin oxide
#

nope, only those two. Out of interest what kind of other scope would you want?

empty jacinth
#

I would like to be able to just create payment links and put charges through, but not be able to see their data.

#

I wouldn't want to be able to see their payment history.

#

Or other sensitive data

thin oxide
#

makes sense, for now it's all or nothing. What we have today is not the final goal and there's a lot of work internally on changing this. For example last year we started locking it down so only certain platforms can get read_only access to other Stripe accounts, and read_write platforms can't access existing accounts and instead create new ones linked to the same user like I mentioned [0] (but that was then reverted earlier this year).

[0] - https://stripe.com/docs/connect/oauth-changes-for-standard-platforms

#

not really relevant but overall the point is that what we have today is far from the final vision of how this works and is not ideal and will change over time

empty jacinth
#

Ah ok. Makes sense. A work in progress.

#

Also, how long do the oauth tokens last?

thin oxide
#

what do you mean by the token specifically? If you mean how long the connection to the account exists after you submit the ac_xxx token in https://stripe.com/docs/connect/oauth-standard-accounts#token-request, it's forever, or until the connected account deauthorises (they can do that in their dashboard) or deletes their account or you deauthorise in the API; if it's for how long the ac_xxx code returned in https://stripe.com/docs/connect/oauth-standard-accounts#redirected lasts, I'm not sure, I think it's maybe 5 minutes, but there's no reason to not use it immediately so shouldn't be an issue

empty jacinth
#

So, from what you are saying, I have forever access to the account, via the account_id, until it is deauthorised?