• I’m trying to connect the plugin using a restricted api key (as using the main standard key is a big security risk – it gives permission for everything)

    Can you confirm which resource/permissions are required for the plugin to work?

    So far I’m just getting this error:
    IntegrationError: You should not use a restricted key with Stripe.js. Please pass a publishable key instead.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Hi, our plugin uses the standard API keys mentioned in the following documentation.

    https://s-plugins.com/general-settings-configuration-of-stripe-payments-plugin/

    We currently don’t have any other option unfortunately. The current API is secure enough. If it wasn’t, then they would not advertise the API at all. If you don’t mind me asking, can you share why you need such a strict API in your site? And, why the current API recommended by Stripe is not safe for you?

    Kind regards.

    Thread Starter smartyp

    (@smartyp)

    It’s not the API that’s insecure – it’s the use of keys that have unlimited access to everything. No app should ever have more permissions than it needs. That’s basic security. This is why Stripe introduced restricted API keys in 2017:
    https://stripe.com/blog/u2f-restricted-keys

    The main api key has permissions to do pretty much anything on a Stripe account – so if those keys are compromised that’s big trouble. It only takes one plugin/theme to ever have a security hole.

    E.g. see the recent case where someone had their keys stolen, probably from a MySQL injection attack – those keys were then used to create a new Stripe sub-account with different bank details and make large volumes of charges that ended up in the hacker’s account. Stripe are pursuing the real owner of that account for the refunds (around $70,000)!

    Using a restricted key makes this kind of thing impossible. Nobody should be using the main api key on a website.

    Plugin Support mbrsolution

    (@mbrsolution)

    Thank you for providing more information regarding the use of restricted API Keys. I have submitted a message to the developers to investigate further your issue/request.

    Kind regards.

    Plugin Author mra13

    (@mra13)

    Hi,
    The permissions required will vary based on the features of the plugin and any potential add-ons utilized on your website. Currently, we do not possess a comprehensive list of these permissions. Therefore, determining the appropriate permissions may involve an iterative process of trial and error.

    If you are using just the core plugin (mainly one time transactions), the following permissions on a restricted key will do the job:

    • Charges
    • Customers
    • PaymentIntents
    • PaymentMethods
    • Checkout Sessions
    • Webhook Endpoints

    Let me know if that works for you.

    Thread Starter smartyp

    (@smartyp)

    Thanks.

    Are write permissions required for all of those? I tried with write anyway just in case, but it looks like more permissions are required as I get the same error as above.

    This is for the basic core plugin, no addons, just one-time transactions.
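The error quoted at the top of the thread is raised by Stripe.js, the browser-side library, which only accepts a publishable (pk_) key; a restricted (rk_) or standard secret (sk_) key is rejected there regardless of which permissions it carries, so adding write permissions cannot make it go away. Stripe keys are self-describing by prefix (pk_/sk_/rk_ followed by test_ or live_), which makes a pre-flight check of key placement cheap. The following Python is an added example written for this page, not code from the plugin or from Stripe: the field names and the sample keys are constructed, and the only assumptions it relies on are the documented key prefixes.

```python
"""Pre-flight check for where each Stripe key is allowed to live.

Added example (not plugin code). Stripe key prefixes, as documented by Stripe:
  pk_test_ / pk_live_   publishable key   -> embeddable in the browser (Stripe.js)
  sk_test_ / sk_live_   standard secret   -> server only, full account access
  rk_test_ / rk_live_   restricted key    -> server only, scoped permissions
Webhook signing secrets (whsec_...) are not API keys and are rejected here.
The slot names "publishable" / "secret" and all sample keys are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

PREFIXES = {"pk": "publishable", "sk": "secret", "rk": "restricted"}
MODES = ("test", "live")


@dataclass(frozen=True)
class KeyInfo:
    kind: str  # "publishable", "secret" or "restricted"
    mode: str  # "test" or "live"


def classify_key(key: str) -> KeyInfo:
    """Classify a Stripe API key by prefix; raise ValueError for anything else."""
    parts = key.strip().split("_", 2)
    if (
        len(parts) != 3
        or parts[0] not in PREFIXES
        or parts[1] not in MODES
        or not parts[2]
    ):
        raise ValueError("not a recognised Stripe API key (expected pk_/sk_/rk_ + test_/live_)")
    return KeyInfo(kind=PREFIXES[parts[0]], mode=parts[1])


def check_key_placement(publishable_key: str, secret_key: str) -> list[str]:
    """Return findings for a (browser slot, server slot) key pair; [] means OK.

    Acceptable: a pk_ key in the browser-facing slot and a server-side key,
    preferably restricted, in the secret slot, both in the same mode.
    """
    findings: list[str] = []
    try:
        pub = classify_key(publishable_key)
    except ValueError as exc:
        findings.append(f"publishable slot: {exc}")
        pub = None
    try:
        sec = classify_key(secret_key)
    except ValueError as exc:
        findings.append(f"secret slot: {exc}")
        sec = None
    if pub is None or sec is None:
        return findings

    if pub.kind != "publishable":
        # This is the misplacement behind the Stripe.js IntegrationError, and it
        # also ships a server-side key to every visitor's browser.
        findings.append(
            f"publishable slot holds a {pub.kind} key; Stripe.js only accepts pk_ keys "
            "and a server key in that slot is exposed to every visitor"
        )
    if sec.kind == "publishable":
        findings.append("secret slot holds a publishable key; server-side API calls cannot authenticate")
    elif sec.kind == "secret":
        # Advisory, not an error: least privilege favours a scoped rk_ key.
        findings.append(
            "secret slot holds a standard sk_ key with full account access; "
            "prefer a restricted (rk_) key scoped to the resources the plugin needs"
        )
    if pub.mode != sec.mode:
        findings.append(f"mode mismatch: publishable key is {pub.mode} but secret key is {sec.mode}")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration reproducing the thread's situation:
    # a restricted key pasted into the browser-facing slot.
    for finding in check_key_placement("rk_test_EXAMPLE0001", "rk_test_EXAMPLE0001"):
        print("FINDING:", finding)
```

Run against the plugin's two key fields before saving them: an empty list is the target state (pk_ in the browser slot, rk_ in the server slot, same mode); the sk_ finding is advisory and records the least-privilege argument made earlier in the thread, while the pk_-slot finding is the misplacement that produces the quoted IntegrationError.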

  • The topic ‘What api permissions does the plugin require?’ is closed to new replies.