How to verify a Stripe Connect, Account Deactivated web-hook? - stripe-payments

With all other web-hooks one can use an account's stripe access token to retrieve the event and then update based on the response of the API call, thus preventing possible spoofing. But with account deactivated, one is no longer able to use that account's stripe access token since the account is deactivated. Any other suggestions? Basic auth is a no-go since each account can see the webhook url.

Stripe returns an error when you attempt to retrieve that event, but that error is specific to this situation. You'll get an authentication_error if you attempt to retrieve it, while if you weren't connected before you'd get invalid_request_error.
You can see an example in Ruby in this connect app here
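One way to code the check this answer describes, as an added example (not part of the original answer, and not Stripe's code): retrieve the event with the token stored for the account and trust the web-hook only on authentication_error. The fetch_event transport, the Verdict names, the token store and the canned responses are assumptions made up for illustration, as is treating a successful retrieval as a rejection.

```python
from enum import Enum


class Verdict(Enum):
    GENUINE = "genuine"  # token rejected: the account really was disconnected
    REJECT = "reject"    # token still works, or the account was never connected
    RETRY = "retry"      # inconclusive (API or network fault): check again later


def verify_deactivation(event_id, account_id, tokens, fetch_event):
    """Decide whether an 'account deactivated' web-hook can be trusted.

    tokens      -- our own store: account id -> access token saved at connect time
    fetch_event -- hypothetical transport, (event_id, token) -> (status, body),
                   doing GET /v1/events/{event_id} with that account's token
    """
    token = tokens.get(account_id)
    if token is None:
        return Verdict.REJECT  # we hold no token, so we never connected it
    status, body = fetch_event(event_id, token)
    if status == 200:
        # Assumption: a token that still retrieves events was not revoked.
        return Verdict.REJECT
    err_type = (body.get("error") or {}).get("type")
    if err_type == "authentication_error":
        return Verdict.GENUINE
    if err_type == "invalid_request_error":
        return Verdict.REJECT
    return Verdict.RETRY


# Constructed responses standing in for the API (not captured traffic).
def fake_api(event_id, token):
    canned = {
        "tok_revoked": (401, {"error": {"type": "authentication_error"}}),
        "tok_live": (200, {"id": event_id, "type": "charge.succeeded"}),
        "tok_unknown": (400, {"error": {"type": "invalid_request_error"}}),
    }
    return canned.get(token, (500, {"error": {"type": "api_error"}}))


TOKENS = {"acct_A": "tok_revoked", "acct_B": "tok_live", "acct_C": "tok_unknown"}

if __name__ == "__main__":
    for acct in ("acct_A", "acct_B", "acct_C", "acct_Z"):
        print(acct, verify_deactivation("evt_constructed", acct, TOKENS, fake_api).value)
```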

Related

I got Stripe \ PermissionException error with new stripe api keys

Working with Stripe Connect and making :
\Stripe\Charge::create
I got error :
Stripe \ Exception \ PermissionException
The provided key 'sk_test_51*************************************************
********************************************AE7z' does not have access to account 'acct_NNNN'
(or that account does not exist). Application access may have been revoke
My code worked with different stripe account, but I need to set api keys of my client
After logging into Stripe with credentials of my client I just activated the Stripe connect,
but looks like not all settings are set: https://prnt.sc/10vfict
Which steps have I to take next ?
I wrote to support under my client credentials, but my client is not
always available and as I have no access to his email account I ask if there is a
way to read messages from support in Stripe dashboard? I did not find such possibility...
Thanks!

Why Can't I See My Connected Accounts in my Stripe Connect Section

So I have created a link for my partners to connect their accounts to my Stripe. This will allow me to do payouts, as I am doing an automation service, and my mission is to:
Take payments on behalf of my partners
keep a processing fee
Send the remainder to the partner's account
I can't seem to see any of the people I am using as a test to sign up as connected accounts. They have gone to the URL, filled out the info, but they won't pop up in my account?
I believe my issue is the last step of authentication, where Stripe says in Stripe Express Docs section "The last step is to use the provided authorization code to make a POST request to Stripe’s token endpoint to complete the connection and fetch the user’s account ID:"
How do I implement this so I can proceed with my system? And if I need to code this into something, how is this supposed to get accomplished? I just need the accounts to be connected into my account.
When the user has finished signing up, they get redirected to a URL you provide in redirect_url. In that URL's parameters is the authorization code:
https://yoursite.com/path/to/connect/flow?code={CODE_GOES_HERE}
To complete the flow, you then need to make a request to the Stripe oauth end point to confirm the user. Make sure that this request is made server side as the response you get contains sensitive information for your new connected account. The docs show a curl request but you could do this with any request API you have at your disposal:
curl https://connect.stripe.com/oauth/token \
  -d client_secret=sk_123 \
  -d code="{AUTHORIZATION_CODE}" \
  -d grant_type=authorization_code
Where the AUTHORIZATION_CODE is the code found in the URL your users got redirected to.
Once the request completes, you should get a response with the new connected account details, provided everything went well:
{
  "access_token": "{ACCESS_TOKEN}",
  "livemode": false,
  "refresh_token": "{REFRESH_TOKEN}",
  "token_type": "bearer",
  "stripe_publishable_key": "{PUBLISHABLE_KEY}",
  "stripe_user_id": "{ACCOUNT_ID}",
  "scope": "express"
}
You should save the account unique values (e.g. access_token) in your own database so you can easily retrieve it later rather than fetch it from the Stripe API every time.
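The server-side code exchange from the answer above, as an added example that is not part of the original answer or Stripe's documentation: it builds the same form body as the curl command, rejects an OAuth error reply, stores the account record and returns a copy with the tokens redacted for logging. The post and save callables, the helper names and the sample reply are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlencode

TOKEN_URL = "https://connect.stripe.com/oauth/token"
SECRET_FIELDS = ("access_token", "refresh_token")


class ConnectError(Exception):
    """Raised when the connection cannot be completed."""


def build_token_request(code, client_secret):
    # Same three form fields as the curl command in the answer.
    if not code or not code.strip():
        raise ConnectError("redirect carried no authorization code")
    return urlencode({"client_secret": client_secret, "code": code.strip(),
                      "grant_type": "authorization_code"})


def parse_token_response(raw):
    data = json.loads(raw)
    if "error" in data:  # OAuth-style error body, e.g. a reused or expired code
        raise ConnectError(f"{data['error']}: {data.get('error_description', '')}")
    missing = [k for k in ("stripe_user_id", "access_token") if not data.get(k)]
    if missing:
        raise ConnectError(f"token response missing {', '.join(missing)}")
    return data


def redact(record):
    # Copy that is safe to log: token values never leave the server in clear.
    return {k: "[redacted]" if k in SECRET_FIELDS else v for k, v in record.items()}


def complete_connection(code, client_secret, post, save):
    """post(url, form_body) -> reply text; save(account_id, record). Both hypothetical."""
    reply = post(TOKEN_URL, build_token_request(code, client_secret))
    record = parse_token_response(reply)
    save(record["stripe_user_id"], record)  # keyed by the connected account id
    return redact(record)


# Constructed reply in the shape shown in the answer (placeholder values only).
SAMPLE_REPLY = json.dumps({
    "access_token": "tok_constructed", "livemode": False,
    "refresh_token": "rt_constructed", "token_type": "bearer",
    "stripe_user_id": "acct_constructed", "scope": "express",
})
```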
Just came across this answer after having a similar issue due to missing out the second step of the authorisation process. In case anyone else is still having issues I thought I would share another tip:
You can also manually create a link for testing or in case of a low volume of new connections. This does not require making a request to the Stripe oauth end point so less coding - this option is in the Stripe dashboard under Connected Accounts > Create

Safely update Stripe Custom Connect Account From Browser

I have some stripe custom connect accounts that need updating.
We create these stripe connected accounts when a user signs up on our platform, but we don't ask for all of the information until later.
Here's the rub: We need a social security number. (We will be doing taxes later) I know that this goes into legal_entity, but the only way to update connected custom accounts is using the secret_key on the back end....but I can't let a SSN touch the back end!....Well, I guess that I could, but I didn't want ANY dangerous information to touch our server, EVER. I definitely wouldn't store it, but I worry about that making me liable.
So if I can't use the secret key in the browser, and I can't let the SSN touch the server....what is the correct way to update a connected account?
Using Stripe.js, you can generate Account Tokens that your server can reference when making API calls, just like you would get a card token when making payments.
There are directions on how to get the token and use it to update legal information in the documentation here:
https://stripe.com/docs/connect/account-tokens#updating

How can I get bank information from source?

I have linked an online bank with Plaid API to Stripe. I have created a Stripe customer with source bank token. But later I couldn't get bank information from source. It is showing
An uncaught Exception was encountered
Type: Stripe\Error\InvalidRequest
Message: No such source: btok_1BOiMhGnklINT0gr7TYCRuvO
This error means that the API key you used to make the second API call is not from the Stripe account you linked to your Plaid account and also not the same you used when creating the customer. I'd recommend checking the API keys in both of your scripts.
Also once you fix this part, you should not reuse the token in subsequent calls as it would have been consumed by the customer creation call. You need to use the bank account id that was created instead (ba_xxx).

In Plaid, is it possible to get a webhook notification when credentials expire or become invalid?

Use Case: A user has supplied Plaid with credentials to "amex". For some reason, that user changes their password. Plaid can no longer access Amex on behalf of the user.
Problem: I believe that right now, the information flow for bad credentials is that an error message is received when the Plaid client checks for updated information (e.g. new transactions). However, Plaid probably knows about the incorrect credentials prior to that request. Relying on a synchronous event (requesting new transactions from the PlaidAPI, e.g.) to communicate the error potentially leaves Plaid customers in a bad state.
It would be nice to see something like
"code"=>"49","message"=>"Credentials Invalid","access_token"=>"XYZAAAA"
Great point - we have been working on more far reaching webhooks for situations where credentials have changed, accounts are locked, etc. I'll keep you posted as we add this functionality.
In the meantime, you are now able to use the PATCH endpoint to update credentials for existing users. Check it out in the docs here: https://plaid.com/docs#Docs_Update_Credentials
Thanks again for the input and let me know if you have any other questions!
Carl
