Contrib.social

Using Restricted API keys

Open on Drupal.org β†’
Created on 8 February 2024, over 1 year ago

If anyone wants to use a restricted API key for some reason, see my research below on what permissions need to be granted to make it work for the Stripe Payment Element.
Documentation on using API keys can be found here.
Follow the instructions to create a restricted key and grant the following permissions (see screenshot β†’ ):
All core resources
Balance - Read
Charges - Write
Customers - Write
PaymentIntents - Write
All other permissions should be set to None.

I don't really understand why we need "Balance - Read" but if I set it to None I get "Invalid secret key." message when saving payment gateway configurations (maybe we need to ask about this Stripe support). For other permissions like Charges, Customers, PaymentIntents we do use them in the code.
Please report any issues with restricted API keys here so we can update the README.md with the necessary instructions.

πŸ“Œ Task
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡¦Ukraine marchuk.vitaliy Rivne, UA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @marchuk.vitaliy
  • Comment about 1 month ago β†’
    πŸ‡³πŸ‡ΏNew Zealand davidwhthomas

    Firstly, thanks for the useful module.

    I tried to add a restricted key but the commerce_stripe payment gateway configuration requires the "Publishable key" as well. The restricted key _is_ the secret key and is not a publishable key.

    I tried a placeholder "restricted_key" for the publishable key, just to test, and set to test mode.

    On saving the restricted key, there is an error "The provided secret key is not for the selected mode (test)."

  • Comment 19 days ago β†’
    πŸ‡¬πŸ‡§United Kingdom newaytech

    I thought using restricted keys would be a security improvement - so gave it a try. I used the same key for both fields - but then got the following error in the JS console:

    Uncaught IntegrationError: You should not use a restricted key with Stripe.js.
    Please pass a publishable key instead.

    I'll revert to using a Publishable key - and lock down by IP...

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024