Starting in 2024, Stripe will require the use of Restricted API Keys (RAK) on all gateway connections with Spreedly. This is an effort to increase security and standardize the permissions used across all Spreedly ←→ Stripe connections. A RAK must replace the Secret Key on all Stripe gateway connections with Spreedly. We've automated this process using a Spreedly application built on the Stripe App Marketplace. You can provision your new restricted keys using this application link.
This guide describes the automated process completed by the application, and provides instructions for manually creating or updating a RAK with Spreedly’s required permissions to meet these new security standards.
For all Stripe or Stripe Payment Intents gateways created in Default mode with Spreedly:
1. Log in to your Stripe dashboard and visit the API keys area (dashboard.stripe.com/apikeys).
2. Select the "+ Create restricted key" button. If you already have a RAK provisioned for your Spreedly connection, you can edit that key instead and proceed to the next step.
3. Spreedly requires the following permissions on all RAK to facilitate transactions. They are found in the “All core resources” section, with one in the “All webhook resources” section. Ensure these permissions are set to Write to avoid disruption to transactions on your Stripe gateways.
- PERMISSIONS: Charges, Customers, PaymentIntents, PaymentMethods, SetupIntents, Tokens, Webhook Endpoints
- CONNECT PERMISSIONS: Charges, Customers, PaymentIntents, PaymentMethods, SetupIntents, Tokens
4. Save your new RAK using the "Create key" button below permissions, or save these updated permissions on your existing RAK using the "Apply changes" button.
5. Reveal the key in your list and copy your RAK to the clipboard.
6. Run an Update call on your Stripe gateways with your RAK via the Spreedly API. This replaces any Secret Key in the login field with your restricted API key. If you would prefer to add a new gateway connection using a RAK instead, you can do so with the Create call, passing the RAK in the login field, or via the UI at app.spreedly.com/gateways, where you can paste the RAK in the API key field.
7. Confirm all Stripe gateways have been updated with RAK instead of Secret Key, and continue running transactions as usual.
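The Update call from step 6, written as an added example (not Spreedly's or Stripe's own code) with a guard that refuses to write anything other than a restricted key into the login field. It assumes Spreedly's `PUT /v1/gateways/<gateway_token>.json` route with HTTP Basic auth (environment key and access secret) and Stripe's `rk_`/`sk_` key prefixes; the function names, gateway tokens and credentials are placeholders.

```python
import base64
import json
import urllib.request

# Assumption: Spreedly core API base URL and update-gateway route; confirm in the API reference.
SPREEDLY_BASE = "https://core.spreedly.com/v1"


def classify_stripe_key(key: str) -> str:
    """Return 'restricted', 'secret' or 'unknown' from the Stripe key prefix."""
    if key.startswith(("rk_live_", "rk_test_")):
        return "restricted"
    if key.startswith(("sk_live_", "sk_test_")):
        return "secret"
    return "unknown"


def build_gateway_update(gateway_token, rak, env_key, access_secret):
    """Build (not send) the Update request that puts the RAK in the login field."""
    kind = classify_stripe_key(rak)
    if kind != "restricted":
        # Fail closed: never write a secret or malformed key to the gateway.
        raise ValueError(f"refusing to send {kind} key; expected rk_live_/rk_test_")
    body = json.dumps({"gateway": {"login": rak}}).encode()
    basic = base64.b64encode(f"{env_key}:{access_secret}".encode()).decode()
    return urllib.request.Request(
        url=f"{SPREEDLY_BASE}/gateways/{gateway_token}.json",
        data=body,
        method="PUT",
        headers={"Authorization": f"Basic {basic}", "Content-Type": "application/json"},
    )


def update_all(gateway_tokens, rak, env_key, access_secret, send=False):
    """Prepare one Update per gateway; only touch the network when send=True."""
    results = {}
    for token in gateway_tokens:
        req = build_gateway_update(token, rak, env_key, access_secret)
        if send:
            with urllib.request.urlopen(req, timeout=30) as resp:
                results[token] = resp.status
        else:
            results[token] = f"{req.get_method()} {req.full_url}"
    return results


if __name__ == "__main__":
    # Constructed placeholder values; load real ones from a secrets manager, not source.
    demo = update_all(["GATEWAY_TOKEN_1", "GATEWAY_TOKEN_2"], "rk_test_CONSTRUCTED",
                      "ENV_KEY", "ACCESS_SECRET")
    for token, line in demo.items():
        print(token, "->", line)
```

Run it with `send=False` first to review the requests it would make, then with `send=True` once the RAK carries the permissions listed in step 3.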
Spreedly will publish a Stripe marketplace app in the coming weeks to help automate this permission set selection on all RAK. Whether you manually set these permissions before that time, or use the RAK app once available, you will still need to run an Update call on all Stripe gateways to use RAK instead of Secret Keys. Please reach out to Spreedly with any questions about the permission set. We suggest reaching out to Stripe if you are concerned about making these updates.