Making API calls for connected accounts

You can make API calls for your connected accounts:

• Server-side with the Stripe-Account header and the connected account ID, per request
• Client-side by passing the connected account ID as an argument to the client application
• Server-side with the connected account API keys (legacy, not recommended)

Adding the Stripe-Account header server-side

Server-side API calls should include the platform account secret key and pass a Stripe-Account header with the ID of the connected account the call is for. This curl request performs a refund of a charge on a connected account:

curl https://api.stripe.com/v1/charges/{{CHARGE_ID}}/refunds \
  -u {{PLATFORM_SECRET_KEY}}: \
  -H "Stripe-Account: {{CONNECTED_STRIPE_ACCOUNT_ID}}" \
  -d amount=1000

The Stripe-Account header approach is implied in any API request that includes the Stripe account ID in the URL:

curl https://api.stripe.com/v1/accounts/{{CONNECTED_STRIPE_ACCOUNT_ID}} \
  -u {{PLATFORM_SECRET_KEY}}:

All of Stripe’s server-side libraries support this approach on a per-request basis:

Stripe.api_key = "{{PLATFORM_SECRET_KEY}}"
Stripe::Customer.create(
  {email: 'person@example.edu'},
  {stripe_account: '{{CONNECTED_STRIPE_ACCOUNT_ID}}'}
)

# Fetching an account just needs the ID as a parameter
Stripe::Account.retrieve('{{CONNECTED_STRIPE_ACCOUNT_ID}}')

Adding the connected account ID to a client-side application

Client-side libraries set the connected account ID as an argument to the client application:

var stripe = Stripe("{{PLATFORM_PUBLISHABLE_KEY }}", { stripeAccount: "{{CONNECTED_STRIPE_ACCOUNT_ID}}"});

Using connected account API keys

This option makes API calls using the secret and publishable keys obtained during the OAuth flow for Standard and Express accounts. Those keys are specifically created for your platform to make API requests on this connected account. The secret key is returned in the access_token property and the publishable key in the stripe_publishable_key property provided in the response from the /oauth/token OAuth endpoint. API keys are provided only when the account is first connected. You cannot retrieve a connected account’s API keys after a connection has been established.

API keys grant broad permissions, including the ability to read and write sensitive data and move money. If your platform was compromised, leaked API keys could cause serious issues. For this reason, we strongly recommend using the Stripe-Account header as outlined above, which should work for most platforms. In general, API keys are only necessary when a central server is not used to make API requests. For example, if your platform operates as a plugin for WordPress or other self-hosted software, you can make API requests directly from the plugin where your platform’s API keys are not available.

This code performs the same refund request as the example that shows the Stripe-Account header:

curl https://api.stripe.com/v1/charges/{{CHARGE_ID}}/refunds \
  -u {{CONNECTED_ACCOUNT_SECRET_KEY}}: \
  -d amount=1000

If you are using this method, we recommend that you perform authentication with every request, instead of setting the API key globally. All of Stripe’s libraries support this style of authentication on a per-request basis:

# Not recommended: setting global API key state
Stripe.api_key = '{{CONNECTED_ACCOUNT_SECRET_KEY}}'
Stripe::Customer.create({
  email: 'person@example.edu'
})

# Recommended: sending API key with every request
Stripe::Customer.create({
  email: 'person@example.edu',
}, {
  api_key: '{{CONNECTED_ACCOUNT_SECRET_KEY}}', # account's access token from the Connect flow
})

Protect your API keys. They should remain internal to your systems and never be accessible in a browser. Don’t expose connected account API keys through your own API endpoints.