Using Connect with Standard accounts
Integrating with Standard accounts is the fastest and easiest way to get started using Connect, since you'll be offloading the majority of the user experience and user communication to Stripe.
A Standard Stripe account is a conventional Stripe account controlled directly by the account holder (i.e., your platform’s user). A user with a Standard account has a relationship with Stripe, is able to log in to the Dashboard, can process charges on their own, and can disconnect their account from your platform.
You can prompt your users to create Stripe accounts, or allow anyone with an existing Stripe account to connect to your platform.
The OAuth connection flow
A user connects to your platform using the following OAuth connection flow:
- Starting on a page at your site, the user clicks a link that takes them to Stripe, passing along your platform’s
client_id. - On Stripe’s website, the user provides the necessary information for connecting to your platform.
- The user is then redirected back to your site along with an authorization code.
- Your site then makes a request to Stripe’s OAuth token endpoint to complete the connection and fetch the user’s account ID.
When these steps are done, API requests can be made on behalf of the user with their account ID or authorization credentials.
Step 1: Create the OAuth link
To get started with your integration, you need two pieces of information from your platform settings:
- Your
client_id, a unique identifier for your platform, generated by Stripe - Your
redirect_uri, a page on your website to which the user is redirected after connecting their account (or failing to, should that be the case), set by you
Stripe also provides a development client_id to make testing easier.
With these two pieces of information in hand, you’re ready to create the OAuth link. We recommend showing a Connect button that sends users to our authorize_url endpoint:
https://connect.stripe.com/oauth/authorize?response_type=code&client_id=ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7&scope=read_write
The Stripe endpoint should receive at least these three parameters:
response_type, with a value of code- Your
client_id scope, with a value of read_write
The scope parameter dictates what your platform can do on behalf of the connected account, with read_only being the default.
To prevent CSRF attacks, add the state parameter, passing along a unique token as the value. We’ll include the state you gave us when we redirect the user back to your site.
Here’s how the above URL can be presented to your user to begin the connection:
Step 2: User creates or connects their account
After the user clicks the link on your site, they'll be taken to Stripe's website where they'll be prompted to allow or deny the connection to your platform.
Unlike most OAuth implementations (like Facebook Connect or Sign In with Twitter), we've seamlessly added the process of creating a Stripe account right into our authorization flow. You don't have to worry about whether or not your users already have accounts!
The user is logged in and can connect directly.
The user needs to create an account.
Step 3: User is redirected back to your site
After the user connects their existing or newly created account to your platform, they are redirected back to your site, to the URL established as your platform’s redirect_uri.
For successful connections, we’ll pass along in the URL:
- The
scopegranted - The
statevalue, if provided - An authorization code
https://connect.stripe.com/connect/default/oauth/test?scope=read_write&code={AUTHORIZATION_CODE}
If the authorization was denied by the user, they'll still be redirected back to your site, but the URL includes an error instead of the authorization code:
https://connect.stripe.com/connect/default/oauth/test?error=access_denied&error_description=The%20user%20denied%20your%20request
Step 4: Fetch the user's credentials from Stripe
Assuming no error occurred, the last step is to use the provided code to make a POST request to our access_token_url endpoint to fetch the user’s Stripe credentials:
curl https://connect.stripe.com/oauth/token \ -u sk_test_4eC39HqLyjWDarjtT1zdp7dc: \ -d code=ac_123456789 \ -d grant_type=authorization_code
# Set your secret key: remember to change this to your live secret key in production # See your keys here: https://dashboard.stripe.com/account/apikeys Stripe.api_key = 'sk_test_4eC39HqLyjWDarjtT1zdp7dc' response = Stripe::OAuth.token({ grant_type: 'authorization_code', code: 'ac_123456789', }) # Access the connected account id in the response connected_account_id = response.stripe_user_id
# Set your secret key: remember to change this to your live secret key in production # See your keys here: https://dashboard.stripe.com/account/apikeys stripe.api_key = 'sk_test_4eC39HqLyjWDarjtT1zdp7dc' response = stripe.OAuth.token( grant_type='authorization_code', code='ac_123456789', ) # Access the connected account id in the response connected_account_id = response.stripe_user_id
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys \Stripe\Stripe::setApiKey('sk_test_4eC39HqLyjWDarjtT1zdp7dc'); $response = \Stripe\OAuth::token([ 'grant_type' => 'authorization_code', 'code' => 'ac_123456789', ]); // Access the connected account id in the response $connected_account_id = $response->stripe_user_id;
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys Stripe.apiKey = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"; Map<String, Object> params = new HashMap<>(); params.put("grant_type", "authorization_code"); params.put("code", "ac_123456789"); TokenResponse response = OAuth.token(params, null); // Access the connected account ID in the response String accountId = response.getStripeUserId();
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys const stripe = require('stripe')('sk_test_4eC39HqLyjWDarjtT1zdp7dc'); stripe.oauth.token({ grant_type: 'authorization_code', code: 'ac_123456789', }).then(function(response) { // asynchronously called var connected_account_id = response.stripe_user_id; });
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys stripe.Key = "sk_test_4eC39HqLyjWDarjtT1zdp7dc" params := &stripe.OAuthTokenParams{ GrantType: stripe.String("authorization_code"), Code: stripe.String("ac_123456789"), } token, _ := oauth.New(params) // Access the connected account id in the response connected_account_id = token.StripeUserID
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys StripeConfiguration.ApiKey = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"; var options = new OAuthTokenCreateOptions { GrantType = "authorization_code", Code = "ac_123456789", }; var service = new OAuthTokenService(); var response = service.Create(options); // Access the connected account id in the response connected_account_id = response.StripeUserId
Note that you’ll make the request with your live or test secret API key, depending on whether you want to get a live or test access token back.
Stripe returns a response containing the authentication credentials for the user:
{ "token_type": "bearer", "stripe_publishable_key": "{PUBLISHABLE_KEY}", "scope": "read_write", "livemode": false, "stripe_user_id": "{ACCOUNT_ID}", "refresh_token": "{REFRESH_TOKEN}", "access_token": "{ACCESS_TOKEN}" }
If there was a problem, we instead return an error:
{ "error": "invalid_grant", "error_description": "Authorization code does not exist: {AUTHORIZATION_CODE}" }
You’re done! The user is now connected to your platform. Store the stripe_user_id in your database; this is the Stripe account ID for the new account. You’ll use this value to authenticate as the connected account by passing it into requests in the Stripe-Account header. (It’s also possible to authenticate with the secret key returned here, but it’s more secure to store and use only the account ID instead.)
In your application, you might want to consider using a dedicated OAuth client library to simplify these steps. To find an OAuth library for your language or framework, you can refer to the list of client libraries on the OAuth website.
The refresh_token can be used to generate test access tokens for a production client_id or to roll your access token. You should hold on to this value, too, as you’re only able to get it after this initial POST request.
Revoked and revoking access
An account.application.deauthorized event occurs when a user disconnects your platform from
their account. By watching for this event via webhooks, you can perform any necessary cleanup on your
servers.
To disconnect a Standard account from your platform, POST your client_id and the connected account’s ID to
https://connect.stripe.com/oauth/deauthorize:
curl https://connect.stripe.com/oauth/deauthorize \ -u sk_test_4eC39HqLyjWDarjtT1zdp7dc: \ -d client_id=ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7 \ -d stripe_user_id=acct_nc26ZQaVI6jon9
# Set your secret key: remember to change this to your live secret key in production # See your keys here: https://dashboard.stripe.com/account/apikeys Stripe.api_key = 'sk_test_4eC39HqLyjWDarjtT1zdp7dc' Stripe::OAuth.deauthorize({ client_id: 'ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7', stripe_user_id: 'acct_kRHf6PhqfToq1L', })
# Set your secret key: remember to change this to your live secret key in production # See your keys here: https://dashboard.stripe.com/account/apikeys stripe.api_key = 'sk_test_4eC39HqLyjWDarjtT1zdp7dc' stripe.OAuth.deauthorize( client_id='ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7', stripe_user_id='acct_T631pzhzTYF0az' )
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys \Stripe\Stripe::setApiKey('sk_test_4eC39HqLyjWDarjtT1zdp7dc'); \Stripe\OAuth::deauthorize([ 'client_id' => 'ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7', 'stripe_user_id' => 'acct_rejfp2NYjztzCz', ]);
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys Stripe.apiKey = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"; Map<String, Object> params = new HashMap<>(); params.put("client_id", "ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7"); params.put("stripe_user_id", "acct_6BwIkHMY8xt34b"); OAuth.deauthorize(params, null);
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys const stripe = require('stripe')('sk_test_4eC39HqLyjWDarjtT1zdp7dc'); stripe.oauth.deauthorize({ client_id: 'ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7', stripe_user_id: 'acct_SwYt3Cfzp6vCBY', }).then(function(response) { // asynchronously called });
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys stripe.Key = "sk_test_4eC39HqLyjWDarjtT1zdp7dc" params := &stripe.DeauthorizeParams{ ClientID: stripe.String("ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7"), StripeUserID: stripe.String("acct_ozegu5OsCD0x1m"), } oauth.Del(params)
// Set your secret key: remember to change this to your live secret key in production // See your keys here: https://dashboard.stripe.com/account/apikeys StripeConfiguration.ApiKey = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"; var options = new OAuthDeauthorizeOptions { ClientId = "ca_32D88BD1qLklliziD7gYQvctJIhWBSQ7", StripeUserId = "acct_kQJ7bG9gIz6gtX", }; var service = new OAuthTokenService(); service.Deauthorize(options);
Next steps
Now you can use the API on your user's behalf to accept payments, set up recurring billing, fetch account data, and more:
Join the Stripe Partner Program to get best practices across a range of topics like how to optimize your Stripe integrations, effectively go to market, and answer frequently asked questions about Stripe and payments.