Install links allow users to install public apps outside of the Stripe App Marketplace. With one integrated flow, you can pass state from your application, complete the installation of the Stripe App, and redirect to your application or site.
With the following steps, a user can install an app using an install link:
- On your site, the user clicks a link that redirects them to Stripe, passing along the
- On Stripe, the user selects the appropriate account and accepts permissions for installing the app.
- After installation, the user redirects to your site, along with the Stripe account for the given user.
- Your app can now make authenticated account requests.
Customize links with URL parameters
You can change the behavior of the app installation by including additional URL parameters in the install link.
Supported URL parameters
|The URL that users are redirected to after installing your app. If provided, this must exactly match one of the comma-separated |
|Recommended||An arbitrary string value we pass back to you, which is recommended for CSRF protection.|
Prevent CSRF attacks with the state parameter
To prevent cross-site request forgery (CSRF) attacks, you can use the
state parameter. This parameter accepts any string value and returns it unmodified upon redirecting the installer back to your application or platform. To use this parameter, pass a unique and non-guessable value when you initiate an install using an install link. Save the value to use it for verification later.
After the user installs and is redirected back to your application, verify whether the value of the state parameter provided matches the value present in the initial install link. This verification process provides a high-level of confidence to confirm that the
stripe_user_id returned belongs to the user who initiated the install and safeguard against potential forgeries.