Plugin User Migration Guide

Who does this apply to?

This applies to any merchant that has authenticated with a third-party integration using their Stripe secret API key. These integrations are typically called plugins, but can also have other names. Stripe defines a plugin as any integration between a third-party solution and Stripe that requires a user to authenticate with their secret API keys. A plugin typically interacts with Stripe APIs either by making API calls or by reacting to Stripe API events on behalf of its users. Often, plugins run code so Stripe can interact with other software (e.g. accepting payments on WordPress), but they may take other shapes too, such as open-source libraries.

What changes are happening and why?

Stripe is raising its security requirements for plugin developers and their users. Secret API keys can be used for any kind of API request without limitation and give third parties full access to a user’s Stripe account. They are a form of account credential, like a username and password. If bad actors obtain a secret key, they can use it to harm a merchant’s business and other parties in the Stripe ecosystem. Stripe users are responsible for keeping their secret API keys safe, and Stripe takes many precautions to ensure secret API keys are protected.

Most plugins do not need full access, only a limited set of permissions. Risk is introduced when developers require users to manually copy their account credentials onto a third-party platform. To reduce fraud risk to users, developers, and Stripe, we are requiring developers to use restricted API keys or OAuth for plugin authentication.

On January 1, 2024, Stripe added support for restricted API key and OAuth 2.0 authentication to Stripe Apps, enabling plugins to operate more securely in the ecosystem. This security update not only helps plugins comply with Stripe’s latest security standards, it also gives merchants using these third-party integrations more control over their business and data.

When are the changes happening?

On September 30, 2024, Stripe is requiring all plugin developers to adopt new secure authentication methods (restricted API key, OAuth 2.0, or Stripe Connect) to protect users against fraud. All existing and new plugin developers must use one of these secure authorization methods. Developers electing to use restricted API key or OAuth 2.0 via a Stripe App must have their app reviewed and approved by Stripe before it is published in the Stripe App Marketplace.

On October 29, 2024, Stripe will begin requiring that all merchants using plugins upgrade the security of their connections by authenticating with either restricted API keys or OAuth 2.0. This is a planned upgrade to enhance the overall security of Stripe third-party integrations and to comply with Stripe's latest standards. Starting June 2025, Stripe will charge a fee to businesses that do not comply with this security requirement.

Why use restricted API keys or OAuth?

For better security and control, use restricted API keys or OAuth 2.0 instead of secret keys when authenticating with third-party services. Restricted API keys give businesses precise control over the permissions they grant to third parties, so a third-party service can access only the data and actions it needs. OAuth 2.0 is a one-click, tokenized authorization that businesses grant to third parties to integrate; like restricted API keys, it gives you more control over, and protection of, the permissions you grant. Both options bolster protection against unauthorized access and fraud, and they also streamline operations, making integrations more efficient and reliable to use.
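As an added illustration of the least-privilege point above (example code, not from this guide, from Stripe, or from any plugin): a check a plugin could run on a key a merchant pastes into its settings, accepting restricted keys and refusing full-access secret keys, and masking the key before it reaches any log. It relies on Stripe's key prefix convention (sk_ for secret, rk_ for restricted, pk_ for publishable, each with a live or test segment); the sample keys are constructed, and the live/test mode handling is an assumption about how a plugin is configured.

```python
import re

# Stripe key prefixes: sk_ = secret (full access), rk_ = restricted, pk_ = publishable.
# The live/test segment identifies the mode the key belongs to.
_KEY_RE = re.compile(r"^(?P<kind>sk|rk|pk)_(?P<mode>live|test)_[A-Za-z0-9]+$")
_KIND_NAMES = {"sk": "secret", "rk": "restricted", "pk": "publishable"}


def classify_key(key: str):
    """Return (kind, mode) for a well-formed Stripe key, or (None, None)."""
    m = _KEY_RE.match(key.strip())
    if not m:
        return None, None
    return _KIND_NAMES[m.group("kind")], m.group("mode")


def mask_key(key: str) -> str:
    """Redact a key for logs or UI: keep only the prefix and the last 4 characters."""
    key = key.strip()
    kind, mode = classify_key(key)
    if kind is None:
        return "<invalid key>"
    return f"{key[:2]}_{mode}_...{key[-4:]}"


def accept_plugin_key(key: str, expected_mode: str = "live"):
    """Decide whether a plugin should store a merchant-supplied key.

    Returns (accepted, reason). Only restricted keys in the expected mode are
    accepted; secret keys are refused outright so a merchant cannot hand the
    plugin full-access credentials by mistake. The mode check is an assumed
    plugin setting, not something this guide specifies.
    """
    kind, mode = classify_key(key)
    if kind is None:
        return False, "not a well-formed Stripe API key"
    if kind == "secret":
        return False, "secret keys grant full account access; create a restricted key instead"
    if kind == "publishable":
        return False, "publishable keys cannot authenticate server-side API calls"
    if mode != expected_mode:
        return False, f"{mode}-mode key supplied but the plugin is configured for {expected_mode} mode"
    return True, f"restricted {mode}-mode key accepted ({mask_key(key)})"


if __name__ == "__main__":
    # Constructed sample keys; these are not real Stripe credentials.
    for sample in ("rk_live_CONSTRUCTEDsample1234", "sk_live_CONSTRUCTEDsample5678",
                   "rk_test_CONSTRUCTEDsample9012", "not-a-key"):
        print(mask_key(sample), "->", accept_plugin_key(sample))
```

The reason string is what the plugin would show the merchant; note that it only ever contains the masked form of the key.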

Stripe Apps and secure authorization

On January 1, 2024, Stripe introduced additional capabilities for Stripe Apps that made plugin authorization easier and more secure. Stripe Apps sync data between systems, simplify authentication, and can optionally display relevant UI in the Stripe Dashboard. All new and existing plugin developers must build OAuth 2.0 or restricted API key authorization via a Stripe App. All Stripe Apps are reviewed for accurate permissions before being published in the Stripe App Marketplace. Following the install steps for the app created by the third party ensures the app has access only to the necessary parts of your Stripe data.

Authentication with OAuth

Authentication with RAK (restricted API key)

How merchants can self-serve update their security

If your plugin developer has not updated to a Stripe App, you can generate a restricted API key for your integration on your own. Follow the steps below to set up and integrate the new key:

  1. Navigate to the API keys section in Stripe Dashboard.
  2. Create a new restricted key or clone an existing one:
    1. To start fresh, click "Create restricted key." By default, all permissions are set to "None."
    2. To clone, select "Duplicate key" from the options menu of the key you wish to copy. The cloned key's permissions become the defaults for the new key.
  3. Name your key clearly after the plugin that you’re using. For example, if you’re on rocketrides.com, you would name your key “RocketRides Restricted Key.”
  4. Adjust permissions for each resource, choosing from "None," "Read," or "Write." Specify permissions for connected accounts if using Stripe Connect.
  5. Click "Create key" to generate your new restricted API key.
  6. Verify your action via email or SMS, then input your code to finalize the process.
  7. Copy the newly displayed key value—remember, this is your only chance to copy it.
  8. Note where you've saved this key and click "Done."

By following these steps, you ensure a secure integration with third-party services that grants only the permissions the plugin needs.

New API key journey

Some users may experience a different API key creation journey. Follow these steps if applicable:

  1. Navigate to the API keys section in your Dashboard.
  2. Click "Create restricted key."
  3. Select "Providing this key to another website" and click “continue.”
  4. Enter the name and URL of the third-party application or plugin.
  5. Leave “Customize permissions for this key” unchecked unless instructed otherwise.
  6. Click “Create restricted key.”
  7. Verify your action via email or SMS, then input your code to finalize the process.
  8. Copy the newly displayed key value.
  9. Integrate the key by placing it in the appropriate fields in your third-party settings.

Re-authenticate using Stripe Connect Onboarding

Alternatively, your plugin may let you connect to your Stripe account using Stripe Connect onboarding. If that option is available, here’s how to use it:

  1. Go to the plugin’s website or dashboard that you want to link with your Stripe account.
  2. Look for a payments or integrations section. You’re aiming to find an option that says “Connect with Stripe.”
  3. Click the “Connect with Stripe” button. You’ll be redirected to a secure Stripe login page.
  4. Sign in to your Stripe account with your credentials.
  5. If available, review the permissions you’re about to grant to the plugin. It will outline what the plugin can do with your Stripe account.
  6. To give the plugin access, click “Authorize access.”
  7. After granting authorization, Stripe will confirm that the plugin is now connected to your account.
  8. Finally, you’ll be redirected to the plugin’s site or dashboard.
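The redirect flow in steps 3 to 8, modelled from the plugin's side as an added example (not code from this guide, from Stripe, or from any particular plugin). It shows what the plugin must do to keep the connection safe: bind an unguessable state value to the merchant's session, accept the callback only when that state matches and has not been used before, and exchange the authorization code for the account token server-side, so the merchant's browser never handles the token. The authorize URL and parameter names follow Stripe's Connect OAuth reference rather than this page; the plugin's redirect URI, client id and the stubbed token exchange are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Stripe Connect OAuth authorize endpoint (from Stripe's Connect OAuth reference,
# not from this guide). The redirect URI is a constructed example value.
AUTHORIZE_URL = "https://connect.stripe.com/oauth/authorize"
REDIRECT_URI = "https://plugin.example/stripe/callback"


class ConnectFlow:
    """Plugin-side state for the 'Connect with Stripe' redirect flow."""

    def __init__(self, client_id: str, redirect_uri: str, exchange_code):
        self.client_id = client_id          # the plugin's Connect client id (constructed here)
        self.redirect_uri = redirect_uri
        self.exchange_code = exchange_code  # server-side POST to the token endpoint
        self._pending = {}                  # state -> merchant session id, single use

    def start(self, session_id: str) -> str:
        """Step 3: build the URL the 'Connect with Stripe' button sends the merchant to."""
        state = secrets.token_urlsafe(32)   # unguessable and bound to this merchant session
        self._pending[state] = session_id
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "scope": "read_write",
            "redirect_uri": self.redirect_uri,
            "state": state,
        }
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def finish(self, callback_url: str, session_id: str) -> str:
        """Steps 7-8: handle the redirect back; returns the connected account id."""
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [""])[0]
        owner = self._pending.pop(state, None)   # pop: a state value can be used once
        if owner is None or owner != session_id:
            raise PermissionError("state missing, replayed, or bound to another session")
        if "error" in qs:                        # merchant declined at 'Authorize access'
            raise PermissionError(f"authorization refused: {qs['error'][0]}")
        code = qs.get("code", [""])[0]
        if not code:
            raise PermissionError("callback carried no authorization code")
        token = self.exchange_code(code)         # never done from the browser
        return token["stripe_user_id"]


def state_from_url(url: str) -> str:
    """Extract the state parameter from an authorize URL (used to simulate the redirect)."""
    return parse_qs(urlparse(url).query)["state"][0]


def fake_exchange(code: str) -> dict:
    """Constructed stand-in for the token endpoint so the example runs offline."""
    return {"stripe_user_id": f"acct_CONSTRUCTED_{code}", "access_token": "CONSTRUCTED"}


def demo() -> dict:
    """Run the happy path plus three misuse cases; returns the outcomes for inspection."""
    flow = ConnectFlow("ca_CONSTRUCTED", REDIRECT_URI, fake_exchange)
    cb = REDIRECT_URI + "?code=ac_CONSTRUCTED&state="

    state = state_from_url(flow.start("merchant-session-1"))
    connected = flow.finish(cb + state, "merchant-session-1")   # steps 6 to 8

    def rejected(callback: str, session: str) -> bool:
        try:
            flow.finish(callback, session)
            return False
        except PermissionError:
            return True

    return {
        "connected_account": connected,
        "replay_rejected": rejected(cb + state, "merchant-session-1"),
        "cross_session_rejected": rejected(
            cb + state_from_url(flow.start("merchant-session-1")), "other-session"),
        "refusal_rejected": rejected(
            REDIRECT_URI + "?error=access_denied&state=" + state_from_url(flow.start("s3")), "s3"),
    }


if __name__ == "__main__":
    print(demo())
```

The single-use, session-bound state is what stops a forged or replayed callback from linking someone else's Stripe account to a merchant's plugin session; the permission review in step 5 is enforced by Stripe at the authorize step, not by the plugin.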

Updating your WooCommerce Stripe plugin

Stripe and WooCommerce are working together to ensure that our shared customers are using enhanced security measures and have access to the latest features of the WooCommerce Stripe plugin, such as buy now pay later.

All merchants using the WooCommerce Stripe plugin are required to complete the following by October 29, 2024:

  1. Update the WooCommerce Stripe plugin to the latest version, 8.6.1.
  2. Re-authenticate your site’s connection to the Stripe platform.
  3. Turn on the new checkout experience.

Some WooCommerce Stripe plugin customers accept payment methods through the Sources API, an old integration that is shutting down. To continue accepting payments securely and avoid customer-facing breakage, these customers must complete the steps above by October 29, 2024.

Please see WooCommerce’s documentation to follow the steps. WooCommerce has also provided answers to the most common questions in the pinned posts on the public support forum for WooCommerce’s Stripe plugin.