How to give a SaaS tool read-only Stripe access safely
Most billing tools ask for your full secret key or broad OAuth scopes. Here is how restricted keys actually work, what scopes to grant, and how to verify a vendor can't touch your billing.
Most billing tools ask for your full secret key or broad OAuth scopes. Here is how restricted keys actually work, what scopes to grant, and how to verify a vendor can't touch your billing.
Every tool that plugs into Stripe asks for credentials, and most ask for far more than they need. A full secret key (sk_live_...) can charge cards, issue refunds, cancel subscriptions, and delete customers. Handing that to an analytics or recovery vendor means their bug — or their breach — becomes your billing incident.
Stripe has shipped the fix for years: restricted API keys. Almost nobody insists on them. You should.
A restricted key (rk_live_... or rk_test_...) is a Stripe API key where you choose permissions per resource: Customers, Subscriptions, Invoices, Charges, and so on, each set to None, Read, or Write.
Stripe enforces those scopes server-side on every request. A key with read-only scopes cannot create a charge no matter what the vendor's code does — the enforcement lives with Stripe, not with the vendor's promises.
For failed-payment and churn monitoring, read access to Customers, Subscriptions, and Invoices covers the core. Products, Prices, and Payment Methods (for card-expiry warnings) round it out. Everything else — Charges, Refunds, Payouts, Balance, Connect — should stay at None.
If a vendor says it needs write access 'just in case', that is the moment to ask exactly which API calls it makes. Retrying payments and sending billing portal links require write access; observing and alerting never do.
First: a trustworthy tool should reject secret keys outright at the connect step — accepting an sk_ key silently is a red flag by itself.
Second: Stripe logs every request a restricted key makes (Developers → Logs, filterable per key), so you can audit exactly what a vendor read and when. Third: you can revoke the key in Stripe at any moment and the vendor's access dies instantly — no support ticket required.
MRRdue goes one step further and probes its own key at connect time with a write-shaped request that cannot succeed: a 403 proves Stripe will refuse writes, and that verdict is shown as a 'Verified read-only' badge. A key that turns out to be over-permissioned triggers a warning with instructions to narrow it.
Create a dedicated restricted key per vendor (never share keys between tools). Grant Read only on the resources the tool names, None everywhere else. Confirm the tool rejects secret keys. Skim Stripe's request logs after the first sync. Note where to revoke.
Five minutes of setup, and the worst-case blast radius of any vendor incident drops to 'they read my billing metadata' — never 'they charged my customers'.
Explore the demo dashboard or estimate recoverable dollars with the free calculator. No Stripe connection required to start.