The Complete Guide to Requesting Stripe Restricted API Keys for Agencies

March 8, 2026
Trevor Anderson
9 min read
Platform Guides | E-commerce
Tags: stripe, payment gateway, api keys, restricted keys, client onboarding, pci compliance

Stripe is the financial backbone of modern SaaS and e-commerce. Because it handles live card processing, payouts, and customer banking data, a client's Stripe account is usually the most sensitive system they own.

When a development agency is hired to build a web application, integrate a billing portal, or set up a Zapier automation, they need Stripe API access.

The cardinal sin of agency onboarding is asking a client to paste their account-wide Secret Key into an email. In this guide, we cover the exact protocol for requesting Stripe access safely using Restricted Keys.

The Danger of the Global Secret Key

Every Stripe account has two primary keys out of the box: a Publishable Key (prefixed pk_live_ or pk_test_, safe to embed in frontend code) and a Secret Key (prefixed sk_live_ or sk_test_, which carries full API access and must never be exposed).

Historically, developers would simply ask the client for the Secret Key to connect an integration. Whoever holds a live Secret Key holds the whole account: if an agency employee leaves with it, or it is accidentally committed to a GitHub repository, an attacker can refund every customer, tamper with payouts, export customer data, and destroy the business overnight. A leaked Secret Key cannot be narrowed after the fact; it can only be rolled.

The Solution: Restricted API Keys (RAKs)

Stripe's Restricted API Keys exist to solve exactly this problem. A Restricted Key is an API token the client generates with a per-resource permission level (None, Read, or Write), so it can perform only the actions it was explicitly granted.

For example, if your agency is building a dashboard to display weekly revenue, you can be granted a Restricted Key that holds only Read access to Charges. If an attacker steals that key, they cannot issue refunds or touch payouts: Stripe rejects any call outside the key's permissions with an HTTP 403 Forbidden (the API key does not have permission to perform the request). Restricted Keys can also be edited or deleted later from the Dashboard, so the client can widen, narrow, or revoke your access as the engagement changes without ever touching their Secret Key.

How to Guide Your Client (The UI Method)

The permissions matrix for creating a Restricted Key is dense. You cannot simply ask a non-technical founder to "go make a Restricted Key"; you must hand them the exact permissions to select.

Send the client this exact SOP, but update Step 6 to reflect only the permissions your agency actually needs:

Action Required: Stripe Restricted API Key

To connect your billing infrastructure without compromising your core financial security, please generate a Restricted API Key.

1. Log into your Stripe Dashboard.
2. Look at the top-right menu and click the Developers button.
3. In the developer menu, click API keys.
4. In the "Restricted keys" section, click the Create restricted key button.
5. Give the key a clear name (e.g., "[Agency Name] Integration Key").
6. Scroll through the permissions matrix and grant ONLY these specific permissions, leaving every other resource at None:
   - Customers: Write
   - Charges: Read
   - Subscriptions: Write
7. Scroll to the bottom and click Create key. (Stripe will likely ask you to confirm with your two-step verification code.)
8. A pop-up will reveal the token starting with rk_live_.... Click to copy it.
9. Paste this key into our secure onboarding portal. (Do NOT email it.)
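Once the key lands in the portal, the agency should verify that it actually matches the SOP before wiring it into anything. The following Python is an added example written for this guide; it is not Stripe's code and not part of the original article. It assumes that each permission row in the SOP corresponds to the listed read-only GET endpoint, and it relies on Stripe's documented behaviour of answering HTTP 403 when a key lacks permission for a request. It rejects a pasted Secret Key outright (the danger described in the section above), then probes the account with GET requests only, so the audit never mutates anything; the probe list, verdict names and the STRIPE_RK environment variable are our own choices.

```python
"""Agency-side intake and least-privilege audit for a Stripe Restricted Key.

Added example for this guide (not Stripe's code, not the article's own code).
Assumptions, ours: the SOP's permission rows map to the read-only GET endpoints
below, and Stripe's documented HTTP 403 ("the API key doesn't have permissions
to perform the request") is the signal for a permission the key does not hold.
"""
import os
import re
import urllib.error
import urllib.request

STRIPE_API = "https://api.stripe.com"

# Stripe key prefixes: pk_ publishable, sk_ secret, rk_ restricted; second segment is live/test mode.
KEY_RE = re.compile(r"^(pk|sk|rk)_(live|test)_[A-Za-z0-9]+$")
KIND = {"pk": "publishable", "sk": "secret", "rk": "restricted"}


def classify_key(key):
    """Return (kind, mode) for a well-formed Stripe key, else raise ValueError."""
    m = KEY_RE.match(key.strip())
    if not m:
        raise ValueError("not a Stripe API key")
    return KIND[m.group(1)], m.group(2)


def intake_check(key, allow_test=False):
    """Onboarding-portal rule: accept only Restricted Keys. Returns (accepted, reason)."""
    try:
        kind, mode = classify_key(key)
    except ValueError as exc:
        return False, str(exc)
    if kind == "secret":
        # A pasted Secret Key is already exposed: the client should roll it, not just resubmit.
        return False, "secret key submitted: ask the client to roll it and create a Restricted Key"
    if kind == "publishable":
        return False, "publishable key submitted: it cannot authenticate server-side calls"
    if mode == "test" and not allow_test:
        return False, "test-mode key submitted: the live integration needs an rk_live_ key"
    return True, "restricted key accepted"


# Expected profile for the SOP (Customers: Write, Charges: Read, Subscriptions: Write).
# Only GET probes are used so the audit never changes the client's account.
EXPECTED = {
    "GET /v1/charges?limit=1": "allow",
    "GET /v1/customers?limit=1": "allow",
    "GET /v1/subscriptions?limit=1": "allow",
    "GET /v1/payouts?limit=1": "deny",  # Payouts permission was not requested
    "GET /v1/balance": "deny",          # Balance permission was not requested
}


def http_status(key, method, path):
    """Real transport: one authenticated request to Stripe, returning the HTTP status code."""
    req = urllib.request.Request(STRIPE_API + path, method=method)
    req.add_header("Authorization", "Bearer " + key)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def audit_key(key, transport=http_status):
    """Probe each endpoint and classify the outcome per permission row.

    Verdicts: 'ok' (matches the SOP), 'missing' (403 on a resource the integration
    needs), 'too_broad' (200 on a resource the key should not reach), or
    'unexpected:<code>' for anything else, such as 401 on a rolled key.
    """
    results = {}
    for spec, expectation in EXPECTED.items():
        method, path = spec.split(" ", 1)
        code = transport(key, method, path)
        if expectation == "allow":
            verdict = "ok" if code == 200 else "missing" if code == 403 else f"unexpected:{code}"
        else:
            verdict = "ok" if code == 403 else "too_broad" if code == 200 else f"unexpected:{code}"
        results[spec] = verdict
    return results


def is_least_privilege(results):
    """True only when every probe matched the SOP's permission matrix."""
    return all(v == "ok" for v in results.values())


if __name__ == "__main__":
    # Usage: STRIPE_RK=rk_live_... python audit_rk.py   (one real GET per row in EXPECTED)
    candidate = os.environ.get("STRIPE_RK", "")
    accepted, reason = intake_check(candidate)
    print(reason)
    if accepted:
        verdicts = audit_key(candidate)
        for spec, verdict in verdicts.items():
            print(f"{verdict:14} {spec}")
        print("least privilege:", is_least_privilege(verdicts))
```

A "too_broad" verdict means the client ticked more than the SOP asked for and should edit the key in the Dashboard; a "missing" verdict means a call the integration depends on will fail with 403 in production, which is far better to learn from this script than from a failed subscription creation on launch day.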

Developer Team Access

If your agency is fully managing the Stripe setup, including configuring Webhooks, Products, and Pricing schemas, a Restricted Key is not enough. You need UI access to the Dashboard.

Instead of sharing passwords, instruct the client to add your developer as a named Team Member:

1. Go to Settings > Team > + New member
2. Enter the developer's email address.
3. Assign the Developer role. (This grants access to API keys, webhooks, logs, and product and pricing settings, but not to the business's bank account routing or payout details.)

Because the Developer role can view and roll the account's API keys, it is strictly broader than any Restricted Key. Request it only when Dashboard configuration genuinely requires it, make sure the developer's own login has two-step authentication enabled, and have the client remove the member when the engagement ends.

The Enterprise Standard

Passing rk_live tokens around in email chains or Slack messages leaves long-lived credentials sitting in searchable, forwardable message history, which is both a PCI compliance liability and an unnecessary risk.

Elite development and RevOps agencies utilize automated onboarding platforms like OneClick Onboard to establish end-to-end encrypted tunnels for credential collection, ensuring sensitive API strings are captured, masked, and forwarded securely without ever hitting an inbox.

Frequently Asked Questions

What is a Stripe Restricted API Key?

Unlike a standard Secret Key, which has full read/write access to the entire Stripe account, a Restricted Key is scoped to specific resources at Read or Write level (e.g., Read-only access to Charges), so a leaked key exposes only what it was granted.

How do I create a Stripe Restricted Key?

In the Stripe Dashboard, click Developers > API keys. Click 'Create restricted key', define a name, use the matrix to select the exact read/write permissions required, and click create.

Should a client share their Stripe login?

No. Sharing a Stripe login violates the PCI DSS requirement that every user have their own individual credentials, and it exposes the client's payout routing. Developers should only be granted Team Member access or be provided explicitly scoped Restricted API Keys.

Ready to simplify client onboarding?

OneClick Onboard makes client access simple, secure, and fast. Join hundreds of agencies optimizing their workflow.

Get Started Free