Title: What api permissions does the plugin require?
Last modified: June 20, 2023

---

# What api permissions does the plugin require?

 *  Resolved [smartyp](https://wordpress.org/support/users/smartyp/)
 * (@smartyp)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/what-api-permissions-does-the-plugin-require/)
 * I’m trying to connect the plugin using a restricted api key (as using the main
   standard key is a big security risk – it gives permission for everything)
 * Can you confirm which resource/permissions are required for the plugin to work?
 * So far I’m just getting this error:-
   _IntegrationError: You should not use a restricted key with Stripe.js. Please pass a publishable key instead._

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Support [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/what-api-permissions-does-the-plugin-require/#post-16832491)
 * Hi, our plugin uses the standard API keys mentioned in the following documentation.
 * [https://s-plugins.com/general-settings-configuration-of-stripe-payments-plugin/](https://s-plugins.com/general-settings-configuration-of-stripe-payments-plugin/)
 * We currently don’t have any other option unfortunately. The current API is secure
   enough. If it wasn’t, then they would not advertise the API at all. If you don’t
   mind me asking, can you share why you need such a strict API in your site? And,
   why the current API recommended by Stripe is not safe for you?
 * Kind regards.
 *  Thread Starter [smartyp](https://wordpress.org/support/users/smartyp/)
 * (@smartyp)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/what-api-permissions-does-the-plugin-require/#post-16835139)
 * It’s not the api that’s insecure – it’s the use of keys that have unlimited access
   to everything. No app should ever have more permissions than it needs. That’s
   basic security. 🙂 This is why Stripe introduced restricted api keys in 2017:-
   
   [https://stripe.com/blog/u2f-restricted-keys](https://stripe.com/blog/u2f-restricted-keys)
 * The main api key has permissions to do pretty much anything on a Stripe account –
   so if those keys are compromised that’s big trouble. It only takes one plugin/
   theme to ever have a security hole.
 * E.g. see the recent case where someone had their keys stolen, probably from a
   mysql injection attack – those keys were then used to create a new Stripe sub
   account with different bank details and make large volumes of charges that ended
   up in the hacker’s account. Stripe are pursuing the real owner of that account
   for the refunds (around $70,000)!
 * Using a restricted key makes this kind of thing impossible. Nobody should be 
   using the main api key on a website.
 *  Plugin Support [mbrsolution](https://wordpress.org/support/users/mbrsolution/)
 * (@mbrsolution)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/what-api-permissions-does-the-plugin-require/#post-16835384)
 * Thank you for providing more information regarding the use of restricted API 
   Keys. I have submitted a message to the developers to investigate further your
   issue/request.
 * Kind regards.
 *  Plugin Author [mra13 / Team Tips and Tricks HQ](https://wordpress.org/support/users/mra13/)
 * (@mra13)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/what-api-permissions-does-the-plugin-require/#post-16838671)
 * Hi, 
   The permissions required will vary based on the features of the plugin and
   any potential add-ons utilized on your website. Currently, we do not possess 
   a comprehensive list of these permissions. Therefore, determining the appropriate
   permissions may involve an iterative process of trial and error.
 * If you are using just the core plugin (mainly one time transactions), the following
   permissions on a restricted key will do the job:
    - Charges
    - Customers
    - PaymentIntents
    - PaymentMethods
    - Checkout Sessions
    - Webhook Endpoints
 * Let me know if that works for you.
 *  Thread Starter [smartyp](https://wordpress.org/support/users/smartyp/)
 * (@smartyp)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/what-api-permissions-does-the-plugin-require/#post-16838731)
 * Thanks.
 * Are write permissions required for all of those? I tried with write anyway just
   in case, but it looks like more permissions are required as I get the same error
   as above.
 * This is for the basic core plugin, no addons, just one-time transactions.


The topic ‘What api permissions does the plugin require?’ is closed to new replies.
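
The Stripe.js error quoted in the thread is raised when the browser-side library is given a key that is not a publishable one. As an added example (not the plugin's code and not from any poster), this check classifies keys by Stripe's `pk_`/`sk_`/`rk_` prefixes and reviews a pair of settings values; the field names `publishableKey` and `secretKey` and the sample key strings are assumptions constructed for illustration.

```javascript
// Added example: classify Stripe keys by prefix and check that each settings
// field holds the right kind of key. Field names are hypothetical, not the plugin's.
const KEY_PATTERN = /^(pk|sk|rk)_(test|live)_[A-Za-z0-9]+$/;
const KINDS = { pk: "publishable", sk: "secret", rk: "restricted" };

function classifyKey(key) {
  const m = KEY_PATTERN.exec(String(key).trim());
  return m ? { kind: KINDS[m[1]], mode: m[2] } : { kind: "unknown", mode: null };
}

function checkSettings({ publishableKey, secretKey }) {
  const findings = [];
  const pub = classifyKey(publishableKey);
  const sec = classifyKey(secretKey);

  // The publishable field is sent to the browser for Stripe.js, so anything
  // other than a pk_ key there is both rejected and exposed to visitors.
  if (pub.kind !== "publishable") {
    findings.push(`publishable field holds a ${pub.kind} key; Stripe.js needs pk_...`);
  }
  // Server-side API calls accept a secret (sk_) or a restricted (rk_) key.
  if (sec.kind !== "secret" && sec.kind !== "restricted") {
    findings.push(`secret field holds a ${sec.kind} key; expected sk_... or rk_...`);
  }
  // Test and live keys belong to different data sets and must not be mixed.
  if (pub.mode && sec.mode && pub.mode !== sec.mode) {
    findings.push(`mode mismatch: ${pub.mode} publishable key with ${sec.mode} server key`);
  }
  // Least privilege: flag an unrestricted live secret key on the server side.
  if (sec.kind === "secret" && sec.mode === "live") {
    findings.push("server key is an unrestricted live secret key; consider a restricted key");
  }
  return findings;
}

// Constructed sample values, not real keys.
const SAMPLE_RESTRICTED = "rk_live_EXAMPLEconstructed0001";
const SAMPLE_PUBLISHABLE = "pk_live_EXAMPLEconstructed0002";
const SAMPLE_SECRET = "sk_live_EXAMPLEconstructed0003";
```
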


 * 5 replies
 * 3 participants
 * Last reply from: [smartyp](https://wordpress.org/support/users/smartyp/)
 * Last activity: [2 years, 11 months ago](https://wordpress.org/support/topic/what-api-permissions-does-the-plugin-require/#post-16838731)
 * Status: resolved