Stripe Connect | Account id safe to expose?

Question

I have a current setup with Stripe and Laravel as a backend. Everything is working perfectly and as expected but I have a question regarding security.

As I have a React frontend to take payments, I am using the package @stripe/react-stripe-js which is Stripes official package.

With the package you obviously have to load in Stripe and pass in you public key and in this scenario the connected accounts id. I've done this thus far, but the frontend uses a API call to see what the order is and the price etc, with that call sits the connected accounts id so I can append it into the load stripe method.

const stripePromise = loadStripe(
  'xxxxx',
  {
    stripeAccount: 'xxxxx',
  }
)

As this has to return in plain text so Stripe can read it, I wanted to know other peoples opinions on whether or not this is safe to expose the connected accounts id.

I can't really see any other way around it, I could encrypt / decrypt somehow but even still, that's accessible to the client side version so it is still visible.

I've read the Stripe documentation which can be found here https://stripe.com/docs/connect/authentication#adding-the-connected-account-id-to-a-client-side-application and it seems as though they hold it in plain text.

With all this mentioned, the secret key is obviously never exposed to the frontend and all of that creating the Payment Intent is handled in the backend.

hmunoz · Accepted Answer

Yes, it is fine to keep the Connect account ID public.

A Stripe account ID (e.g. acct_123) is intended to be used client-side as well as server-side, with your respective Stripe API keys.

The Account ID will only work if your Platform is "connected" to that existing Stripe account, otherwise the account ID is useless if used with an unrelated Platform's API key (the Stripe API validates that and returns an error).

Stripe Connect | Account id safe to expose?

Answers (2)

Related Questions