LoF10

Reputation: 2127

Stripe Connect - How do I use tokens in the most secure fashion to pass sensitive data?

I am building a Stripe backend where users will be able to create custom Connect accounts with Stripe's API. I am using React as my frontend. I am trying to understand the most secure way to do this. Below is what I am doing, and I would like to know if someone can either corroborate that this is the proper way to use tokenization or if I am approaching this incorrectly?

React sends sensitive data (account numbers, SSN, etc.) to my Node server -->

stripe.tokens.create in my Node server produces a token -->

token is returned to React, where I then send the token to Stripe's API -->

stripe.accounts.create creates the account and onboarding finishes with some extra info if need be

Is this the proper use of tokenization? Stripe provides Node examples to produce tokens, so I assumed this was the correct way.

Upvotes: 0

Views: 83

Answers (1)

Nolan H

Reputation: 7419

Assuming you're talking about account tokens for collecting PII without handling the data directly on your servers, you've got it a bit flipped around.

The expected flow is:

  1. Load Stripe.js in your client application
  2. Have your user provide their details in your form
  3. Submit those details to Stripe via Stripe.js and createToken('account', {...}) to get an account token (or 'person' for a person token)
  4. Use that account token to create or update a connected account with the tokenized PII (or a person).

Upvotes: 1
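The flow from the answer above, as an added example that is not part of the original answer or Stripe's own sample code. The function names, the form field names, the `accountToken` request field, the country and the requested capability are assumptions; `stripeJs` stands for a Stripe.js instance in the browser and `stripe` for a stripe-node client on the server, both passed in so the two halves can be exercised with stubs.

```javascript
// Added example. Browser side: PII goes from the form straight to Stripe via
// Stripe.js; only the resulting token id is handed to your own backend.
async function tokenizeAccount(stripeJs, form) {
  const { token, error } = await stripeJs.createToken('account', {
    business_type: 'individual',
    individual: {
      first_name: form.firstName, // form field names are assumed
      last_name: form.lastName,
      ssn_last_4: form.ssnLast4,
    },
    tos_shown_and_accepted: true,
  });
  if (error) throw new Error(error.message);
  return { accountToken: token.id }; // the only body POSTed to your server
}

// Server side: accept the token id and nothing else, so raw PII sent by a
// buggy or outdated client is rejected before it can be parsed or logged.
async function createConnectedAccount(stripe, body) {
  const keys = Object.keys(body || {});
  const ok =
    keys.length === 1 &&
    keys[0] === 'accountToken' &&
    typeof body.accountToken === 'string' &&
    body.accountToken !== '';
  if (!ok) throw new Error('request must contain only an account token');

  const account = await stripe.accounts.create({
    type: 'custom',
    country: 'US', // assumed for the example
    capabilities: { transfers: { requested: true } }, // assumed capability
    account_token: body.accountToken, // tokenized PII, never the raw values
  });
  return account.id;
}
```

The server function never reads the individual's details; if onboarding needs more data later, the same pattern applies with a fresh token passed to an account update.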
