Stripe Payments - Using a Restricted API Key

Modified on Tue, 23 Jul at 10:25 AM

RollCall are thankful for the contributions our clients openly share with us to improve our product and training resources.

The following information is courtesy of our collaboration with Wilson Cheng - ICT Director and Technologies Teacher at St George Christian School.

RollCall encourage our clients to exercise caution when granting permissions to their systems via API connections. The Stripe payment facility allows clients to set up Restricted Keys which limit the permissions to your payment facility to only those that are necessary for the thrid-party processing to be successful.

Below are the specific permissions RollCall needs:

Charges:
- Create and capture charges
- View and refund charges
Customers:
- Create and update customer data
- View customer data
Payment Methods:
- View and manage payment methods associated with customers
Payment Intents:
- Create and confirm payment intents
- View payment intent details
Webhooks:
- Create and manage webhook endpoints
- Receive event notifications
Balance:
- View account balance and transactions (for reconciliation purposes)
Reporting:
- Access basic reporting features for transaction history

We do not require permissions for:

Managing your Stripe account settings
Viewing or managing your payout schedule
Accessing other Stripe products not related to payment processing

And here is how this looks in your Stripe Admin console when you Create a Restricted API Key

Change the following Permissions in the core resources list

And the Reporting resources list

All other API resources can remain as permission = None

Instead of your full Admin rights Secret key, you can then provide us with the Publishable Key and the Restricted key created specifically for your RollCall payment gateway.

If you have any questions about these permissions or need assistance with setting them up, please don't hesitate to contact us via support@rollcall.com.au