Storing each customer's Stripe configuration in SaaS application

Question

The website builder SaaS application has a feature that lets customers connect their Stripe accounts to their website and receive money. Each user (website owner) of this SaaS application has a Stripe account.

During the development phase of the application, we were just storing Stripe public/private keys of each customer in the internal database in an encrypted way. But even if it's encrypted, this is not the way to go in a Production environment for us.

What would be the proper approach to store sensitive Stripe configuration for each account in the database securely?

Answer 1

Use Stripe's restricted API keys

Stripe has restricted API keys that allow Stripe's customers to give a subset of the permissions to a key that it can then share with a 3rd party service.

From Stripe's documentation https://stripe.com/docs/keys#limit-access

Limiting access with restricted API keys A restricted API key allows only the minimum level of access that you specify. Restricted keys cannot interact with many parts of Stripe’s API and are intended to reduce risk when using or building microservices. They should not be used as an alternative to your account’s API keys during development of your Stripe integration.

Use restricted API keys if you’re working with microservices that interact with the Stripe API on your behalf. You can create restricted API keys that limit access to, and permissions to specific account data. For example, you can create a restricted key that grants read-only access to dispute data, then use it with a dispute monitoring service.

STORE RESTRICTED API KEYS / ENCOURAGE KEY ROTATION

These restricted keys are much less of a security risk than a full API key which is akin to "root" access. Encrypted storage of these restricted keys could meet your security needs. Also educating your customers of best practices including API key rotation would help reduce and share risk with your customers.

Answer 2

What you're describing seems to imply you are using (or should be using) Stripe Connect. This lets you build a platform where other businesses can connect their Stripe account to your platform, giving you read/write access on their account.

You can use the OAuth flow documented here if your users already have a Stripe account, or you can simply create one yourself for them via the API and then redirect them to Stripe onboard as documented here.

Once the account is connected, you can write code that uses your own platform's Secret API key and the connected account's id acct_123456 passed in the Stripe-Account header when making requests on their behalf. This is something Stripe documents cleanly here. In this world you never have to store their API key, encrypt them or roll them. All you need is your own API key kept securely on your server and their account id obtained during the connection.