This post is to lobby for OAuth Integration with Stripe.
The primary reason is for Security and Control.
Here is my logic flow:
- Stripe is one of the most (if not the most) sensitive APIs that a 3rd party can tie in to.
  - Stripe processes charges on real customers with real money.
  - Their API is fully functional, meaning that many sensitive tasks can be accomplished using the API.
- Stripe does not have the ability to make multiple API keys.
- If the Stripe API keys are given to 3rd parties (as Klipfolio is asking), the safety of that key is now only as good as the weakest player.
- If it is determined that a 3rd party has a "Trust" issue down the road, users must roll the API key in Stripe that is used by ALL applications (internal and 3rd party).
- The act of having to roll and modify keys in multiple places is a lot of work and prone to errors.
- Again, given the sensitive nature of payment processing, these errors can be devastating.
The Solution:
- Klipfolio can implement OAuth (like they have with many other services).
- By using OAuth, if there is a trust situation with Klipfolio (or any other internal or 3rd party application), the "blast radius" is limited to the one bad actor.
- Klipfolio customers can quickly remove authorization or take the appropriate action - problem solved.
My 2 cents: Creating a new OAuth flow should be easy since you have done this many times before, and it will provide an immense amount of value to your customers (perhaps the most of any OAuth integration written to date).