When integrating Stripe into your application, it’s important to follow the principle of least privilege. That means granting only the exact permissions your app needs to operate—nothing more. This keeps your integration secure, compliant, and efficient.
Below is a table outlining the minimum recommended permissions and the reasons behind them.
Minimum Stripe API Permissions
Name | Permission | Reason |
Apple Pay Domains | Read | Retrieve information about Apple Pay domains for checkout compatibility. |
Customers | Write | Create new customers when users register or subscribe. |
Payment Intents | Write | Create Payment Intents to process transactions. |
Payment Methods | Read | Fetch and validate customer payment methods. |
Payment Method Domains | Read | Confirm that your domains are authorized for payment methods. |
Products | Read | Retrieve product data to display plans or items. |
Setup Intents | Write | Save customer payment details for future use. |
Checkout | Write | Create Checkout Sessions for Stripe-hosted checkout flows. |
Coupons | Read | Retrieve and validate discounts during checkout. |
Invoices | Read | Fetch and display customer invoice information. |
Prices | Read | Retrieve current pricing for products and subscriptions. |
Subscriptions | Write | Create and manage recurring billing subscriptions. |
Connect | Read | Read account information to properly connect your keys. |
All Webhooks | Read | Receive Stripe event notifications (e.g., payment succeeded, subscription renewed). |