
How to create a Stripe restricted API key

A Stripe API key is a credential that lets another tool or a developer connect to your Stripe account and work with your data through the Stripe API, instead of someone logging in by hand. The safest kind to hand out is a restricted API key (a key that starts with rk_), because you choose exactly which parts of Stripe it can touch and you can set each one to read-only. That means a connected tool can pull your payments, payouts, invoices, or customer records to report on them, without being able to issue refunds, change settings, or move money. The older "secret key" (sk_) has unrestricted access to everything, so Stripe now recommends a restricted key for new connections. You can revoke a restricted key at any time from your dashboard, and doing so instantly cuts off whatever was using it. This guide walks through creating a read-only restricted key, copying it once, and deleting it when you no longer need it.

Time to complete: about 5 minutes
Steps: 6

Keep this credential safe

A Stripe API key is like a password: anyone who has it can reach the data and actions it allows, with no further login. Protect it by scoping it tightly (use a restricted key set to Read for only the resources that are needed, and leave everything else at None), and by creating a sandbox or test-mode key before a live one. Share it only through a secure method such as a password-manager share link, never plain text email or chat, and never commit it to code or a public repository. Delete, expire, or rotate the key as soon as it is no longer needed or if you suspect it has been exposed. Stripe will never ask you for your secret key.

Access to grant

Restricted API key (rk_), with each required resource set to Read and everything else left at None. Create it in a sandbox or test mode first, then a matching live-mode key.

Who you're granting access to

  • The developer, consultant, or tool that will read your data through the Stripe API.

Before you start

  • A Stripe account, and an admin role on it (you may be prompted for two-step verification when you create the key).
  • A clear idea of which data the connected tool needs to read, for example payments, payouts, invoices, or customers, so you only grant those.
  • A secure way to hand the key over, such as a password manager that can share a single item, rather than email or chat.

Step by step

  1. Open the API keys page

    Sign in to the Stripe Dashboard. In the left menu open Developers, then choose API keys. On accounts using Stripe's newer Workbench developer view, the same page lives in the Workbench API keys tab instead. Either way, dashboard.stripe.com/apikeys takes you straight there. Build and test against a sandbox or test-mode key first, then repeat for a live key once you are happy, so a mistake never touches real money. The mode toggle is at the top of the page.

  2. Start a new restricted key

    On the API keys page, find the Restricted keys section and click "Create restricted key". Do not hand out the unrestricted "secret key" (sk_) listed in Standard keys, because it can do anything in your account.

  3. Name the key so you remember what it is for

    In the Key name field, type a name that explains who or what will use it, for example "reporting-tool-readonly" or "acme-consulting-read". A clear name makes it easy to spot and revoke the right key later.

  4. Set the permissions you need to Read, and leave the rest at None

    Every resource starts at None. For each resource the connected tool needs to read, such as Charges, PaymentIntents, Payouts, Invoices, or Customers, choose Read. Do not select Write unless the tool genuinely needs to create or change records, because Write also includes Read. Leaving everything you are unsure about at None is the safe default. If you use Stripe Connect, set the connected-accounts permission the same careful way.

  5. Create the key and complete verification

    Click "Create key". Stripe may ask you to confirm with two-step verification before it finishes. Once verified, the new restricted key value (rk_...) is shown.

  6. Copy the key once and store it safely

    Click the key value to copy it. Stripe shows a user-created key in full only at this point, so save it straight away into a password manager or your secrets vault, never a plain text file, email, or chat. You can add a note recording where you stored it, then click Done. To give it to a developer or tool, share it through a password-manager share link rather than pasting it into a message.

Removing access afterwards

  1. Sign in and open the API keys page: Developers, then API keys (or the API keys tab in Workbench). dashboard.stripe.com/apikeys goes straight there.
  2. Find the restricted key by its name in the Restricted keys list.
  3. Open the overflow menu (the three dots) next to it.
  4. Choose "Expire key" to revoke it immediately, or "Roll key" / "Rotate key" to replace it with a new value and retire the old one (you can set a short delay of up to 7 days so a running tool can swap over).
  5. Confirm in the dialog. An expired key stops working straight away.

If that option is not available

If you would rather not create a key yourself, most reporting and accounting tools can connect to Stripe with a one-click "Connect" or OAuth flow from inside their own setup screen, which signs you into Stripe and asks you to authorise the connection. That avoids handling a raw key at all, and you can disconnect it later from Settings, then Connected apps in your Stripe Dashboard. You should never need to share your Stripe login password.

Frequently Asked Questions

What is the difference between a secret key and a restricted key?

A secret key (sk_) has unrestricted access to your whole Stripe account, so it can read, change, refund, and configure anything. A restricted key (rk_) only does what you allow, resource by resource, and can be set to read-only. Stripe recommends a restricted key for new connections, so hand out a restricted key rather than your secret key.

Which permissions should I grant?

When you create the restricted key, every resource defaults to None. Set only the resources the tool needs to Read, and leave the rest at None. Avoid Write unless it is genuinely required, because Write permission also grants Read. A key with only Read permissions cannot issue refunds, move money, or change settings.
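Step 4 and the answer above both say that a key with only Read permissions cannot issue refunds. The script below is an added example, not Stripe's own code and not part of the original page, that checks this against a key you hold before you hand it over: it reads one charge, then sends a refund request with an empty body, so a correctly scoped key is refused at Stripe's permission check and a wrongly scoped key fails on a missing parameter instead of creating anything. The status codes it expects (200 for an allowed read, 403 for a denied permission, 400 for a permitted write with missing parameters, 401 for an invalid key) are assumptions about how the Stripe API responds, and `simulated_transport` is a constructed stand-in so the example runs offline.

```python
from __future__ import annotations

import base64
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A transport takes (method, path, key) and returns (HTTP status, decoded JSON body).
Transport = Callable[[str, str, str], Tuple[int, dict]]

API_BASE = "https://api.stripe.com/v1/"


def _json_body(resp) -> dict:
    try:
        return json.load(resp)
    except ValueError:  # non-JSON body (e.g. a proxy error page)
        return {}


def stripe_transport(method: str, path: str, key: str) -> Tuple[int, dict]:
    """Live transport: HTTP basic auth with the key as the username and an
    empty password, which is how the Stripe API authenticates requests."""
    data = b"" if method == "POST" else None  # the POST probe always has an EMPTY body
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    token = base64.b64encode(f"{key}:".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if method == "POST":
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, _json_body(resp)
    except urllib.error.HTTPError as err:
        return err.code, _json_body(err)


def check_read_only(key: str, transport: Transport = stripe_transport) -> Dict[str, bool]:
    """Probe one Read resource and one Write action without changing anything.

    Assumed Stripe behaviour (an assumption, not stated on the page):
      GET  charges?limit=1      -> 200 if Charges is Read or Write, 403 if None
      POST refunds (empty body) -> 403 if Refunds is None; 400 (missing parameter)
                                   if the key could write, so no refund is ever created
      either call               -> 401 if the key itself is invalid or expired
    """
    read_status, _ = transport("GET", "charges?limit=1", key)
    write_status, _ = transport("POST", "refunds", key)
    key_valid = read_status != 401 and write_status != 401
    return {
        "key_valid": key_valid,
        "can_read_charges": read_status == 200,
        "can_write_refunds": key_valid and write_status != 403,
        "read_only": read_status == 200 and write_status == 403,
    }


def simulated_transport(permissions: Dict[str, str]) -> Transport:
    """Constructed stand-in for the Stripe API so the example runs offline.
    `permissions` maps a resource name to "none" | "read" | "write", mirroring
    the per-resource setting in the dashboard; an sk_ key is treated as Write
    on everything, any other prefix as an invalid key."""
    resource_for = {"charges": "Charges", "refunds": "Refunds"}

    def transport(method: str, path: str, key: str) -> Tuple[int, dict]:
        if not key.startswith(("rk_", "sk_")):
            return 401, {"error": {"message": "Invalid API Key provided (simulated)"}}
        resource = resource_for[path.split("?")[0]]
        level = permissions.get(resource, "none") if key.startswith("rk_") else "write"
        if method == "GET" and level in ("read", "write"):
            return 200, {"object": "list", "data": []}
        if method == "POST" and level == "write":
            return 400, {"error": {"message": "Missing required parameter (simulated)"}}
        return 403, {"error": {"message": "Key lacks permission for this endpoint (simulated)"}}

    return transport


if __name__ == "__main__":
    key = os.environ.get("STRIPE_KEY")  # set this to an rk_test_ key to probe the real API
    if key:
        result = check_read_only(key)
    else:
        result = check_read_only("rk_test_FAKE", simulated_transport({"Charges": "read"}))
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["read_only"] else 1)
```

Run it with `STRIPE_KEY` set to the sandbox key from step 5 and it exits non-zero if the key can write refunds or cannot read charges; without the variable it runs against the simulation. Because the refund probe never carries a charge or payment intent, it cannot create a refund even against a key that was mistakenly given Write.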

How should I store and share the key?

Treat the key like a password. Store it in a password manager or secrets vault, and share it through a secure share link rather than pasting it into email or chat. Never put it in client-side code or a public repository. If a key is ever exposed, rotate it immediately. Stripe also monitors for leaked keys and may deactivate them automatically.
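The advice above, and in the "Keep this credential safe" section, to never put a key in code or a repository is easiest to enforce with a check that runs before a commit lands. The scanner below is an added example, not from the page and not Stripe's tooling: it finds sk_ and rk_ key-shaped strings in text, never prints the full value, and ranks an unrestricted live secret key above a read-only test key so a pre-commit hook can block the former and merely warn on the latter. The regular expression's minimum length and the sample .env content are constructed assumptions; Stripe does not publish a fixed key length.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Matches the two key families this guide discusses: unrestricted secret keys (sk_)
# and restricted keys (rk_), in live or test mode. The length bound is an assumption.
STRIPE_KEY_RE = re.compile(r"\b(sk|rk)_(live|test)_([0-9A-Za-z]{16,})\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "secret" (sk_) or "restricted" (rk_)
    mode: str      # "live" or "test"
    masked: str    # prefix plus last four characters; the full value is never stored
    severity: str  # "critical" | "high" | "medium" | "low"


def classify(kind: str, mode: str) -> str:
    """Rank by blast radius: unrestricted and live is worst, scoped and test is least bad."""
    if kind == "sk" and mode == "live":
        return "critical"   # can refund, move money and change settings
    if kind == "rk" and mode == "live":
        return "high"       # scoped, but real customer and payment data
    if kind == "sk":
        return "medium"     # test data only, but an unrestricted key in a repo is a habit to break
    return "low"


def mask(kind: str, mode: str, body: str) -> str:
    return f"{kind}_{mode}_" + "****" + body[-4:]


def scan(text: str) -> List[Finding]:
    """Return one Finding per key-shaped string, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in STRIPE_KEY_RE.finditer(line):
            kind, mode, body = match.groups()
            findings.append(Finding(
                line_no=line_no,
                kind="secret" if kind == "sk" else "restricted",
                mode=mode,
                masked=mask(kind, mode, body),
                severity=classify(kind, mode),
            ))
    return findings


def blocking_findings(text: str) -> List[Finding]:
    """Findings a pre-commit hook should refuse outright (live-mode keys)."""
    return [f for f in scan(text) if f.severity in ("critical", "high")]


# Constructed sample: a .env file a developer is about to commit. The key
# values are fake placeholders, not real Stripe keys.
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:app@localhost/app
STRIPE_SECRET_KEY=sk_live_FAKE0000000000000000000000001234
STRIPE_READONLY=rk_test_FAKE0000000000000000000000005678
STRIPE_PUBLISHABLE=pk_live_notakeyfamilythisscannercaresabout
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENV):
        print(f"line {finding.line_no}: {finding.severity:8} {finding.kind} {finding.mode} key {finding.masked}")
    raise SystemExit(1 if blocking_findings(SAMPLE_ENV) else 0)
```

Wired into a pre-commit hook, the script exits non-zero whenever a live key is staged, which is the moment to expire or roll that key in the dashboard rather than merely delete the line, since the value has already left the secrets vault.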

Can I see the key again later?

No. Stripe shows a key you created in full only once, at creation time. If you lose it, you cannot recover it. Roll or expire the old key and create a new one, then store it carefully this time.

How do I revoke a key?

Open the API keys page (Developers, then API keys, or the API keys tab in Workbench), find the restricted key by its name, open the three-dot menu, and choose Expire key to cut it off immediately, or Roll key to replace it with a new value. Because revoking is instant, it is good practice to create a key for a specific engagement and expire it as soon as the work is done.

Should I create a test-mode key first?

Yes. Create and test against a sandbox or test-mode restricted key (rk_test_) before you make a live one. Test mode does not touch real payments, so you can confirm the connection works and the permissions are right before any live data is involved. Then create a matching live-mode key.

Steps last checked against Stripe on 2026-06-10.

Based on official Stripe documentation: Stripe Docs: API keys, Stripe Docs: Restricted API keys, Stripe Docs: Best practices for managing secret API keys. Stripe is a trademark of its respective owner; this guide is independent and for instruction only.

Want this handled for you?

Clever Ops connects and automates the systems mid-market businesses already run. Book a free assessment and we will map your stack.