by todsacerdoti 1978 days ago
I disagree with the argument that any integration platform that requests your Stripe keys is a "ruse to harvest api secrets." At Pipedream, our Stripe integration requires the user to authenticate using their keys as well - https://pipedream.com/apps/stripe
2 comments

Okay, why can't you use the Stripe Connect[0] OAuth API? It's generally considered bad practice to ask for and store passwords for other services.

[0] https://stripe.com/docs/connect

Stripe Connect & OAuth was something we thought about. It's definitely recognised as a more secure method and it's also low friction to integrate. The only drawback comes into play with marketplace and platform apps. The platform itself may already be using OAuth with their customer.

We could offer our customers both options and let them choose which one is best.

Stripe has dedicated application API keys for precisely this purpose. You are likely doing it wrong.