
Why We Only Accept Restricted API Keys

Billy Team · March 5, 2026 · 5 min read

The Problem With Stripe's Secret Key

Your Stripe secret key — the one that starts with sk_live_ — can do everything. Create charges, issue refunds, delete customers, modify your account settings, even change your bank account. It's the master key to your revenue infrastructure.

And yet, we see teams paste it into Slack channels, store it in .env files synced to GitHub, and share it with every third-party integration that asks for "Stripe access."

This is the billing equivalent of giving every employee the root password to your production database.
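A concrete way to catch the ".env synced to GitHub" case is a pre-commit or intake scanner that recognises Stripe-shaped tokens and treats them by type. The script below is an added example (not Agent Billy's code). The prefixes it matches are Stripe's real conventions: `sk_` full-access secret keys, `rk_` restricted keys, `pk_` publishable keys, each in `live` or `test` mode. The severity ladder, the sample file contents and the key suffixes are constructed for the example.

```python
import re
from dataclasses import dataclass

# Stripe key shapes (real prefixes): sk_ = full-access secret key, rk_ = restricted key,
# pk_ = publishable key. Everything that matches is worth a look; only sk_live_ is fatal.
STRIPE_KEY_RE = re.compile(r"\b(?P<kind>sk|rk|pk)_(?P<mode>live|test)_[A-Za-z0-9]{8,}\b")

# Severity per key type (constructed policy for this example).
SEVERITY = {
    ("sk", "live"): "block",   # full-access production key: never in source or chat
    ("sk", "test"): "warn",    # test-mode secret key: still a credential, still not for git
    ("rk", "live"): "review",  # restricted key: fine in a secret store, confirm its scopes
    ("rk", "test"): "review",
    ("pk", "live"): "info",    # publishable keys are designed to be public
    ("pk", "test"): "info",
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    mode: str
    severity: str
    redacted: str  # enough for the owner to recognise the key without reprinting it


def redact(token):
    """Keep the prefix and the last four characters, mask the rest."""
    return token[:8] + "*" * max(0, len(token) - 12) + token[-4:]


def scan_text(path, text):
    """Scan one file's contents; return a Finding per Stripe-shaped token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in STRIPE_KEY_RE.finditer(line):
            kind, mode = m.group("kind"), m.group("mode")
            findings.append(Finding(path, line_no, kind, mode,
                                    SEVERITY[(kind, mode)], redact(m.group(0))))
    return findings


def scan_files(files):
    """files: {path: contents}. Returns all findings, most severe first."""
    order = {"block": 0, "warn": 1, "review": 2, "info": 3}
    found = [f for path, text in files.items() for f in scan_text(path, text)]
    return sorted(found, key=lambda f: (order[f.severity], f.path, f.line_no))


def should_reject(findings):
    """Pre-commit / intake decision: any full-access live key fails the check."""
    return any(f.severity == "block" for f in findings)


# Constructed sample repository: the key suffixes are placeholders, not real Stripe keys.
SAMPLE_FILES = {
    ".env": ("STRIPE_SECRET_KEY=sk_live_FAKE000000000000000000\n"
             "STRIPE_PUBLISHABLE_KEY=pk_live_FAKE000000000000000000\n"),
    "config/billing.yml": "stripe_key: rk_live_FAKE000000000000000000  # sync engine, read-only\n",
    "README.md": "Use sk_test_FAKE000000000000000000 for local development.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity:6} {f.path}:{f.line_no} {f.kind}_{f.mode}_ {f.redacted}")
    print("reject commit:", should_reject(results))
```

Run as a pre-commit hook, the `block` verdict stops an `sk_live_` key from ever reaching a remote; the same `should_reject` check works at the integration's intake form, so a full-access key is refused before it is stored anywhere.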

What a Restricted Key Actually Is

Stripe's restricted API keys let you create credentials with granular permissions. You pick exactly which resources the key can access, and whether it gets read-only or read-write access.

For example, a key can be scoped to:

  • Read customers and subscriptions
  • Read invoices and charges
  • Write nothing

That's exactly the kind of key Agent Billy needs for most roles. Team members in the Viewer role can see billing data without any ability to modify it — enforced at the Stripe API level, not just in our UI.

How We Use Restricted Keys

When you connect Agent Billy to your Stripe account, we guide you through creating a restricted key with the minimum permissions needed for your use case:

  1. Sync Engine — needs read access to customers, subscriptions, invoices, charges, and products so we can mirror your data locally for fast dashboard loads.
  2. Manager Role — needs write access to refunds and subscription updates, but nothing else.
  3. Viewer Role — needs zero write permissions. The restricted key itself prevents any modifications.

If someone compromises a Viewer-scoped key, the worst they can do is read billing data. They can't issue refunds, can't cancel subscriptions, can't touch your bank details.
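Because the key's scope is what bounds the blast radius, it is worth verifying at connection time that the key a user pasted actually matches the role it is meant for, rather than trusting the label. The preflight below is an added example, not part of Agent Billy's onboarding. It relies on two real Stripe conventions: restricted keys carry an `rk_live_`/`rk_test_` prefix, and a request the key is not permitted to make is answered with HTTP 403. The write probe is my own assumption: a `POST /v1/refunds` with no `charge` or `payment_intent` can never create a refund, so whether it comes back 403 (permission denied) or 400 (permitted, then failed validation) reveals the key's write scope without side effects. `fake_transport` is a constructed offline stand-in so the check can be exercised without network access.

```python
import json
from urllib import error, parse, request

STRIPE_API = "https://api.stripe.com"

# Resources the Sync Engine reads; each is probed with a harmless GET for one record.
READ_PROBES = ["/v1/customers", "/v1/subscriptions", "/v1/invoices", "/v1/charges", "/v1/products"]

# Write probe: POST /v1/refunds with no charge or payment_intent. It can never create a
# refund; it only shows whether the key gets past Stripe's permission check.
# Assumption (per Stripe's API error docs): a key lacking the permission receives HTTP 403,
# while a key that holds it proceeds to parameter validation and receives 400.
WRITE_PROBE = ("POST", "/v1/refunds")


def urllib_send(method, path, key, params=None):
    """Default transport: one HTTPS request to Stripe, returning (status, parsed JSON body)."""
    query = "?" + parse.urlencode(params) if params and method == "GET" else ""
    data = parse.urlencode(params or {}).encode() if method == "POST" else None
    req = request.Request(STRIPE_API + path + query, data=data, method=method)
    req.add_header("Authorization", "Bearer " + key)
    try:
        with request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as exc:
        return exc.code, json.loads(exc.read() or b"{}")


def fake_transport(refund_writable, log):
    """Offline stand-in for urllib_send (constructed responses, for local testing only)."""
    def send(method, path, key, params=None):
        log.append((method, path))
        if method == "GET":
            return 200, {"object": "list", "data": []}
        if refund_writable:
            return 400, {"error": {"message": "Missing required param: charge or payment_intent"}}
        return 403, {"error": {"message": "This API key does not have the required permissions"}}
    return send


def verify_key(key, allow_refund_write, send=urllib_send):
    """Return {"ok": bool, "problems": [...]} describing how the key deviates from the role's scope.

    allow_refund_write=False models the Viewer role (reads only);
    allow_refund_write=True models the Manager role (reads plus refund writes).
    """
    problems = []
    # A full-access secret key is refused up front; it is never sent anywhere.
    if not key.startswith(("rk_live_", "rk_test_")):
        return {"ok": False, "problems": ["not a restricted key (expected an rk_live_/rk_test_ prefix)"]}
    for path in READ_PROBES:
        status, body = send("GET", path, key, {"limit": 1})
        if status == 401:
            return {"ok": False, "problems": ["Stripe rejected the key itself (HTTP 401)"]}
        if status != 200:
            msg = body.get("error", {}).get("message", "read denied")
            problems.append(f"GET {path} -> HTTP {status}: {msg}")
    method, path = WRITE_PROBE
    status, _ = send(method, path, key)
    can_write_refunds = status != 403
    if can_write_refunds and not allow_refund_write:
        problems.append("key can write refunds but a Viewer-scoped key must be read-only")
    if not can_write_refunds and allow_refund_write:
        problems.append("key cannot write refunds but the Manager role requires it")
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    calls = []
    # Dry run against the constructed transport; swap in the default urllib_send for a real key.
    print(verify_key("rk_test_FAKE0000000000000000", allow_refund_write=False,
                     send=fake_transport(refund_writable=False, log=calls)))
    print(verify_key("sk_live_FAKE0000000000000000", allow_refund_write=False,
                     send=fake_transport(refund_writable=False, log=calls)))
```

The useful property is the one the post describes for a leaked Viewer key: if the probe shows the key can write refunds, the key is over-scoped for that role and should be replaced, because the application-layer RBAC would then be the only thing standing between a leak and a refund.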

Why This Matters for Teams

The whole point of Agent Billy is giving your team safe billing access. "Safe" means:

  • Defense in depth. Our RBAC system enforces permissions in the application layer. The restricted key enforces them at the API layer. Both have to agree before any action succeeds.
  • Blast radius control. If a key leaks, the damage is limited to what that key can do — not everything Stripe supports.
  • Auditability. Each key maps to a specific permission set, so you know exactly what access was granted.

The Bottom Line

We will never ask for your Stripe secret key. Period. If an integration demands sk_live_* with full access, that's a red flag. Restricted keys exist for a reason, and every responsible Stripe integration should use them.

When you set up Agent Billy, you'll create a restricted key in your own Stripe dashboard, with permissions you choose. We document the exact scopes we need, and we never ask for more.
