How to Create a Read-Only Stripe API Key
When connecting a third-party tool to your Stripe account, security is paramount. A full-access API key can read data, create charges, modify subscriptions, and even delete customers. A read-only restricted API key limits access to viewing data only, with no modifications allowed.
This guide walks through creating a read-only Stripe API key step by step.
Why Use a Read-Only Key?
- Security — the connected tool can never modify your Stripe account, move money, or create charges
- Principle of least privilege — only grant the access level that’s actually needed
- Revocability — you can revoke the key anytime from your Stripe dashboard without affecting your main API key
- Auditability — restricted keys are logged separately in Stripe, so you can see exactly what a tool accessed
Step-by-Step: Creating a Restricted API Key
- Log into your Stripe Dashboard
- Go to Developers → API keys
- Click Create restricted key
- Give it a name (e.g., “StripeReport - Read Only”)
- Set the following permissions to Read:
  - Customers
  - Subscriptions
  - Products
  - Prices
  - Charges
  - Invoices
- Leave all other permissions as None
- Click Create key
- Copy the key (it starts with rk_live_ or rk_test_)
That’s it. This key can read your subscription and revenue data but cannot create charges, modify subscriptions, or access payment methods.
Try StripeReport Free
Get the Stripe revenue reports you’ve been missing
MRR tracking, cash flow forecasts, churn analytics, and daily email reports — all from your Stripe data. 3-day free trial.
Start Your Free Trial →
What Can a Read-Only Key Do?
With the permissions above, the key can:
- List and read customer records
- List and read subscription details (amounts, intervals, statuses, renewal dates) — enough to power a real-time MRR dashboard
- List and read product and pricing information
- List and read charge and invoice history
It cannot:
- Create, update, or cancel subscriptions (see our subscription management best practices for more)
- Create charges or refunds
- Access payment methods or card details
- Modify customer records
- Access your Stripe account settings
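To confirm that a key was created with the permissions described above, this added example (not code from StripeReport or Stripe) sends only GET requests: the six resources set to Read should answer 200, and resources left at None should answer 403. The `payouts` and `disputes` endpoints are assumed stand-ins for "all other permissions", `STRIPE_RESTRICTED_KEY` is a hypothetical environment variable name, and because the check never attempts a write it cannot prove that writes are denied.

```python
import os
import urllib.error
import urllib.request

API = "https://api.stripe.com/v1/"
# The six permissions the guide sets to Read.
READ = ["customers", "subscriptions", "products", "prices", "charges", "invoices"]
# Assumption: two list endpoints standing in for "all other permissions" (None).
NONE_SAMPLE = ["payouts", "disputes"]


def http_status(key, resource):
    """GET a single object from a list endpoint and return the HTTP status."""
    req = urllib.request.Request(
        API + resource + "?limit=1",
        headers={"Authorization": "Bearer " + key},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401 invalid key, 403 missing permission


def audit_key(key, fetch=http_status):
    """Return a list of findings; an empty list means the key matches the guide."""
    if not key.startswith(("rk_live_", "rk_test_")):
        # Never send anything that is not a restricted key over the network.
        return ["not a restricted key: expected an rk_live_ or rk_test_ prefix"]
    findings = []
    for resource in READ:
        status = fetch(key, resource)
        if status != 200:
            findings.append(f"{resource}: expected 200 (Read), got {status}")
    for resource in NONE_SAMPLE:
        status = fetch(key, resource)
        if status != 403:
            findings.append(f"{resource}: expected 403 (None), got {status}")
    return findings


if __name__ == "__main__":
    # Read the key from the environment so it stays out of shell history.
    problems = audit_key(os.environ["STRIPE_RESTRICTED_KEY"])
    print("\n".join(problems) if problems else "key matches the read-only profile")
```

A 200 on a resource that should be None means the key is broader than intended; a 403 on one of the six Read resources means a permission was missed.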
Revoking Access
If you ever want to disconnect a tool, simply delete the restricted key in your Stripe dashboard. The tool will immediately lose access. This doesn’t affect your main API key or any other integrations.
Using a Read-Only Key with StripeReport
StripeReport only requires a read-only restricted API key. During onboarding, we provide a direct link to your Stripe dashboard with the correct permissions pre-selected: just click, name the key, and paste it in. Setup takes about 60 seconds.
Frequently Asked Questions
Is my data safe with a read-only key?
Yes. A read-only key cannot modify your Stripe account in any way. It can only view data. Additionally, it cannot access sensitive information like full card numbers or bank account details.
Can I use a test mode key first?
Yes. Stripe provides separate test and live mode keys. You can create a read-only test key to try a tool before connecting your live data. Note that test mode only has test data, so your metrics won’t reflect real business performance.
What happens if I delete the restricted key?
The connected tool immediately loses access to your Stripe data. You can create a new restricted key at any time to reconnect.