Connect to Stripe

This guide will explain the different components that need to be configured when creating a connection in Skyflow Studio. By the end of this guide, you'll have used Skyflow Studio to create a connection with Stripe to create a payment method. You'll also learn more about the Skyflow connections features beyond this use case.

Let's assume that you are a subscription-based ecommerce service provider. You allow your customers to pay for your services using credit cards, and you're authorized to charge the card on a recurring monthly basis.

To prevent vendor lock-in and to offer multiple options for payment processing, it is in your best interest to securely store card information instead of relying on a single payment processor. To do so in a secure and compliant manner, you use Skyflow where all your customers' PII and credit card information is securely stored in a PCI compliant Skyflow data vault. In turn, your backend services store tokens that reference your customers' sensitive data in Skyflow vaults, thereby descoping the need for PCI compliance from your services. This allows you to focus on your core business and offload security and compliance requirements to Skyflow.

For this example, we'll assume that you have already collected and stored your customers' credit card information. We will now set up an outbound connection from your Skyflow vault to Stripe to create a new payment object using credit card information. Here is a link to the Stripe API reference for payment methods.

This is a sample request expected by Stripe to create a payment method using a card:

curl https://api.stripe.com/v1/payment_methods \
  -u $STRIPE_API_KEY \
  -d type=card \
  -d "card[number]"=4242424242424242 \
  -d "card[expiry_month]"=2 \
  -d "card[expiry_year]"=2023 \
  -d "card[cvc]"=314

To make this call, you need to send credit card information to Stripe. You don't want your backend services to store credit card information directly—as it falls under the purview of PCI compliance. This is where Skyflow connections come into the picture.

In this guide, you'll create a Skyflow connection that accepts an https request with credit card tokens, de-tokenize them from the vault, forward the credit card information to Stripe to create a payment method and then returns the response from Stripe.

Before you start,

Log in to your Skyflow account. If you don't have an account, you can sign up for a free trial account.
For trial accounts, log in to try.skyflow.com.For production accounts, log in to your dedicated sign in URL.
A Stripe developer account with test credentials.Complete the following guides:
Create a vaultAPI authentication(Optional) Postman collection setup (to use Postman to send API calls)Core APIs

In this guide, we'll use the Quickstart vault.

You can follow along with your own vault as well, but keep in mind that the example code may differ slightly from what you would use.

To proceed with the connections example, you first need to set up sample data for your vault.

Create a credit card record for your Quickstart vault using the script below:

bash
curl -i -X POST '$VAULT_URL/v1/vaults/$VAULT_ID/credit_cards' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer $BEARER_TOKEN' \
-d '{
    "quorum": false,
    "records": [
        {
            "fields": {
                "expiry_month": "2",
                "expiry_year": "2023",
                "card_number": "4242424242424242"
            }
        }
    ],
    "tokenization": true
}'

Replace the VAULT_URL, VAULT_ID, and BEARER_TOKEN parameters.

Send the request.

You should receive a response that looks similar to:

{
    "records": [
        {
            "skyflow_id": "5ad9d067-cdc5-4aea-b83e-72d6007e3097",
            "tokens": {
                "expiry_month": "b6b3c919-6be9-483f-a67b-57da6b246411",
                "expiry_year": "eab3ffe9-533d-4c2d-81af-965eb3c6a7e4",
                "card_number": "5e8e9cea-a33e-472c-9699-0aa1ddfd4bdf"
            }
        }
    ]
}

Keep the tokens for expiry_month, expiry_year, and card_number handy. You'll need them for the steps below.

Skyflow Studio simplifies the connection creation process by walking you through the set up for the connection components in three steps:

Configure the connectionConfigure the route Authenticate the connection-level service account

In the top menu, click the Settings tab > the Vault tab in the left menu > Connections > Create Connection as shown below.



Name the connection and provide a description.

Select Outbound Connection as the connection mode.

Set the Outbound Base URL to https://api.stripe.com.

Click Continue.

To tell the connection which fields should be tokenized or detokenized in the request and response, you'll use routes. Routes specify a combination of the relative path and the actions that need to be performed on the configured field. You can configure one or more routes for each connection.

Enter the route details including the name, description, path, method, and content type.

Path: The path value is a required parameter for a route configuration. It uniquely identifies a route and needs to map to the third party service's API that is being invoked. For this Stripe API example, use the path “/v1/payment_methods”. In combination with the outbound base URL, this maps to Stripe's API with the full path URL as “https://api.stripe.com/v1/payment_methods”. Method: Skyflow connections support the following http methods: PUT, POST, PATCH, GET, DELETE. For this Stripe API example, use the POST method. Content Type: Skyflow Connections support the following content types: JSON, XML, X_WWW_FORM_URLENCODED. For this Stripe API example, use the X_WWW_FORM_URLENCODED content type.

Scroll down the page and complete the route mappings for the request body.

The request body is where you configure the specific fields in the request that Skyflow will process. Currently, Skyflow supports two actions that can be performed on a field: Tokenization and Detokenization.

For this example, configure the connection to Detokenize the request and extract the values associated with three fields: card.number, card.expiry_month, and card.expiry_year.

For detokenization, the assumption is that the extracted fields will be provided as tokens. The connection will use these tokens to extract the card information and forward it to the Stripe API.

For this example, a response body will not be added. Click Continue.

For this example, we need only one route. Click Create Connection.

To authenticate to a connection endpoint and invoke it, Skyflow requires you to create a dedicated service account with the Connection Invoker role assigned to it. This keeps the identity of the client consuming the connection endpoint different from the identity of the service account or the user creating the connection.

The Connection Invoker role allows the service account to make requests only to the specified connection. It has no direct read or write access to the data in the vault. This service account is meant to be used in your environment (for example, the backend service for your customer-facing web app) to invoke the connection endpoint that is running in Skyflow's secure and compliant environment.

Enter a name and description for your new service account, then select the Connection Invoker role.

Click Finish.

This service account shouldn't be given access to connect to the vault directly through any other vault role.

Now that you have created a connection, let's invoke it.

In the Connections section of the Settings tab, click the connection you just created to expand it.

Click Sample Request to view the URLs and request structure that will be sent to the connection endpoint.

Construct the following http POST request to the connection endpoint:

bash
curl -i -X POST '$VAULT_URL/v1/gateway/outboundRoutes/$CONNECTION_ID/v1/payment_methods' \
-H 'X-Skyflow-Authorization: $BEARER_TOKEN' \
-H 'Authorization: Basic $BASE64_ENCODED_VALUE_OF_YOUR_STRIPE_TEST_CREDENTIALS' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'type=card' \
-d 'card[number]=$TOKEN_FOR_CARD_NUMBER' \
-d 'card[expiry_month]=$TOKEN_FOR_CARD_EXPIRY_MONTH' \
-d 'card[expiry_year]=$TOKEN_FOR_CARD_EXPIRY_YEAR' \
-d 'card[cvc]=314'

Generate the Skyflow API bearer token required for the X-Skyflow-Authorization header using the service account credentials from Step 3 and paste it into the BEARER_TOKEN parameter. Alternatively, if you are in a Skyflow trial environment, you may use the bearer token retrieved from the profile section in Skyflow Studio.

For more information on how to generate a Skyflow API bearer token, check out API Authentication. Because you've already created a service account, you'll skip to Step 2 of that guide.

Paste the tokens you received from the Vault Sample Data Setup section into the three TOKEN_FOR parameters. For this example, we assume that the CVV number is not stored in Skyflow and is passed from your front end client with each connection request.

Update the other parameters, including the VAULT_URL and VAULT_ID.

Send the request.

You should receive a response from Stripe similar to the following:

{
"billing_details": {
    "address": {
        "city": null,
        "country": null,
        "line1": null,
        "line2": null,
        "postal_code": null,
        "state": null
    },
    "email": null,
    "name": null,
    "phone": null
},
"card": {
    "brand": "visa",
    "checks": {
        "address_line1_check": null,
        "address_postal_code_check": null,
        "cvc_check": "unchecked"
    },
    "country": "US",
    "expiry_month": 2,
    "expiry_year": 2023,
    "fingerprint": "NE67JNvrzhRB0iFO",
    "funding": "credit",
    "generated_from": null,
    "last4": "4242",
    "networks": {
        "available": [
            "visa"
        ],
        "preferred": null
    },
    "three_d_secure_usage": {
        "supported": true
    },
    "wallet": null
},
"created": 1645226859,
"customer": null,
"id": "pm_1KUfrTJIQDD8wENnpMF2qVX7",
"livemode": false,
"metadata": {},
"object": "payment_method",
"type": "card"
}

Learn connections tips and best practices or how to create another connection:

PlaidVISA DPS