Three read permissions
The key needs read access to Accounts, Balance, and Balance Transaction Sources — nothing else.
VerifiedMRR never asks for your secret Stripe key. You create a restricted key (rk_…) with three read-only permissions, paste it once, and we validate then encrypt it. Here is the exact flow — about two minutes.
The key needs read access to Accounts, Balance, and Balance Transaction Sources — nothing else.
A restricted key with read scopes cannot charge, refund, or change settings, even if it were exposed.
Roll or delete the key in your Stripe dashboard whenever you want; disconnecting in VerifiedMRR deletes our copy.
In your Stripe Dashboard, go to Developers → API keys, then choose Create restricted key. A restricted key starts with rk_ and lets you grant only specific read permissions — unlike your secret key (sk_…), which can do everything.
Name the key something like 'VerifiedMRR (read-only)'. Then set these three permissions to Read, and leave everything else as None:
Connect › Accounts — Read. This lets VerifiedMRR confirm which account it is reading.
Balance — Read. Balance Transaction Sources — Read. Together these are what it uses to reconcile your revenue.
That is the complete list. With only these read scopes, the key cannot move money, refund, or change any setting.
Create the key and copy the rk_… value — Stripe shows it once. In VerifiedMRR, choose Connect Stripe and paste it. We validate it by reading a single balance transaction, confirm the permissions, then encrypt the key with AES-GCM before storing it.
The in-app onboarding shows a live, copyable checklist of these same steps, so you can follow along there too.
That is it. VerifiedMRR syncs your balance transactions daily and shows net revenue, refunds, fees, and trend — and never has the ability to touch your money. If you run more than one Stripe account, repeat with a restricted key per account; each stays in its own currency.
Disconnect the account in VerifiedMRR and the stored key is deleted. You can also roll or revoke the restricted key from Stripe's dashboard at any time, which cuts off access immediately regardless of anything on our side.
A secret key (sk_…) can do everything, including move money. A restricted key (rk_…) grants only the read permissions you choose, so VerifiedMRR gets exactly what it needs and nothing more.
Read access to three scopes: Connect › Accounts, Balance, and Balance Transaction Sources. Everything else stays None.
No. With read-only scopes it physically cannot charge, refund, or change settings, even if the key were exposed.
Create one restricted key per account and connect each. VerifiedMRR shows them side by side and keeps each in its own currency.
Disconnect in VerifiedMRR to delete the stored key, or roll/delete the restricted key in your Stripe dashboard to cut access immediately.
Create a restricted key with three read permissions, paste it once, and see your revenue reconciled — read-only.