How to send Stripe's secret key when making a raw HTTP POST request to Stripe

Question

Because the Stripe .NET nuget package / library is built on v1 of the Stripe API, and since then a few things have changed, I am making a raw HTTP request to a Stripe endpoint to add a new credit card to an existing customer's account.

My question is: how do I send the Stripe secret key? Looking at this CURL request, I assumed that it is sent as a basic authentication header.

So, here's what I did:

var createCardUrl = string.Format(
   "https://api.stripe.com/v1/customers/{0}/sources", 
   stripeCustomerId);

dynamic headers = new ExpandoObject();
headers.Authorization = string.Format("Basic {0}", Constants.StripeSecretKey);

dynamic body = new ExpandoObject();
body.source = stripeToken;

dynamic cardAdditionResult = Http.MakePostRequest(
                              createCardUrl, 
                              headers, 
                              body)
                            .ObjectFromJson();

Where my MakePostRequest is as follows.

public static string MakePostRequest(string url, 
                IEnumerable<KeyValuePair<string, object>> headers = null, 
                string body = null)
{
    var request = (HttpWebRequest)WebRequest.Create(url);
    request.Method = "POST";

    if (headers != null)
    {
        AddHeaders(request, headers);
    }

    if (!string.IsNullOrEmpty(body))
    {
        var data = Encoding.ASCII.GetBytes(body);
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = data.Length;

        using (var stream = request.GetRequestStream())
        {
            stream.Write(data, 0, data.Length);
        }
    }

    var response = (HttpWebResponse)request.GetResponse();

    var responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();

    return responseString;
}

I receive a 400 (Bad Request) from Stripe. Obviously, I am not sending the Stripe secret key the way I must.

Also,are you sure about thecontet type.? – Amit Kumar Ghosh Dec 17 '15 at 07:37 — Amit Kumar Ghosh, Dec 17 '15 at 07:37

score 6 · Accepted Answer · answered Dec 17 '15 at 07:26

6

If you're using basic authentication, the Stripe secret api key should be base 64 encoded and then have a : after it (since it would divide the username and the password)

answered Dec 17 '15 at 07:26

Matthew Arkin

4,460
2
27
28

I realize that's the basic authentication scheme but I didn't do it because I have, in the past, seen OAuth clients send bearer tokens in the clear (without base64 encoding) using this scheme. Trying out what you said just now. – Water Cooler v2 Dec 17 '15 at 07:51
for bearer you'd set the authorization header to "Bearer sk_test_restOfAPIKey" – Matthew Arkin Dec 17 '15 at 07:54
Thank you. The basic authentication scheme worked after base64 encoding and the appendage of the full colon. :-) – Water Cooler v2 Dec 17 '15 at 07:56
You're right about the bearer. My memory is a bit fogged. – Water Cooler v2 Dec 17 '15 at 07:57

How to send Stripe's secret key when making a raw HTTP POST request to Stripe

1 Answers1