Stripe
The Stripe connector is broad — it covers the core payments API, Connect (marketplace onboarding and payouts), and Issuing (cards). Because agents that move money are the most sensitive class of integration, every Stripe operation requires tool_decision.rego to approve it.
1. Stripe dashboard
Section titled “1. Stripe dashboard”- Developers → API keys — note restricted key for TapPass
- Create a restricted key scoped to only the resources you’ll let agents touch (read vs write per resource)
2. Configure TapPass
Section titled “2. Configure TapPass”STRIPE_API_KEY=rk_live_...# For Connect:STRIPE_CONNECT_CLIENT_ID=ca_...# For webhooks:STRIPE_WEBHOOK_SECRET=whsec_...Operation groups
Section titled “Operation groups”| Group | Operations | Default policy |
|---|---|---|
read | retrieve_charge, list_customers, get_invoice, … | Allowed |
payments.create | create_payment_intent, create_charge | Denied — requires explicit rule |
payments.refund | create_refund, cancel_payment_intent | Denied — requires explicit rule |
subscriptions.write | create_subscription, cancel_subscription | Denied — requires explicit rule |
connect.onboard | create_account, create_account_link | Allowed for onboarding agents |
issuing.create | create_card, approve_authorization | Denied |
Default-deny for write ops is deliberate: opt in explicitly.
# Readcustomers = agent.call_provider( provider="stripe", operation="list_customers", params={"limit": 10},)
# Write (will be denied unless a policy approves it)agent.call_provider( provider="stripe", operation="create_refund", params={"charge": "ch_123...", "amount": 500},)Policy example
Section titled “Policy example”Allow refunds up to €50 for tier-1 support agents only:
package tool_decision
allow { input.provider == "stripe" input.operation == "create_refund" input.agent.role == "support-tier-1" input.params.amount <= 5000 # cents}Idempotency
Section titled “Idempotency”TapPass automatically sets Idempotency-Key headers for Stripe write operations, derived from the audit event ID. Safe to retry — Stripe will return the original result.
Data residency
Section titled “Data residency”Stripe offers EU data residency (the request stays in EU regions) — enable it in your Stripe dashboard under Settings → Data residency.