In my desktop app, I use Stripe, connected to my RevenueCat account, to display a web page with a Stripe paywall (I use a Payment Link to keep it simple), and then call the RevenueCat REST API to:
- list my offerings
- purchase a product through Stripe
- check if a user has purchased my one-time payment product or not
- recover a one-time payment purchase
I want to interact with those APIs directly from my app, since I don’t have any back-end.
So in order to test that, I tried for example to call the following endpoint, in order to get my offerings, using Postman:
https://api.revenuecat.com/v2/projects/{project_id}/offerings
As described in the documentation, I use the “Authorization” header.
And here is my problem:
- if I use my secret API key (that I created with the right authorization) as a value, it works
- but if I use my Stripe public API key, I get an error: “Invalid API key”
I don’t understand this, since I can use the public API keys in a mobile app to achieve the same actions above.
So I have two questions:
- why can’t I use the Stripe public API key to achieve that action when calling the REST API endpoint?
- if I create a secret key with only the minimum required authorizations, read-only, and store it in my app to achieve the actions above, would that be safe or not?