Stripe Server
БесплатноНе проверенA local MCP server for Stripe payment operations with 52 tools across 8 domains, featuring built-in PII redaction and strict input validation for safe AI-assist
Описание
A local MCP server for Stripe payment operations with 52 tools across 8 domains, featuring built-in PII redaction and strict input validation for safe AI-assisted development workflows.
README
A local Model Context Protocol server for Stripe payment operations. 52 tools across 8 domains, with built-in PII redaction and input validation.
Built for AI-assisted development workflows where Stripe API access needs to be both comprehensive and safe by default.
Why this exists
Stripe's official remote MCP server (mcp.stripe.com) uses OAuth and includes doc search, but exposes a smaller toolset. This server runs locally, covers more of the Stripe API surface, and sanitises every response before it reaches the model context, so sensitive data never leaks into conversation history or logs.
| This server | Stripe official | |
|---|---|---|
| Transport | stdio (local) | HTTP (remote) |
| Auth | STRIPE_SECRET_KEY env |
OAuth |
| Tools | 52 | Smaller subset |
| PII redaction | Built-in | Stripe-managed |
| Doc search | No | Yes |
| Idempotency keys | All mutating tools | Varies |
| Input validation | Strict schemas (Zod) | Varies |
The two servers complement each other. Run both if you want operational tools plus doc search.
Tools (52)
Customers (6)
create_customer, retrieve_customer, update_customer, delete_customer, list_customers, search_customers
Payments (11)
create_payment_intent, retrieve_payment_intent, confirm_payment_intent, capture_payment_intent, cancel_payment_intent, list_payment_intents, list_payment_methods, attach_payment_method, detach_payment_method, retrieve_charge, list_charges
Subscriptions (9)
create_subscription, retrieve_subscription, update_subscription, cancel_subscription, list_subscriptions, create_product, list_products, create_price, list_prices
Invoices (8)
create_invoice, retrieve_invoice, finalize_invoice, pay_invoice, void_invoice, list_invoices, retrieve_upcoming_invoice, create_invoice_item
Checkout (5)
create_checkout_session, retrieve_checkout_session, list_checkout_sessions, create_coupon, list_coupons
Refunds (3)
create_refund, retrieve_refund, list_refunds
Balance (5)
retrieve_balance, list_balance_transactions, list_payouts, list_disputes, retrieve_dispute
Webhooks (5)
create_webhook_endpoint, delete_webhook_endpoint, list_webhook_endpoints, list_events, retrieve_event
Resources (4)
Exposed as MCP resources (read-only, sanitised):
stripe://account- current account detailsstripe://balance- balance by currencystripe://webhook-endpoints- registered webhook endpointsstripe://products- active product catalogue with default prices
Prompts (4)
Pre-built prompt templates for common integration tasks:
review_stripe_integration- security, error handling, and best-practice auditsetup_webhooks- end-to-end webhook implementation guide per frameworkdesign_pricing- pricing model design with Stripe Products and Pricestroubleshoot_payment- diagnose failed payments, declines, and disputes
Security posture
Every Stripe API response is sanitised before reaching MCP output:
- Secrets redacted: webhook signing secrets, PaymentIntent
client_secretvalues, including inside expanded nested objects - PII masked: email addresses (shows first 2 chars + domain), phone numbers (shows last 4 digits), billing/shipping addresses fully redacted
- URLs redacted: hosted invoice URLs and invoice PDF links (bearer-style access tokens)
- Metadata redacted: values stripped, keys preserved for operator context
- Unknown objects: unrecognised Stripe object types reduced to a minimal envelope (
id,object,status,redacted: true) instead of passed through raw - Input validation: Stripe IDs, currency codes, webhook event names, API versions, checkout payment method types, and balance transaction types validated against Zod schemas. Enum validators are derived from the installed Stripe SDK's type declarations at startup; if those files change shape in a future SDK version, validators degrade to allow-all with a stderr warning rather than crashing
- Idempotency: all mutating tools accept optional
idempotency_key(except deletions, which Stripe treats as inherently idempotent) - Pinned API version:
2026-05-27.dahlia, set insrc/stripe-client.ts - Bounded runtime: network retries capped at 0-5, timeout capped at 1-120 seconds
Setup
Prerequisites
- Node.js 18+ for runtime. Node ^20.19.0 or >=22.12.0 for running tests (Vite/Vitest dev dependency requirement)
- A Stripe account with API keys (dashboard.stripe.com/apikeys)
Install and build
git clone <repo-url>
cd stripe-mcp-server
npm install
npm run build
Environment
cp .env.example .env
# Edit .env with your Stripe secret key
| Variable | Required | Default | Description |
|---|---|---|---|
STRIPE_SECRET_KEY |
Yes | - | Secret key (sk_test_…, sk_live_…) or restricted key (rk_test_…, rk_live_…) |
STRIPE_MAX_NETWORK_RETRIES |
No | 2 |
Max retries on transient failures (0-5) |
STRIPE_TIMEOUT_MS |
No | 30000 |
Request timeout in milliseconds (1000-120000) |
Using restricted keys
For tighter security, use restricted keys (rk_*) instead of full secret keys. Minimum permissions per tool group:
| Tool group | Required permissions |
|---|---|
| Customers | Customers: Read/Write |
| Payments | PaymentIntents, PaymentMethods, Charges: Read/Write |
| Subscriptions | Subscriptions, Products, Prices: Read/Write |
| Invoices | Invoices: Read/Write |
| Checkout | Checkout Sessions: Read/Write; Coupons: Read/Write |
| Refunds | Refunds: Read/Write (also needs Charges or PaymentIntents: Read) |
| Balance | Balance: Read; Payouts: Read; Disputes: Read |
| Webhooks | Webhook Endpoints: Read/Write; Events: Read |
Grant only the groups you need. Read-only tools (list/retrieve) need only Read permission on their resource.
Wire into your MCP client
Claude Code (.mcp.json)
{
"mcpServers": {
"stripe": {
"command": "node",
"args": ["/absolute/path/to/stripe-mcp-server/dist/index.js"],
"env": {
"STRIPE_SECRET_KEY": "sk_test_..."
}
}
}
}
VS Code (.vscode/mcp.json)
{
"servers": {
"stripe": {
"command": "node",
"args": ["/absolute/path/to/stripe-mcp-server/dist/index.js"],
"env": {
"STRIPE_SECRET_KEY": "sk_test_..."
}
}
}
}
Other MCP clients
Any client that supports stdio transport can run this server. Point it at dist/index.js with STRIPE_SECRET_KEY in the environment.
Verification
npm test # 42 tests (sanitisation, config validation, schema checks)
npm run build # TypeScript compilation to dist/
Project structure
src/
index.ts # Server entry point, tool/resource/prompt registration
stripe-client.ts # Stripe SDK singleton with pinned version and bounded config
tools/
balance.ts # Balance and payout tools
checkout.ts # Checkout Session and coupon tools
customers.ts # Customer CRUD and search
invoices.ts # Invoice lifecycle tools
payments.ts # PaymentIntent and PaymentMethod tools
refunds.ts # Refund tools
subscriptions.ts # Subscription, Product, and Price tools
webhooks.ts # Webhook endpoint and event tools
resources/index.ts # MCP resources (account, balance, webhooks, products)
prompts/index.ts # MCP prompt templates
utils/stripe-toolkit.ts # Sanitisation, validation schemas, error formatting
tests/
stripe-toolkit.test.ts # Sanitisation and masking tests
stripe-config-and-schemas.test.ts # Config validation and schema tests
Design decisions
Sanitise by default, not by opt-in. Every Stripe object type has an explicit sanitisation path. Unknown object types are reduced rather than passed through. This means new Stripe object types added in future API versions are safe by default (they show id, status, and redacted: true until an explicit handler is added).
Validate from Stripe's own type definitions. Checkout payment method types, webhook event names, and API versions are loaded at startup from the installed Stripe SDK's TypeScript declaration files. When you upgrade the Stripe SDK, the validators update automatically. If the SDK restructures its type files in a future major version, validators degrade to allow-all with a stderr warning rather than crashing. The wildcard * webhook event is always rejected regardless of validator state.
No stored state. The server holds no data between requests beyond the Stripe SDK client singleton. All state lives in Stripe's API.
Licence
MIT
Установка Stripe Server
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/udaykapur/stripe-mcp-serverFAQ
Stripe Server MCP бесплатный?
Да, Stripe Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Stripe Server?
Нет, Stripe Server работает без API-ключей и переменных окружения.
Stripe Server — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Stripe Server в Claude Desktop, Claude Code или Cursor?
Открой Stripe Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Stripe
Payments, customers, subscriptions
автор: Stripemalamutemayhem/unclick-agent-native-endpoints
110+ tools for AI agents spanning social media, finance, gaming, music, AU-specific services, and utilities. Zero-config local tools plus platform connectors. n
автор: malamutemayhemwhiteknightonhorse/APIbase
Unified API hub for AI agents with 56+ tools across travel (Amadeus, Sabre), prediction markets (Polymarket), crypto, and weather. Pay-per-call via x402 micropa
автор: whiteknightonhorsetrackerfitness729-jpg/sitelauncher-mcp-server
Deploy live HTTPS websites in seconds. Instant subdomains ($1 USDC) or custom .xyz domains ($10 USDC) on Base chain. Templates for crypto tokens and AI agent pr
Compare Stripe Server with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории finance
