Stripe MCP
Official Stripe MCP server for managing customers, products, payments, invoices, subscriptions, and more via the Stripe API.
Server Info
- Package: @stripe/mcp
- Registry: npm
- Repository: stripe/ai
- Maintainer: Stripe (Vendor)
- Category: Finance & Payments
- Tags: payments, billing, subscriptions
- Last Scanned: 7 Apr 2026
Findings
4 issues
Authentication & Identity
LOW: Implements MCP OAuth spec for per-user authentication
The local @stripe/mcp package is a stdio-to-StreamableHTTP proxy that forwards all MCP messages to mcp.stripe.com. Auth uses a Bearer header with the Stripe API key (sk_* or rk_*). The server actively warns users to use restricted keys (rk_*) instead of secret keys (sk_*) and validates key prefixes. The remote server at mcp.stripe.com also supports OAuth (confirmed via gemini-extension.json and server.json). Permission scoping is delegated to Stripe's Restricted API Key (RAK) system, which is a strong model: tool availability is server-side filtered based on what the RAK permits.
Document the required OAuth scopes for each tool.
Tool Schema Quality
MEDIUM: Only 0 of 23 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
Data Exposure
MEDIUM: 10 list operations lack pagination
The 10 list_* tools (list_customers, list_products, list_prices, list_invoices, list_payment_intents, list_subscriptions, list_coupons, list_disputes, plus retrieve_balance and search_documentation) likely support Stripe's standard pagination parameters (limit, starting_after) since the remote server wraps the Stripe API, but this cannot be confirmed from source code alone. The proxy passes all arguments through to mcp.stripe.com without modification. Field selection is not evident in the proxy layer.
Add limit/offset or cursor-based pagination.
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Tools
23 total

| Name | Description | Risk |
|---|---|---|
| search_documentation | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| get_stripe_account_in | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| create_customer | Dynamically proxied from mcp.stripe.com; test mock shows: 'Create a new customer'. | write |
| list_customers | Dynamically proxied from mcp.stripe.com; test mock shows: 'List all customers'. | read |
| create_product | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| list_products | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| create_price | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| list_prices | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| create_payment_link | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| create_invoice | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| list_invoices | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| create_invoice_item | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| finalize_invoice | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| retrieve_balance | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| create_refund | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| list_payment_intents | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| list_subscriptions | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| cancel_subscription | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| update_subscription | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| list_coupons | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |
| create_coupon | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| update_dispute | Dynamically proxied from mcp.stripe.com; description not available in source code. | write |
| list_disputes | Dynamically proxied from mcp.stripe.com; description not available in source code. | read |