Tutorial

How to Add Stripe to an AI Agent with MCP

You can let a coding agent create payment links, issue refunds, and read invoices in plain language. The trick is doing it with a key that can barely do anything and a guardrail that catches the rest. Here is the wiring, the safe scope, and the first operations to try.

Illustration of an AI agent wiring a payment module into its toolkit through an MCP socket, with a restricted-key lock glyph and a checkout card appearing
Wire the tool in, scope the key down, add the guardrail — then let the agent transact.

Get the latest on AI, LLMs & developer tools

New MCP servers, model updates, and guides like this one — delivered weekly.

The Short Version

To add Stripe to an AI coding agent, you connect Stripe's remote MCP server, hand the agent a restricted API key scoped to only the operations it needs, and then ask for payment actions in plain language. That is the whole shape of it: wire the tool in, scope the key down, add a guardrail.

The steps are the same across Claude Code, Codex, Cursor, and Gemini CLI, because they all speak MCP (the Model Context Protocol), and Stripe ships one remote server they can all share. If you want the wider map of what else is out there, we compare the options in payment MCP servers for AI agents. Do all of this in test mode first.

Prerequisites

Three things, and none of them take long:

  • A Stripe account with test mode on. You will move to live only after the guardrails are in place.
  • A restricted API key (it starts with rk_test_ for now). We scope it in Step 2, so create the account first and come back for the exact permissions.
  • An MCP-capable agent: Claude Code, Cursor, VS Code, Codex, or Gemini CLI. Any client that can add a remote MCP server works.

Step 1: Add the Stripe MCP Server

Stripe hosts a remote MCP server at https://mcp.stripe.com. There is nothing to run locally — you register the URL with your agent and approve access. OAuth is the default: the first time the agent connects, you approve it in the browser, which is the more secure path because it grants scoped, user-based access rather than embedding a raw key.

Most clients read a JSON block like this. It is illustrative — field names differ slightly per client, so check yours — but the shape is consistent:

{
  "mcpServers": {
    "stripe": {
      "url": "https://mcp.stripe.com"
    }
  }
}

Claude Code has a one-line registration for remote HTTP servers, verified against Stripe's docs as of 2026:

# Claude Code: register the remote Stripe MCP server over HTTP,
# then approve OAuth in the browser on first connect.
claude mcp add --transport http stripe https://mcp.stripe.com/

# Check the connection (and finish OAuth) from inside a session:
# /mcp

For an autonomous agent that cannot do the interactive OAuth dance, pass a restricted key as a bearer token instead. This is where scoping matters most, since the key is doing all the authorization:

{
  "mcpServers": {
    "stripe": {
      "url": "https://mcp.stripe.com",
      "headers": {
        "Authorization": "Bearer rk_live_..."
      }
    }
  }
}

The MCP server is the right tool for interactive and IDE use. If you are shipping a production agent inside a framework, there is a second, sturdier path — the @stripe/agent-toolkit package — which we cover in the production notes below. And if you are curious what else belongs in an agent's toolbelt, see our roundup of the best MCP servers for Claude Code.

Step 2: Scope the Key

This is the step people skip, and it is the one that matters. A standard secret key (sk_) has full access to your account; a restricted key (rk_) does only what you allow. When you create one in the Stripe dashboard, you choose a permission for every resource: Read, Write, or None. Stripe recommends restricted keys always, and calls it out specifically for AI agents.

The rule is simple: a refund-only agent gets a refund-only key. Match the scope to the job, not to convenience. A few common shapes:

Agent jobScope the restricted key toWhy
Refund-desk agentRefunds: Write · Charges + PaymentIntents: Read · everything else: NoneIt can issue refunds and look up the charge it is refunding, and nothing else.
Billing assistantInvoices + Subscriptions: Write · Customers: ReadIt can draft invoices and manage plans, but cannot touch payouts, keys, or Connect.
Reporting agentCharges, Invoices, Balance: Read · no Write anywhereA leaked key or a hostile prompt can read numbers but cannot move a cent.
Payment-link creatorPayment Links + Prices + Products: Write · Charges: ReadIt can spin up checkout links for approved products without full account access.

Store the key in an environment variable or a secrets manager, never in code or a prompt. If it leaks, the blast radius is whatever you scoped — which is the entire point of using one.

Step 3: Run Your First Operations

With the server connected and the key scoped, you talk to Stripe in plain English and the agent picks the right tool call. As of 2026 the server maps roughly two dozen payment operations — refunds, subscriptions, invoices, payment links, and reads across charges, payment intents, and balance — onto agent tools. Start with low-stakes reads and one small write:

# Example prompts you type to the agent once Stripe is connected.
# Do this in TEST mode first — each one runs a real Stripe API call.

"Create a payment link for a one-time $20 charge labeled 'Design review'."

"Refund charge ch_3P... in full and give me the refund id."

"List this month's invoices with status uncollectible."

"Show the 10 most recent failed payment intents with their decline codes."

Every one of these hits the real Stripe API, so keep test mode on until you trust the flow, and verify each result in the Stripe dashboard. If the agent asks for an operation your key does not permit, it fails cleanly at Stripe — which is exactly the safety you scoped for.

Step 4: Add Guardrails Before Real Money

The restricted key controls which operations run. It does not control how much the agent spends or who it pays. A refund-scoped agent can still refund the wrong charge; a payment-link agent can still misprice something. Before you flip to live, add a layer that enforces the parts the key cannot.

That layer is where a service like Ralio fits. To be clear about what it is: Ralio is a trust and identity layer you add on top of Stripe — agent identity verification, per-workflow spend limits, payee allowlists, and a transaction audit trail. It is not a payment processor and not a Stripe replacement; Stripe still moves the money, while the guardrail decides whether a given payment is allowed to happen at all.

The pattern behind that guardrail — gate, then rail, then log — is worth understanding even if you buy it rather than build it. Our guide to giving an AI coding agent a budget walks through the exact caps and checks, and the trust layer for agent payments covers the build-versus-buy trade-off.

Production Notes

For a real agent running unattended, move off the interactive MCP setup and onto the Stripe Agent Toolkit. It wraps the Stripe API as function-calling tools for the major frameworks — the OpenAI Agents SDK, LangChain, CrewAI, and the Vercel AI SDK — and ships for both Python and TypeScript:

# Stripe Agent Toolkit — the framework path for production agents (as of 2026).
pip install stripe-agent-toolkit      # Python 3.11+
npm  install @stripe/agent-toolkit    # Node 18+

The toolkit lets you scope actions in code as a second line of defense alongside the restricted key. The snippet below is illustrative — confirm the current constructor and action names in the repo before you copy it:

# Illustrative — wiring the toolkit into a framework agent (OpenAI Agents SDK,
# LangChain, CrewAI, or the Vercel AI SDK). Confirm the current API in the repo.
from stripe_agent_toolkit.openai.toolkit import StripeAgentToolkit

toolkit = StripeAgentToolkit(
    secret_key=os.environ["STRIPE_RESTRICTED_KEY"],   # rk_live_... , already scoped
    configuration={
        "actions": {
            "payment_links": {"create": True},
            "refunds": {"create": True},
        }
    },
)

For monitoring, lean on what Stripe already gives you: agent transactions show up in the dashboard exactly like human ones, so set up alerts, watch the restricted key's usage, and review the payments log on a schedule. If your agents pay other agents or per-session services, that is the territory of Stripe and Tempo's Machine Payments Protocol, which handles machine-to-machine payments over stablecoins and fiat.

Limits & Caveats

A few honest boundaries. A restricted key scopes operations, not amounts or recipients, so it is necessary but not sufficient on its own. Test mode and live mode use different keys, so a promotion to live is a deliberate swap, not a toggle you forget about. The agent can still make mistakes within its scope, which is why the guardrail layer earns its keep. And the exact MCP tools, flags, and toolkit API move faster than any blog post — treat the illustrative blocks here as a starting shape and confirm specifics in the official docs.

Stripe is the obvious default, but it is not the only rail for agent payments; if you are weighing options, see Stripe alternatives for AI agent payments, and for the protocol landscape underneath all of it, the agentic payments explainer.

FAQ

Do I have to give my agent my Stripe secret key?

No, and you should not. Create a restricted API key (it starts with rk_) scoped to only the operations the agent needs, and hand it that. The MCP server accepts OAuth by default, or a bearer restricted key for autonomous harnesses. Stripe recommends restricted keys specifically when giving a key to an AI agent.

What can the Stripe MCP server actually do?

It exposes Stripe API methods as agent tools: create refunds, manage subscriptions and invoices, create and update payment links, read charges, payment intents and balance, search the docs, and more. As of 2026 that is roughly two dozen payment operations, and the exact set depends on what your restricted key permits.

Which agents work with it — is this Claude-only?

Any MCP-capable client works: Claude Code, Cursor, VS Code, Codex, and Gemini CLI all speak the Model Context Protocol, so the same remote server drops into any of them. Autonomous harnesses connect by passing a restricted key as a bearer token instead of using the interactive OAuth flow.

MCP or the Stripe Agent Toolkit — which one do I use?

Use MCP for interactive and IDE work; it is the fastest way to let a coding agent run Stripe operations. Use the Stripe Agent Toolkit (pip install stripe-agent-toolkit or npm install @stripe/agent-toolkit) when you are building a production agent inside a framework like the OpenAI Agents SDK, LangChain, CrewAI, or the Vercel AI SDK.

Is it safe to point this at live payments?

The restricted key is your first guardrail, and test mode is your safety net while you learn the flow. Before real money moves, add a trust layer that enforces per-workflow spend limits, payee allowlists, and an audit trail. The key scopes which operations run; it does not cap how much or to whom.

Can the agent send money to anyone it wants?

A restricted key limits operations, not recipients or totals, so a refund-scoped key can still refund the wrong charge, and a payment-link key can price something wrong. Payee allowlists, spend caps, and identity checks live in a separate guardrail layer you add on top. Our budget guide walks through that gate.

Sources

Sponsored AI assistant. Recommendations may be paid.