Connect provider data safely

Stripe and PayPal use different credential types. Use the section for the provider you are connecting.

Stripe setup

Connect Stripe invoices with a test or restricted key

Use Stripe test mode first. For quick sandbox testing, the standard Secret key starts with sk_test_. For safer access, create a Restricted key with invoice read access; restricted test keys start with rk_test_.

Stripe credential to paste

Use sk_test_ for quick test-mode validation.
Use rk_test_ only after creating a restricted key in Stripe's Restricted keys section.
Do not paste pk_test_; publishable keys cannot import invoices.
Do not use unrestricted live keys for normal testing.
Confirm test invoices exist before syncing.

Stripe API keys page showing standard publishable and secret test keys — The default API keys page shows pk_test_ and sk_test_. Restricted keys appear in the separate Restricted keys section after you create one.

PayPal setup

Connect PayPal invoices with a sandbox Merchant REST app

Use a PayPal sandbox merchant REST app for testing. Do not share PayPal account passwords.

PayPal credential to paste

Sandbox POC format: CLIENT_ID:SECRET.
Use the sandbox business account for invoice creation.
Enable Invoicing on the REST app before syncing.
Long-term customer access should move to OAuth consent.

PayPal sandbox app setup

Log in to PayPal Developer with your real PayPal developer account.
Open Apps & Credentials and switch to Sandbox.
Create a Merchant app. Use a name like Guard Billing Sandbox if PayPal blocks invoice-related names.
Select the sandbox business account that owns the invoices.
Open the app settings and enable Invoicing or Send and manage customer invoices.
Save the app settings, then copy the Client ID and Secret.
In Invoice Guard, connect PayPal using CLIENT_ID:SECRET in sandbox mode.
Create or send sandbox invoices from the same sandbox business account, then run Sync.

PayPal sandbox app payment capabilities with Subscriptions and Invoicing enabled — In the sandbox REST app, Subscriptions and Invoicing should be enabled before testing billing and invoice import.

A 403 NOT_AUTHORIZED error usually means the app can authenticate but does not have Invoicing API permission, or the app belongs to a different sandbox business account than the one that owns the invoices.

Provider identity display

Invoice Guard avoids showing unnecessary provider customer details in the dashboard. Stripe rows use provider account IDs. PayPal rows use a stable PayPal account reference instead of the recipient email while still allowing duplicate matching.

What Invoice Guard does not need

Provider account passwords.
Payment approval access.
Refund or payout permissions.
Unrestricted live keys for a first review.