npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

stripe-mcp

v1.1.0

Published

A production-grade Model Context Protocol server for the Stripe API

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

dontmesswithme-cpudontmesswithme-cpu

Keywords

mcpstripemodel-context-protocolaipayments

Readme

stripe-mcp

A production-grade Model Context Protocol (MCP) server that safely exposes Stripe API operations to AI agents through a strict policy and approval middleware.

System Architecture

All mutating operations are routed through a centralized middleware pipeline that enforces compliance, risk scoring, and audit requirements before interacting with the Stripe API. Read-only operations bypass this pipeline.

Request Input -> Schema Validation (Zod) -> Middleware Pipeline
                                                  |
                                                  v
[Read-Only Mode] -> [Idempotency Enforcement] -> [Risk Engine] -> [Approval Gate] -> [Stripe Execution]
                                                                        |                  |
                                                                        v                  v
                                                             [Audit Log (SQLite)] <- [Response Status]

Production Guarantees

Client-Owned Idempotency

The server strictly enforces client-side idempotency (idempotency_key) for all mutating operations (e.g., payments, refunds, subscriptions). This physical constraint prevents duplicate financial transactions during network failures or LLM retry loops. Mutations submitted without a valid UUID are rejected immediately at the middleware layer.

Synchronous Audit Logging

Every executed operation is durably logged to a SQLite database (audit.db). To ensure absolute accuracy in tracking financial state mutations, the audit log writing mechanism is structurally isolated from the primary transaction execution path via explicit exception handling boundaries. This guarantees that internal audit database failures (e.g., locking constraints) do not erroneously reverse the logical success state returned to the MCP client.

Rate-Limit Safe Concurrency

Bulk operations, such as the purge_expired_customers command for GDPR/CCPA data retention compliance, utilize zero-dependency bounded concurrency limiters. Using native rolling-window implementations, the server maximizes throughput without exceeding Stripe API rate limits or indefinitely blocking the single-threaded Node.js event loop.

Financial Approval Workflow

High-risk mutations trigger the generation of a cryptographic, state-consumed approval token. Operations are paused until authenticated human authorization is received. Once authorized, the token state transitions to consumed to prevent replay attacks against the approval endpoint.

Security & Authentication

Configuration and secrets management rely entirely on environment variables.

# Core Credentials
STRIPE_API_KEY=sk_production_...

# Approval Server Authentication
APPROVAL_API_KEY=secret_auth_token_...
APPROVAL_PORT=3001

The HTTP approval server enforces a strict authorization layer. Administrative interventions (approval or rejection) require the presentation of a valid Bearer token matching the APPROVAL_API_KEY.

# Example Authorization Request
curl -X POST http://localhost:3001/approvals/123e4567-e89b-12d3-a456-426614174000/approve \
  -H "Authorization: Bearer <APPROVAL_API_KEY>"

Tool Registry

| Domain | Read-Only Tools | Mutating Tools | | :--- | :--- | :--- | | Customers | retrieve_customer, list_customers | create_customer, update_customer, delete_customer, archive_customer, purge_expired_customers | | Payments | retrieve_payment_intent, list_payment_intents | create_payment_intent, confirm_payment_intent, cancel_payment_intent | | Subscriptions | retrieve_subscription, list_subscriptions | create_subscription, update_subscription, cancel_subscription | | Products | list_products, list_prices | create_product, create_price | | Invoices | retrieve_invoice, list_invoices | pay_invoice | | Balance | retrieve_balance | - | | Refunds | list_refunds | create_refund | | Audit | get_audit_log | - |

Local Development & Deployment

The server relies on better-sqlite3 and standard TypeScript build processes.

# Install dependencies
npm install

# Compile TypeScript
npm run build

# Start the MCP server process
npm start

Deploy the compiled distribution output into secure infrastructure capable of connecting via standard I/O streams (stdio). Ensure the internal ./data/ directory maintains appropriate filesystem write permissions for SQLite persistence.