I am developing a Web application that will charge a percentage fee of the transaction between two consenting parties who want to do business.
My question is -- do I need the OAuth registration, client Id and client secret if I am going to use managed accounts?
I have read the OAuth 1.0a and 2.0 specifications and am intimately aware of their implementation. My question simply is -- do I need it?
Especially when I am not creating a native mobile app but a web application where I will be getting tokens (Stripe tokens and not OAuth access tokens) using Stripe.js where needed and then the actual charge or transaction I will make from my ASP.NET server to the Stripe server.
I see that there are two ways of authentication -- one uses the Stripe-Account HTTP header with the Stripe secret key and the other uses the OAuth access token. This means that getting an access token is not mandatory.
If I don't absolutely need an access token (as I observe from most API calls in the documentation) to make charges and transfers on behalf of connected managed accounts, then why do I need to register with a client Id and client secret and where does the initial OAuth handshake / user consent / authorization workflow fit in when creating managed accounts?
If I do go the OAuth route, do I first create a managed account for the user and then initiate the OAuth workflow, i.e. take him to the "consent dialog"? Or do I first ask for his consent and then create the managed account for him?
If I don't need the initial handshake, then how and where am I getting the user's consent that I am acting on his behalf?
What is this workflow going to be like other than showing him a "Please accept these terms of service and this Stripe Connect Agreement"?