Stripe OAuth, evidence-minimizing controls, review-first submission.
ProofArc is built to compile dispute evidence without asking merchants to paste broad Stripe secret keys, upload raw card data, or hand over unrelated production exports. The public pilot keeps operators in control before any final remote submit.
Scoped access, reviewed action
- Stripe OAuth install instead of pasted platform or merchant secret keys
- Signed Stripe webhooks with separated platform and connected-account secrets
- Signed OAuth state and HTTP-only operator sessions
- Time-limited intake and public status tokens
- Manual approval gates for final dispute submission
Evidence-minimizing by default
- No PAN or raw cardholder data requested
- No bank credentials, passwords, or unrelated customer exports requested
- Evidence uploads are scoped to dispute support
- Object storage mode is checked in deploy readiness
- Connector tokens can be rotated by issuing new tokens
Submission posture
ProofArc can compile packets and show stage/final-submit readiness. Final remote submission is treated as an explicit operator action, not an autopilot default, so merchants can review packet content, deadlines, attachment warnings, and Stripe-native Smart Disputes guidance first.
Start narrow
Launch accounts start with Stripe OAuth and Stripe-only gap scanning. Product/auth and support/helpdesk evidence sources are requested later only when they materially improve a live packet. Auto-submit remains off by default for public pilot workspaces.
Review the boundary before install.
Free audit first. OAuth after fit. Operator approval before final submission.