Don't Use Stripe Secret Keys
Stripe secret keys give full access to the Stripe API. This can be a security risk. Learn a better approach.
What is a Secret Key?
We can use a Stripe secret key to connect an application to Stripe's API. However, secret keys are extremely sensitive because they provide full access to the Stripe API. This means that if the key is exposed, an attacker could refund charges, cancel subscriptions, and more.
ERROR: This is why the Stripe secret key must be kept secret and never placed anywhere that is publicly accessible.
The Alternative
If your application requires full API access, then using the secret key is your only option. However, if you do not need full API access (as most applications do not), then you should use restricted keys instead. Restricted keys have specific access limits and permissions for greater security. Both secret keys and restricted keys can be created on Stripe's website at the following URL:
https://dashboard.stripe.com/test/apikeys
When generating a restricted key, you set its access limits and permissions. A common use of Stripe is to take one-time payments from a pre-built payment form. This requires only one permission:
- Write for Checkout Sessions - This allows us to create a checkout session for a customer using the stripe.checkout.sessions.create API call (granting Write also grants Read).
INFO: A Checkout Session represents your customer's session as they pay for one-time purchases or subscriptions through Checkout or Payment Links. A new Session should be created each time your customer attempts to pay.
After generating this restricted key, we have read and write access to the stripe.checkout object only. If we try to use a resource the key has no permission for (the stripe.customers object, for example), we get an error like the following:
Error getting user information for extension StripePermissionError:
The provided key 'rk_test_*************************************************' does not have the required permissions for this endpoint on account 'acct_******************'.
Having the 'rak_customer_read' permission would allow this request to continue.
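As an added example (not code from the original post or from Stripe), here is the Checkout Session flow above done with a restricted key and no Stripe SDK, using Node 18+'s built-in fetch: it refuses a full secret key up front, builds the form-encoded request, and names the missing permission when Stripe answers with the error shown above. The STRIPE_RESTRICTED_KEY variable, the price id and the URLs are assumed placeholders.

```javascript
// Added example (not from the original post): create a one-time-payment Checkout
// Session with a restricted key. Env var name, price id and URLs are assumed placeholders.
const CHECKOUT_SESSIONS_URL = "https://api.stripe.com/v1/checkout/sessions";

// Refuse a full-access secret key: this flow only needs "Write" on Checkout Sessions.
function assertRestrictedKey(key) {
  if (typeof key !== "string" || !key.startsWith("rk_")) {
    throw new Error("Expected a restricted key (rk_...); refusing to use a secret key");
  }
  return key;
}

// Stripe takes form-encoded bodies; nested objects become line_items[0][price].
function encodeForm(params, prefix = "", out = []) {
  for (const [k, v] of Object.entries(params)) {
    const name = prefix ? `${prefix}[${k}]` : k;
    if (v !== null && typeof v === "object") encodeForm(v, name, out);
    else out.push(`${encodeURIComponent(name)}=${encodeURIComponent(v)}`);
  }
  return out.join("&");
}

// fetch() options for POST /v1/checkout/sessions; the key is the Basic-auth username.
function buildCheckoutRequest(key, priceId, successUrl, cancelUrl) {
  const auth = Buffer.from(`${assertRestrictedKey(key)}:`).toString("base64");
  return {
    method: "POST",
    headers: { Authorization: `Basic ${auth}`, "Content-Type": "application/x-www-form-urlencoded" },
    body: encodeForm({ mode: "payment", line_items: [{ price: priceId, quantity: 1 }],
                       success_url: successUrl, cancel_url: cancelUrl }),
  };
}

// Pull the missing permission out of a StripePermissionError message (format as quoted above).
function missingPermission(errorMessage) {
  const m = /Having the '([a-z_]+)' permission/.exec(errorMessage || "");
  return m ? m[1] : null;
}

async function createCheckoutSession(key, priceId, successUrl, cancelUrl) {
  const res = await fetch(CHECKOUT_SESSIONS_URL, buildCheckoutRequest(key, priceId, successUrl, cancelUrl));
  const data = await res.json();
  if (!res.ok) {
    const perm = missingPermission(data.error && data.error.message);
    throw new Error(perm ? `restricted key lacks '${perm}'` : `Stripe error HTTP ${res.status}`);
  }
  return data.url; // hosted Checkout page to redirect the customer to
}
```

Call createCheckoutSession(process.env.STRIPE_RESTRICTED_KEY, priceId, successUrl, cancelUrl) from your server and redirect the customer to the returned URL; a key with only the Checkout Sessions permission can do nothing else if it leaks.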