lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Stripe

Stripesaas4 credentials

Credentials4 documented
01

Secret API Key

stripe / secret-api-key

Stripe API requests are authenticated with API keys. Stripe documents that secret keys start with sk_test_ in test mode and sk_live_ in live mode, and that live secret keys grant access to Stripe API resources.

generated on installsecretAPI key

Looks like

example
example

Stripe secret API key prefix

sk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
STRIPE_SECRET_KEY, STRIPE_API_KEY
http header
Authorization

Basic auth using the secret key as the username or Authorization bearer-style helper output

config file

.env files, backend config, deployment manifests, and serverless settings

secret store

cloud secret managers, CI/CD variables, PaaS config vars, and Kubernetes Secrets

source code

backend payment code, tests, examples, and accidentally committed config

logs

HTTP client debug output, failed payment traces, and CI logs

Notes

Secret keys can create charges, read customers, and perform other account operations according to mode and account permissions. Live keys carry production payment risk.

02

Restricted API Key

stripe / restricted-api-key

Stripe restricted API keys limit access to selected API resources. Stripe documents restricted keys with rk_test_ and rk_live_ prefixes and recommends them to limit damage if a key is obtained by a bad actor.

user definedsecretAPI key

Looks like

example
example

Stripe restricted API key prefix

rk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
STRIPE_RESTRICTED_KEY, STRIPE_API_KEY
http header
Authorization

API authentication with the restricted key

config file

service-specific backend config, .env files, and deployment manifests

secret store

secret managers, CI/CD variables, and platform app settings

source code

scoped integrations, webhook processors, and operational scripts

logs

API client traces and CI output

Notes

Blast radius depends on the resources and permissions selected when the restricted key was created.

03

Publishable Key

stripe / publishable-key

Stripe publishable keys identify an account to client-side Stripe libraries. Stripe documents publishable key prefixes pk_test_ and pk_live_ and states that only publishable keys are safe to expose outside the backend.

generated on installpublic by designAPI key

Looks like

example
example

Stripe publishable API key prefix

pk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
STRIPE_PUBLISHABLE_KEY, NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
config file

frontend config, mobile app config, .env files, and build settings

source code

browser bundles, mobile applications, examples, and checkout integrations

logs

frontend build logs and client SDK diagnostics

Notes

Publishable keys are not secrets by themselves, but they often appear near secret keys in misconfigured applications or .env files.

04

Webhook Signing Secret

stripe / webhook-signing-secret

Stripe webhook endpoints use an endpoint secret to verify the Stripe-Signature header. Stripe documents that webhook signing secrets start with the whsec_ prefix.

generated on installsecretsecret value

Looks like

example
example

Stripe webhook signing secret prefix

whsec_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
STRIPE_WEBHOOK_SECRET
http header
Stripe-Signature

incoming header verified with the endpoint secret; the secret itself is not sent

config file

webhook handler config, .env files, local Stripe CLI config, and deployment manifests

secret store

cloud secret managers, platform config vars, and CI/CD variables

source code

webhook examples, tests, and committed local config

logs

webhook verification errors and local stripe listen terminal output

Notes

Dashboard-managed endpoint secrets and Stripe CLI forwarding secrets are different even though both use the whsec_ prefix.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.