Stripe
Stripesaas4 credentials
Secret API Key
stripe / secret-api-key
Stripe API requests are authenticated with API keys. Stripe documents that secret keys start with sk_test_ in test mode and sk_live_ in live mode, and that live secret keys grant access to Stripe API resources.
Looks like
examplesk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
STRIPE_SECRET_KEY, STRIPE_API_KEYAuthorizationBasic auth using the secret key as the username or Authorization bearer-style helper output
.env files, backend config, deployment manifests, and serverless settings
cloud secret managers, CI/CD variables, PaaS config vars, and Kubernetes Secrets
backend payment code, tests, examples, and accidentally committed config
HTTP client debug output, failed payment traces, and CI logs
Notes
Secret keys can create charges, read customers, and perform other account operations according to mode and account permissions. Live keys carry production payment risk.
Restricted API Key
stripe / restricted-api-key
Stripe restricted API keys limit access to selected API resources. Stripe documents restricted keys with rk_test_ and rk_live_ prefixes and recommends them to limit damage if a key is obtained by a bad actor.
Looks like
examplerk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
STRIPE_RESTRICTED_KEY, STRIPE_API_KEYAuthorizationAPI authentication with the restricted key
service-specific backend config, .env files, and deployment manifests
secret managers, CI/CD variables, and platform app settings
scoped integrations, webhook processors, and operational scripts
API client traces and CI output
Notes
Blast radius depends on the resources and permissions selected when the restricted key was created.
Publishable Key
stripe / publishable-key
Stripe publishable keys identify an account to client-side Stripe libraries. Stripe documents publishable key prefixes pk_test_ and pk_live_ and states that only publishable keys are safe to expose outside the backend.
Looks like
examplepk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
STRIPE_PUBLISHABLE_KEY, NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEYfrontend config, mobile app config, .env files, and build settings
browser bundles, mobile applications, examples, and checkout integrations
frontend build logs and client SDK diagnostics
Notes
Publishable keys are not secrets by themselves, but they often appear near secret keys in misconfigured applications or .env files.
Webhook Signing Secret
stripe / webhook-signing-secret
Stripe webhook endpoints use an endpoint secret to verify the Stripe-Signature header. Stripe documents that webhook signing secrets start with the whsec_ prefix.
Looks like
examplewhsec_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
STRIPE_WEBHOOK_SECRETStripe-Signatureincoming header verified with the endpoint secret; the secret itself is not sent
webhook handler config, .env files, local Stripe CLI config, and deployment manifests
cloud secret managers, platform config vars, and CI/CD variables
webhook examples, tests, and committed local config
webhook verification errors and local stripe listen terminal output
Notes
Dashboard-managed endpoint secrets and Stripe CLI forwarding secrets are different even though both use the whsec_ prefix.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.