9/27/2025 • 5 min read
Stripe API Keys: Test vs Live and Secure Use
Imagine this: you launch your new SaaS app, integrate payments with Stripe, and everything works in testing. But after shipping, you realize your live secret key was accidentally committed to GitHub. Within hours, bots find it, and your payment account is hit with fraudulent transactions.
This scenario isn't hypothetical — it happens often. Stripe API keys are powerful, and mishandling them can cost your business money, trust, and time.
In this guide, we'll explain the difference between test and live Stripe keys, outline common mistakes, and share best practices for Stripe API key security.
Stripe API keys control real money. A leaked live key can lead to fraudulent transactions, account suspension, and financial losses. Understanding the difference between test and live keys is crucial for every developer.
Introduction
Stripe powers payments for millions of businesses — from small side projects to enterprise-scale SaaS companies. To integrate, you rely on API keys: strings that identify and authenticate your app with Stripe.
But while Stripe makes integration simple, many developers misunderstand the difference between test vs live keys, or worse, expose keys in public code. The stakes are high: live keys process real money.
This post will help you:
- Understand test vs live Stripe keys
- Learn best practices for securing them
- Avoid common mistakes that lead to costly leaks
Understanding Stripe API Keys
Stripe uses API keys to let your application securely talk to its platform. Every request your app makes to Stripe’s API includes a key, which tells Stripe who you are and what you can do.
Keys come in two flavors: publishable and secret.
Secret vs Publishable Keys
-
Secret keys:
- Begin with
sk_test_...(test) orsk_live_...(live). - Provide full access to your Stripe account.
- Should only be used server-side.
- Must never be exposed publicly.
- Begin with
-
Publishable keys:
- Begin with
pk_test_...(test) orpk_live_...(live). - Provide limited access for client-side operations (e.g., tokenizing card details).
- Safe to use in frontend code.
- Begin with
# Example environment variables
STRIPE_SECRET_KEY=sk_test_51N0X...
STRIPE_PUBLISHABLE_KEY=pk_test_TYoo...
// Node.js example
import Stripe from "stripe";
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);
// Use publishable key in frontend JavaScript only
Stripe Test API Keys
Test keys allow you to simulate payments without moving real money.
Format: sk_test_... and pk_test_...
Use cases:
- Local development
- QA environments
- Simulating edge cases like failed payments or refunds
Why They Matter
They make integration safe: you can experiment freely without real charges.
But test keys still grant access to your Stripe account objects (customers, charges, invoices).
Key point: Treat test keys as secrets. Don't publish them carelessly.
Stripe Live API Keys
Live keys are used in production to process real transactions.
Format: sk_live_... and pk_live_...
- Handle actual money, subscriptions, and customer data
- Extremely sensitive
Risks of Exposure
If a live secret key is leaked:
- Attackers could create fake charges
- Refund abuse could drain accounts
- Customer data may be accessed or manipulated
Example Lifecycle
flowchart LR
A[Issue Live Secret Key] --> B[Store Securely]
B --> C[App Processes Real Payments]
C --> D[Rotate or Revoke Key if Leaked]
Once a live key is compromised, revoke it immediately and rotate.
Stripe API Key Security Best Practices
For general API key practices, see API Keys Explained: Secure Usage for Developers.
1. Never Hardcode Keys
Instead of embedding keys directly in code:
# .env file
STRIPE_SECRET_KEY=sk_live_abc123
// index.js
import Stripe from "stripe";
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);
2. Separate Environments
Always keep dev, staging, and prod keys separate.
Prevents accidental test key usage in production.
3. Restrict Usage
- Use publishable keys in the frontend
- Secret keys should stay server-side
4. Rotate and Revoke
- Rotate live keys regularly
- Revoke compromised keys immediately
5. Scan for Leaks
Use tools like GitHub Secret Scanning, Gitleaks, or Rafter to detect exposed keys.
Common Mistakes with Stripe Keys
- Pushing sk_live keys to GitHub - Bots scrape GitHub every minute for secrets
- Using secret keys in frontend code - Secret keys must never be exposed client-side
- Forgetting to switch from test to live - Leads to broken payments at launch
- Not rotating old keys - Stale keys increase risk of compromise
What to Do If a Stripe Key Leaks
- Revoke immediately in the Stripe Dashboard
- Issue a new key and update your application
- Audit logs for fraudulent activity
- Notify Stripe support if you see suspicious charges
- Add secret scanning to your workflow to catch issues early
Conclusion
Stripe API keys are powerful tools: they control your ability to process payments.
- Test keys let you safely prototype
- Live keys move real money and must be secured at all costs
- Following best practices — environment variables, secret scanning, and regular rotation — ensures you avoid costly mistakes
Run a free Rafter scan today to make sure your Stripe API keys (and other secrets) aren't exposed.
Related Resources
- API Keys Explained: Secure Usage for Developers
- Exposed API Keys: The Silent Killer of Projects
- API Key Leak Detection Tools
Want to automatically detect API key leaks in your repositories? Try Rafter to scan your code and identify exposed secrets before they become security incidents.