How to fix an exposed Stripe secret key (sk_live_...)
A Stripe secret key (`sk_live_` for live mode, `sk_test_` for test mode) is in your client code, which means anyone who loads your site can read it. With that key an attacker can create charges, issue refunds, read customer data, and modify products. Treat this as a critical incident: (1) roll the key in the Stripe dashboard immediately and expire the old one now, not after a grace period; (2) check Stripe's request logs for calls you did not make; (3) move every Stripe API call to server-side code; (4) in the client, use only the publishable key (`pk_live_...`), which is designed to be public. Assume the key is compromised even if the logs look clean: a secret in a shipped bundle or a pushed commit has already been copied by scanners.
Why it matters
Stripe keys are among the most actively hunted secrets. Automated scanners watch public GitHub pushes, scrape deployed JavaScript bundles, and even run inside browser extensions, all looking for the `sk_live_` prefix. A leaked live key is typically abused within hours, not days, because it can move real money.
How to check
1. Search your deployed site bundle (the built JavaScript the browser actually downloads, not just your source tree) for `sk_live_` or `sk_test_`.
2. In the Stripe dashboard → Developers → API keys, check the "Last used" column for each secret key.
3. Review Stripe logs (Developers → Logs) for requests you do not recognise: unfamiliar endpoints, IP addresses, or activity at times you were not deploying or testing.
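The search in step 1 is easy to get wrong: a bare grep for `sk_live_` misses restricted keys and webhook secrets, and it flags the publishable key as if it were a problem. The scanner below is an added example written for this guide, not SafeToShip's tool or Stripe's code. It runs over a constructed bundle excerpt (the key strings are made-up placeholders, not real credentials), classifies each Stripe-shaped token by prefix, and separately catches the Next.js-specific mistake of putting a secret under a `NEXT_PUBLIC_` environment variable, which is inlined into the browser bundle at build time even though the key never appears literally in source.

```javascript
// Added example: classify Stripe-shaped credentials found in client-side code.
// Constructed sample input; the key strings below are placeholders, not real keys.
const SAMPLE_BUNDLE = `
  // hypothetical minified chunk from a Next.js build
  const stripe=loadStripe("pk_live_EXAMPLEPUBLISHABLE00000000");
  const s=new Stripe("sk_live_EXAMPLESECRETKEY000000000000");
  fetch("/api/webhook",{headers:{"x":"whsec_EXAMPLEWEBHOOKSECRET0000"}});
  const r="rk_test_EXAMPLERESTRICTEDKEY000000";
`;

// Hypothetical source file that never contains a literal key but still leaks one.
const SAMPLE_SOURCE = [
  'const stripe = new Stripe(process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY!);',
  'loadStripe(process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY!);',
].join('\n');

// Prefix -> how to treat a match. Publishable keys are designed to be public;
// every other prefix in this table must never reach a browser.
const STRIPE_PREFIXES = {
  pk_live_: { secret: false, label: 'publishable key (live)' },
  pk_test_: { secret: false, label: 'publishable key (test)' },
  sk_live_: { secret: true, label: 'secret key (live)' },
  sk_test_: { secret: true, label: 'secret key (test)' },
  rk_live_: { secret: true, label: 'restricted key (live)' },
  rk_test_: { secret: true, label: 'restricted key (test)' },
  whsec_: { secret: true, label: 'webhook signing secret' },
};

const TOKEN_RE = /\b(pk_live_|pk_test_|sk_live_|sk_test_|rk_live_|rk_test_|whsec_)[A-Za-z0-9]{16,}/g;

// Scan bundle text and return one finding per Stripe-shaped token.
function scanBundle(text) {
  const findings = [];
  for (const m of text.matchAll(TOKEN_RE)) {
    const prefix = m[1];
    const info = STRIPE_PREFIXES[prefix];
    const token = m[0];
    findings.push({
      prefix,
      label: info.label,
      secret: info.secret,
      // Redact in reports so the scanner's own output does not become a second leak.
      redacted: token.slice(0, prefix.length + 4) + '…' + token.slice(-4),
      line: text.slice(0, m.index).split('\n').length,
    });
  }
  return findings;
}

// Next.js inlines every process.env.NEXT_PUBLIC_* reference into the client bundle,
// so a secret stored under that prefix leaks regardless of how it is read.
const PUBLIC_ENV_RE = /process\.env\.(NEXT_PUBLIC_[A-Z0-9_]+)/g;
function findMisnamedPublicEnv(source) {
  const bad = [];
  for (const m of source.matchAll(PUBLIC_ENV_RE)) {
    if (/SECRET|WEBHOOK|PRIVATE/.test(m[1])) bad.push(m[1]);
  }
  return bad;
}

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`${f.secret ? 'LEAK ' : 'ok   '} line ${f.line}: ${f.label} ${f.redacted}`);
}
console.log('misnamed public env vars:', findMisnamedPublicEnv(SAMPLE_SOURCE));
```

To run this against a real build, read the files under `.next/static/` (or your framework's equivalent output directory) into `scanBundle` instead of the constructed sample. Treat any `secret: true` finding as a confirmed leak to rotate, and any `findMisnamedPublicEnv` hit as a leak even when no literal key shows up in the bundle.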
Or let SafeToShip check it for you in 60 seconds:
How to fix it
Stripe dashboard
Developers → API keys → click the secret key → Reveal → Roll key. When asked when the old key should expire, choose now; a leaked key gets no grace period. Put the new key in your server environment only (never in client config), redeploy, and confirm the old key no longer appears in the shipped bundle. Rolling the key does not scrub it from git history or CDN caches, which is why rotation, not deletion from source, is the fix.
Next.js
The Stripe secret key goes server-side only: a Route Handler, Server Action or API route reads it from a plain environment variable at request time. The client only ever sees the publishable key via @stripe/stripe-js.

```ts
// app/api/checkout/route.ts (server only; never import this file from a client component)
import Stripe from 'stripe';

// Plain env var, read on the server. Do NOT name it NEXT_PUBLIC_*:
// Next.js inlines every NEXT_PUBLIC_* value into the browser bundle at build time.
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
```

```ts
// Client component: publishable key only. pk_ keys are designed to be public.
'use client';
import { loadStripe } from '@stripe/stripe-js';

const stripePromise = loadStripe(process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY!);
```
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
My Stripe secret key (sk_live_ or sk_test_) is in my client bundle. This is critical. Walk me through: (1) rolling the key in the Stripe dashboard; (2) checking Stripe logs for unauthorized use; (3) moving every Stripe call to server-side code; (4) replacing all client usage with the publishable key only. Also set up webhook signing secret verification on my webhook handler if I have one.
FAQ
Frequently asked questions
- What if it was only sk_test_?
- Still rotate. A test key cannot move real money, but it can read and modify everything in your test-mode account, including any customer email addresses you used while testing, and its presence proves the same build pipeline will ship your live key the same way. Rotate it, investigate, and fix the pipeline before you switch to live mode.
- I use Stripe Checkout — do I need server code?
- Yes. Stripe Checkout still requires your server to create a Checkout Session with the secret key and hand the resulting URL (or session ID) to the browser for the redirect. The browser never needs the secret key for this flow.
Related fix guides
Fix these too
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Read more
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Read more
Exposed Supabase service key
The service role key bypasses all security in Supabase. If it is in your client code, an attacker has full database access. Here is how to find and fix it.
Read more
Free tools
Check this yourself
Platform guides
Building on these platforms?
Next.js security
Next.js is the most popular React framework, but even experienced developers miss security headers and accidentally expose server files in production.
Read more
Lovable security
Lovable makes it easy to ship fast, but AI-generated backends often ship with open Supabase tables and leaked API keys. Scan your Lovable app before your users find out.
Read more
Vercel security
Vercel handles hosting and SSL, but your application code still needs security hardening. Missing CSP headers and exposed environment variables are the top issues.
Read more
Scan your site for this and 50+ other issues
Free scan. Results in 60 seconds. No account required.