Critical: act in the next 60 seconds

Stripe secret key leaked? Roll it now — this is a five-alarm incident

Your Stripe secret key may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Step 01: Roll the key in Stripe Dashboard → Developers → API keys. The old key dies the moment you confirm.
  2. Step 02: Pull Stripe logs for the last 7 days. Look for charges, refunds, or PaymentIntents you did not initiate.
  3. Step 03: Scan your site to confirm no other payment-related secrets (webhook signing keys, restricted keys) are exposed.
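Step 02 says to pull the last 7 days of Stripe activity and look for money movement you did not initiate. The block below is an added example (not code from this page or from Stripe) of how to triage such a pull mechanically. It assumes the event objects have the shape of the public Stripe Event (`type`, `created`, `request.id`, `request.idempotency_key`) and that your own server sets an idempotency key on every charge or PaymentIntent it creates and logs those keys; the events and key set below are constructed sample data. In production you would feed it the output of `stripe.events.list({ created: { gte: cutoff } })`, paginated.

```typescript
// Added example, not code from the original page or from Stripe.
// Triage of Stripe events after a suspected secret-key leak. Event shape
// mirrors the public Stripe Event object; the events below are constructed.
// Assumption: our server keys every charge/PaymentIntent it creates with an
// idempotency key and logs them, so our own requests can be recognised.

type StripeRequest = { id: string | null; idempotency_key: string | null };

type StripeEventLike = {
  id: string;
  type: string;      // e.g. "charge.succeeded"
  created: number;   // unix seconds
  request: StripeRequest | null;
  data: { object: { id: string; amount?: number; currency?: string } };
};

type TriageFinding = {
  eventId: string;
  type: string;
  objectId: string;
  created: number;
  severity: 'high' | 'review';
  reason: string;
};

// Event families that move money; everything else is ignored in this pass.
const MONEY_EVENT_PREFIXES = ['charge.', 'refund.', 'payment_intent.'];
const SEVEN_DAYS_SECONDS = 7 * 24 * 60 * 60;

function triageEvents(
  events: StripeEventLike[],
  knownIdempotencyKeys: Set<string>,
  now: number,
  windowSeconds: number = SEVEN_DAYS_SECONDS,
): TriageFinding[] {
  const cutoff = now - windowSeconds;
  const findings: TriageFinding[] = [];
  for (const ev of events) {
    if (ev.created < cutoff) continue;
    if (!MONEY_EVENT_PREFIXES.some((p) => ev.type.startsWith(p))) continue;
    const base = { eventId: ev.id, type: ev.type, objectId: ev.data.object.id, created: ev.created };
    if (ev.request === null || ev.request.id === null) {
      // Not caused by an API call: Dashboard action or automatic billing. Check by hand.
      findings.push({ ...base, severity: 'review', reason: 'no API request behind this event' });
    } else if (ev.request.idempotency_key === null) {
      // Our code always sets a key, so an unkeyed API call came from someone else.
      findings.push({ ...base, severity: 'high', reason: 'API request without an idempotency key' });
    } else if (!knownIdempotencyKeys.has(ev.request.idempotency_key)) {
      findings.push({ ...base, severity: 'high', reason: `unknown idempotency key ${ev.request.idempotency_key}` });
    }
  }
  // Newest first, so the most recent abuse is at the top of the list.
  return findings.sort((a, b) => b.created - a.created);
}

// Constructed sample data (fixed "now" keeps the example deterministic).
const NOW = 1700000000;
const KNOWN_KEYS = new Set(['order-1001', 'order-1002']);

const SAMPLE_EVENTS: StripeEventLike[] = [
  { id: 'evt_ours', type: 'charge.succeeded', created: NOW - 3600,
    request: { id: 'req_a1', idempotency_key: 'order-1001' },
    data: { object: { id: 'ch_1', amount: 4999, currency: 'usd' } } },
  { id: 'evt_unknown_key', type: 'charge.succeeded', created: NOW - 7200,
    request: { id: 'req_b2', idempotency_key: 'curl-test-1' },
    data: { object: { id: 'ch_2', amount: 250000, currency: 'usd' } } },
  { id: 'evt_no_key', type: 'refund.created', created: NOW - 600,
    request: { id: 'req_c3', idempotency_key: null },
    data: { object: { id: 're_1', amount: 4999, currency: 'usd' } } },
  { id: 'evt_dashboard', type: 'payment_intent.created', created: NOW - 86400,
    request: null,
    data: { object: { id: 'pi_1', amount: 1000, currency: 'usd' } } },
  { id: 'evt_old', type: 'charge.succeeded', created: NOW - 10 * 86400,
    request: { id: 'req_d4', idempotency_key: 'curl-test-0' },
    data: { object: { id: 'ch_0' } } },
  { id: 'evt_not_money', type: 'customer.created', created: NOW - 60,
    request: { id: 'req_e5', idempotency_key: null },
    data: { object: { id: 'cus_1' } } },
];

function main(): void {
  for (const f of triageEvents(SAMPLE_EVENTS, KNOWN_KEYS, NOW)) {
    console.log(`[${f.severity}] ${f.eventId} ${f.type} ${f.objectId}: ${f.reason}`);
  }
}
main();
```

On the sample data this reports the unkeyed refund and the charge with an unrecognised key as high, the Dashboard-created PaymentIntent for manual review, and drops the event outside the window and the non-monetary one. "Review" findings are not evidence of abuse by themselves; subscription renewals also arrive without a request id.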

Step 01 — Revoke

Kill the leaked credential first

Developers → API keys → click the leaked key → Reveal → Roll key. Stripe gives you a 12-hour window to update services with the new key, or you can revoke instantly. Roll instantly if you suspect active abuse.


Step 02 — Rotate

Update the new key in the right place

Server-side env vars only — never in client code, never with NEXT_PUBLIC_.

// app/api/checkout/route.ts — server only (route handlers never ship to the browser)
import Stripe from 'stripe';

// The secret key is read from the server environment at runtime; it is never
// bundled into client JavaScript and never prefixed with NEXT_PUBLIC_.
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);

// Client side uses ONLY the publishable key:
//   loadStripe(process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY!)

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan your URL — leaked Stripe keys often travel with leaked DB credentials. Find what else is exposed.

How this usually leaks

  • sk_live_ accidentally placed in a Lovable/Bolt-generated frontend instead of a server action.
  • NEXT_PUBLIC_STRIPE_SECRET_KEY env var (the publishable key may be public, the secret key may not — the two were swapped).
  • .env committed to a public repo on first push.
  • Postman collection with embedded auth header committed to GitHub.
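All four leak paths above are detectable before the push. The block below is an added example (not this page's scanner and not Stripe's code) of a pre-commit or CI check that flags a hard-coded `sk_`/`rk_` key in any tracked file, a secret under a `NEXT_PUBLIC_` name in an env file, a committed `.env` file holding a real key, and a Postman collection with the key in an Authorization header. It works on in-memory text; the file contents are constructed samples and every key value is a placeholder, not a real Stripe key. Wire `scanText` to `git diff --cached --name-only` or your CI's file list to use it for real.

```typescript
// Added example, not code from the original page: pre-commit / CI check for
// the leak paths listed above. Works on in-memory text; the sample files are
// constructed and every key value is a fake placeholder.

type LeakKind = 'secret-literal' | 'public-env-secret';

type LeakFinding = { file: string; line: number; kind: LeakKind; detail: string };

// Stripe secret keys (sk_) and restricted keys (rk_), live or test mode.
const STRIPE_SECRET_RE = /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{8,}\b/;

// Never echo a found key in full; keep just enough to tell which one it is.
function redact(key: string): string {
  return `${key.slice(0, 8)}...${key.slice(-4)}`;
}

function isEnvFile(path: string): boolean {
  const base = path.split('/').pop() ?? path;
  return base === '.env' || base.startsWith('.env.');
}

// Scan one file's text; returns every finding with a 1-based line number.
function scanText(file: string, text: string): LeakFinding[] {
  const findings: LeakFinding[] = [];
  const lines = text.split('\n');
  lines.forEach((raw, i) => {
    const line = raw.trim();
    const lineNo = i + 1;
    if (isEnvFile(file)) {
      // KEY=value lines only; comments and blanks are ignored.
      const m = /^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/.exec(line);
      if (!m) return;
      const name = m[1];
      const value = m[2];
      const valueIsSecret = STRIPE_SECRET_RE.test(value);
      if (name.startsWith('NEXT_PUBLIC_') && (valueIsSecret || name.includes('SECRET'))) {
        // Next.js inlines NEXT_PUBLIC_* into the browser bundle at build time.
        findings.push({ file, line: lineNo, kind: 'public-env-secret',
          detail: `${name} would be shipped to the browser` });
      } else if (valueIsSecret) {
        // A committed .env file is a leak even when the variable name is right.
        const key = (STRIPE_SECRET_RE.exec(value) as RegExpExecArray)[0];
        findings.push({ file, line: lineNo, kind: 'secret-literal',
          detail: `${name}=${redact(key)} in a committed env file` });
      }
      return;
    }
    const hit = STRIPE_SECRET_RE.exec(line);
    if (hit) {
      findings.push({ file, line: lineNo, kind: 'secret-literal', detail: `hard-coded ${redact(hit[0])}` });
    }
  });
  return findings;
}

function scanFiles(files: Record<string, string>): LeakFinding[] {
  const all: LeakFinding[] = [];
  for (const file of Object.keys(files)) all.push(...scanText(file, files[file]));
  return all;
}

// Constructed sample repository contents (placeholder keys, not real ones).
const SAMPLE_FILES: Record<string, string> = {
  // Leak path 1: secret key pasted into a generated frontend component.
  'app/components/Checkout.tsx':
    "const stripe = new Stripe('sk_live_EXAMPLE0000000000000001');",
  // Leak paths 2 and 3: secret under a NEXT_PUBLIC_ name, and the .env file itself committed.
  '.env.local': [
    'NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_EXAMPLE0000000000000002',
    'NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_EXAMPLE0000000000000003',
    'STRIPE_SECRET_KEY=sk_live_EXAMPLE0000000000000004',
  ].join('\n'),
  // Leak path 4: Postman collection with the key in an Authorization header.
  'postman/stripe.postman_collection.json':
    '{"header":[{"key":"Authorization","value":"Bearer sk_live_EXAMPLE0000000000000005"}]}',
  // Correct usage: server route reading the key from the environment at runtime.
  'app/api/checkout/route.ts':
    'const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);',
};

function main(): void {
  const findings = scanFiles(SAMPLE_FILES);
  for (const f of findings) console.log(`${f.file}:${f.line} [${f.kind}] ${f.detail}`);
  console.log(findings.length === 0 ? 'clean' : `${findings.length} finding(s); block the commit`);
}
main();
```

The publishable `pk_` key is deliberately not matched: it is meant to reach the browser. The server route that reads `process.env.STRIPE_SECRET_KEY` produces no finding, which is the shape Step 02 asks for.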

FAQ

Frequently asked questions

Should I refund any unauthorized charges I find?

Yes — refund customers proactively the moment you spot fraud. Document everything for your Stripe Risk team and contact Stripe support immediately. They can flag the affected window for chargeback protection.

Does rolling the key invalidate active subscriptions?

No. Subscriptions, customers, and PaymentIntents are tied to your account, not the key. Rolling the key only invalidates that specific credential. Existing subscriptions keep billing.

What about restricted keys vs the master secret key?

Use restricted keys (rk_live_) for individual integrations — they limit blast radius. The master secret key should only be used in your most-locked-down server. Roll the master key only when truly necessary.

See what else leaked in the same deploy

Free scan. 70+ checks. Results in 60 seconds.