API keys (2024)

Table of Contents
Test mode versus live mode Secret and publishable keys Keep your keys safe Reveal a secret API key for test mode Reveal a secret or restricted API key for live mode Roll an API key Delete a secret or restricted API key Create a secret API key Create a restricted API key Limit secret or restricted keys to a list or range of IP addresses Change a secret or restricted API key’s name or note View the API request logs

Stripe authenticates your API requests using your account’s API keys. If a request doesn’t include a valid key, Stripe returns an invalid request error. If a request includes a deleted or expired key, Stripe returns an authentication error.

Use the Developers Dashboard to create, reveal, delete, and roll API keys. To access your v1 API keys, select the API Keys tab in your Dashboard.

Test mode versus live mode API keys (1)

All Stripe API requests occur in either test mode or live mode. Use test mode to access test data, and live mode to access actual account data. Each mode has its own set of API keys. Objects in one mode aren’t accessible to the other. For instance, a test-mode product object can’t be part of a live-mode payment.

Live mode key access

You can only reveal a live mode secret or restricted API key one time. If you lose it, you can’t retrieve it from the Dashboard. In that case, roll it or delete it and create a new one.

Type When to useObjectsHow to useConsiderations
test modeUse test mode, and its associated test API keys, as you build your integration. In test mode, card networks and payment providers don’t process payments.API calls return simulated objects. For example, you can retrieve and use test account, payment, customer, charge, refund, transfer, balance, and subscription objects.Use test credit cards and accounts. You can’t accept real payment methods or work with real accounts.Identity doesn’t perform any verification checks. Also, Connect account objects don’t return sensitive fields.
live modeUse live mode, and its associated live API keys, when you’re ready to launch your integration and accept real money. In live mode, card networks and payment providers do process payments.API calls return real objects. For example, you can retrieve and use real account, payment, customer, charge, refund, transfer, balance, and subscription objects.Accept real credit cards and work with customer accounts. You can accept actual payment authorizations, charges, and captures for credit cards and accounts.Disputes have a more nuanced flow and a simpler testing process. Also, some payment methods have a more nuanced flow and require more steps.

Secret and publishable keys API keys (2)

All accounts have a total of four API keys by default—two for test mode and two for live mode:

  1. Test mode secret key: Use this key to authenticate requests on your server when in test mode. By default, you can use this key to perform any API request without restriction.
  2. Test mode publishable key: Use this key for testing purposes in your web or mobile app’s client-side code.
  3. Live mode secret key: Use this key to authenticate requests on your server when in live mode. By default, you can use this key to perform any API request without restriction.
  4. Live mode publishable key: Use this key, when you’re ready to launch your app, in your web or mobile app’s client-side code.

Testing and development

Use only your test API keys for testing and development. This ensures that you don’t accidentally modify your live customers or charges.

You can find your secret and publishable keys on the API keys page in the Developers Dashboard. While you’re logged in, Stripe documentation automatically populates code examples with your test mode API keys. (Only you can see these values). If you’re not logged in, our code examples include randomly generated API keys. Replace them with your own test keys or log in to see the code examples populated with your own test API keys. If you can’t view your API keys, ask the owner of your Stripe account to add you to their team with the proper permissions.

The following table shows randomly generated examples of secret and publishable test API keys:

Type Value When to use
SecretOn the server side: Must be secret and stored securely in your web or mobile app’s server-side code (such as in an environment variable or credential management system) to call Stripe APIs. Don’t expose this key on a website or embed it in a mobile application.
PublishableOn the client side: Can be publicly accessible in your web or mobile app’s client-side code (such as checkout.js) to securely collect payment information, such as with Stripe Elements. By default, Stripe Checkout securely collects payment information.
RestrictedA string that starts with rk_test_In microservices: Must be secret and stored securely in your microservice code to call Stripe APIs. Don’t expose this key on a website or embed it in a mobile application.

Keep your keys safe API keys (3)

Anyone can use your live mode secret API key to make any API call on behalf of your account, such as creating a charge or performing a refund. Keep your keys safe by following these best practices:

  • Grant access only to those who need it.
  • Don’t store keys in a version control system.
  • Control access to keys with a password manager or secrets management service.
  • Don’t embed a key where it could be exposed to an attacker, such as in a mobile application.

Customize API access with restricted API keys API keys (4)

To provide limited access to the API, create restricted API keys. You can configure a restricted API key to allow read or write access to specific API resources. When using microservices that interact with the API on your behalf, define restricted keys that allow only the minimum access those microservices require. For example, if you use a dispute monitoring service, create a restricted key that only provides read access to dispute-related resources. That key allows the service to get the data it needs, but doesn’t allow it to make any changes or access any other data.

Restricted keys can’t interact with many parts of Stripe’s API because they’re only intended to reduce risk when using or building microservices. Don’t use restricted keys as an alternative to your account’s secret or publishable API keys during development of your Stripe integration.

Permission errors

If you use a restricted API key in a call it doesn’t have access to, Stripe raises a permission error.

Limit the IP addresses that can send API requests API keys (5)

You can increase the security of a secret or restricted key by limiting the IP addresses that can use it to send API requests. Additionally, you can restrict a key to one or more IP addresses or to a range of IP addresses.

Reveal a secret API key for test mode API keys (6)

In test mode, you can reveal a secret API key as many times as you want.

To reveal a secret key in test mode:

  1. In the Developers Dashboard, select the API keys tab.
  2. In the Standard keys list, in the Secret key row, click Reveal test key.
  3. Copy the key value by clicking it.
  4. Save the key value.
  5. Click Hide test key.

Reveal a secret or restricted API key for live mode API keys (7)

For security, in live mode Stripe only shows you a secret or restricted API key one time. Store the key in a safe place where you won’t lose it. To help yourself remember where you stored it, you can leave a note on the key in the Dashboard. If you lose the key, you can roll it or delete it and create another.

You can't reveal a live mode secret key that you created

After you create a secret or restricted API key in live mode, we display the value before you save it. You must copy the value before saving it because you can’t reveal it later. You can only reveal a default secret key or a key generated by a scheduled roll.

See Also
How to Use an API Key Securely: 5 Tips From Binance | Binance Blog

To reveal a secret or restricted key in live mode and attach a note:

Note

The API keys link here opens in live mode.

  1. In the Developers Dashboard, select the API keys tab.
  2. In the Standard keys list or Restricted keys list, in the row for the key you want to reveal, click Reveal live key.
  3. Copy the key value by clicking it.
  4. Save the key value.
  5. Click Hide test key.
  6. Click the overflow menu () next to the key, then select Edit key….
  7. In the Note field, enter the location where you saved the key, then click Save.
  8. If you created the key before Stripe introduced this feature, click Hide live key.

Note

Keys that you created before Stripe introduced this feature aren’t automatically hidden when they’re revealed. You must manually hide them.

Roll an API key API keys (8)

Rolling a key revokes it and generates a replacement key. You can roll a key immediately or schedule a key to roll after a certain time. Roll a key in scenarios such as the following examples:

  • If you’re in live mode and you lose a secret key or restricted key, you can’t recover it from the Dashboard and must replace it.
  • If a secret or restricted key is compromised, you need to revoke it to block any potentially malicious API requests that might use it.
  • Your policy requires rotating keys at certain intervals.

To roll an API key:

  1. Open the API keys page.
  2. In the row for the key you want to roll, click the overflow menu (), then select Roll key….
  3. Choose an expiration date from the Expiration dropdown.
  4. Click Roll API key.
  5. The dialog displays the new key value. Copy it by clicking it.
  6. Save the key value. You can’t retrieve it later.
  7. In the Add a note field, enter the location where you saved the key and click Done or Save.

If you chose Now for the Expiration, we delete the old key. If you selected a different time, you can see the time remaining until the key expires below its name.

Regardless of the old key’s expiration time, the new key is ready to use immediately.

When you roll a publishable key, the replacement key’s name is always Publishable key. When you roll a secret key, the replacement key’s name is always Secret key. When you roll a restricted key, the replacement key’s name is the same as the rolled key. You can rename a secret or restricted key by clicking its overflow menu and selecting Edit key….

Delete a secret or restricted API key API keys (9)

If you delete a key, any code that uses that key can no longer make API calls. Create a new key and update the code to use it.

Note

You can’t delete a publishable key.

To delete a key:

  1. In the Developers Dashboard, select the API keys tab.
  2. Locate the key you want to delete in either the Standard keys or Restricted keys list. Click the overflow menu icon () in the row of that key, then select Delete key….
  3. In the Delete API key dialog, if you’re sure that you want to delete the key, click Delete key. Otherwise, click Cancel.

Create a secret API key API keys (10)

To create a secret API key:

  1. Open the API keys page.
  2. Click Create secret key.
  3. Stripe sends a verification code to your email address or in a text message. (As with any email or text message, it might not arrive immediately.) Enter the code in the dialog. If the dialog doesn’t continue automatically, click Continue.
  4. Enter a name in the Key name field.
  5. Click Create.
  6. The dialog displays the new key value. Copy it by clicking it.
  7. Save the key value. You can’t retrieve it later.
  8. In the Add a note field, enter the location where you saved the key and click Done.

Create a restricted API key API keys (11)

A restricted API key only allows the level of access that you specify.

To create a restricted API key:

  1. Open the API keys page.
  2. You can create a restricted key from scratch or start by cloning an existing restricted key.
    • To create a restricted key from scratch, click Create restricted key. In this case, the default value for all permissions is None.
    • To clone an existing key, in the row for the key you want to clone, click the overflow menu (), then select Duplicate key…. In this case, the default value for each permission is its value in the cloned key.
  3. In the Key name field, enter a name. If you cloned an existing key, the default name is the cloned key’s name.
  4. For each resource you want the new key to access, select the permission for this key to allow. If you use Connect, you can also select the permission for this key to allow when accessing connected accounts. Available permissions are None, Read, or Write.
  5. Click Create key.
  6. Stripe sends a verification code to your email address or in a text message. (As with any email or text message, it might not arrive immediately.) Enter the code in the dialog. If the dialog doesn’t continue automatically, click Continue.
  7. The dialog displays the new key value. Copy it by clicking it.
  8. Save the key value. You can’t retrieve it later.
  9. In the Add a note field, enter the location where you saved the key and click Done.

Limit secret or restricted keys to a list or range of IP addresses API keys (12)

To limit API requests using a key to one or more specific IP addresses or to a range of IP addresses:

Valid IP address ranges

If you specify a range of IP addresses, they can only span the fourth byte of the address. All addresses in the range must have the same first three bytes. For example, a valid range could be 100.10.38.1 - 100.10.38.12, specified as 100.10.38.1/12. All addresses in the range must start with 100.10.38.

  1. Open the API keys page.
  2. In the Standard keys list or Restricted keys list, in the row for the key you want to reveal, click the overflow menu (), then select Manage IP restrictions….
  3. Click Restrict IP addresses that can use the API key.
  4. Enter a list or range of IP addresses:
    • For a list of IP addresses, enter the first IP address in the fields. For each additional IP address, click + Add IP address and enter the address.
    • For a range of IP addresses, click CIDR, then enter the range in Classless Inter-Domain Routing (CIDR) notation. In the first three fields, enter the first three numbers of the IP addresses in the range. In the fourth and fifth fields, enter the fourth number of the first and last addresses in the range, respectively.
  5. Click Save.

Shortcutting

Press Ctrl+V or ⌘+V with a valid IP address on your clipboard to input text into all of the fields.

Change a secret or restricted API key’s name or note API keys (13)

To change the name or note text of a secret or restricted key:

  1. Open the API keys page.
  2. In the row for the key you want to change, click the overflow menu (), then select Edit key….
  3. If you want to change the name, in Key name, enter the new name.
  4. If you want to change the note text, in Note, enter the new note text.
  5. Click Save.

View the API request logs API keys (14)

To open the API request logs, click the overflow menu () for any key, then select View request logs. Opening the logs redirects you to the main Stripe Dashboard.

API keys (2024)
Top Articles
08 Disadvantages for seller against FOB terms of delivery
Knowledge Base | Duo Security
Portfolio Recovery Associates, LLC vs Brian Nelson, 27-CV-21-7820, 22062021_Affidavit of Plaintiff_0 (Minnesota State, Hennepin County, District Court Jun. 22, 2021)
New York Times NYT Spelling Bee Answers and Solution for May 18, 2024
Latest Posts
What Is FOB and What Does It Mean? – Redwood Logistics
Why Did My Credit Score Go Down? - Experian
Article information

Author: Catherine Tremblay

Last Updated:

Views: 5951

Rating: 4.7 / 5 (67 voted)

Reviews: 82% of readers found this page helpful

Author information

Name: Catherine Tremblay

Birthday: 1999-09-23

Address: Suite 461 73643 Sherril Loaf, Dickinsonland, AZ 47941-2379

Phone: +2678139151039

Job: International Administration Supervisor

Hobby: Dowsing, Snowboarding, Rowing, Beekeeping, Calligraphy, Shooting, Air sports

Introduction: My name is Catherine Tremblay, I am a precious, perfect, tasty, enthusiastic, inexpensive, vast, kind person who loves writing and wants to share my knowledge and understanding with you.