Phil Stoddard

Reputation: 9

Stripe secret key security?

I am having a developer build me a website that he has been working on for about a month now. He's doing great, and it looks fantastic. Maybe I'm being paranoid, or maybe I'm not, but this is my first venture into an online business. He needed my Stripe API key and secret key. Was it safe to give him the secret key for the coding end? He asked for both. Just wondering if I could be scammed somewhere down the line and not know it from the freelancer. Or be scammed and it is too late... Sorry, I'm coding illiterate for the most part. If I have to take any steps to ensure safety of any funds or my website after he creates it, please let me know.

Upvotes: 0

Views: 1849

Answers (2)

Logarr

Reputation: 2417

For Stripe, and many other API systems like it, there are two sets of keys. One is for testing/development, and does not do any actual live work. The other is the live set, and that will hit the live API and allow the person with the keys to act as your business.

In an ideal, secure organization you'd have the live and test sides completely separated. The developers would not have access to the live site, and thus the live keys at all. Not in the UI, not in the database, nothing. This limits the vulnerability to only those people who are assigned to keep the live site running.

Since you're working with a freelancer it's a bit murkier. I'm assuming you don't have an internal team to handle the maintenance on the site. If that's the case then even if you were to insert the live keys yourself during the launch, the freelancer would likely be the person you're contacting to address issues, at which time they'll have access to the keys anyways.

However, if the freelancer will not be the person maintaining or supporting the site, then the best course of action is for them to provide you with a spot on the back-end of the site where you can enter the live keys yourself before making the site active to the public. Again, this is only something that provides security if the freelancer will not have access to the website after it is launched.

Upvotes: 1
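The test/live separation described in the answer above can be checked mechanically. The following is an added example, not part of the original answers and not Stripe's own code. It assumes the site reads its keys from environment variables named `STRIPE_SECRET_KEY` and `STRIPE_PUBLISHABLE_KEY` (hypothetical names), and that keys are alphanumeric after Stripe's `sk_`/`pk_`/`rk_` plus `test_`/`live_` prefixes.

```python
import re

# Stripe key prefixes: sk_ = secret, pk_ = publishable, rk_ = restricted;
# the second segment (test/live) is the mode the key operates in.
# Assumption: the part after the prefix is alphanumeric.
KEY_RE = re.compile(r"\b(sk|pk|rk)_(test|live)_[A-Za-z0-9]{8,}\b")


def classify(key):
    """Return (kind, mode) for a Stripe-style key, or None if malformed."""
    m = KEY_RE.fullmatch(key.strip())
    return (m.group(1), m.group(2)) if m else None


def check_config(env, app_env):
    """Return a list of problems with the key pair for this deployment."""
    problems = []
    want = "live" if app_env == "production" else "test"
    # Variable names are assumptions made for this example.
    for name, kinds in (("STRIPE_SECRET_KEY", ("sk", "rk")),
                        ("STRIPE_PUBLISHABLE_KEY", ("pk",))):
        info = classify(env.get(name, ""))
        if info is None:
            problems.append(f"{name}: missing or malformed")
        elif info[0] not in kinds:
            problems.append(f"{name}: holds a {info[0]}_ key")
        elif info[1] != want:
            problems.append(f"{name}: {info[1]} key in {app_env}")
    return problems


def find_hardcoded_live_secrets(source_text):
    """Return (line_no, masked_key) for live secret/restricted keys in code."""
    hits = []
    for no, line in enumerate(source_text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            if m.group(1) in ("sk", "rk") and m.group(2) == "live":
                hits.append((no, m.group(0)[:8] + "..."))  # never echo the key
    return hits


# Constructed sample values; none of these are real keys.
DEV_ENV = {"STRIPE_SECRET_KEY": "sk_live_" + "A" * 24,
           "STRIPE_PUBLISHABLE_KEY": "pk_test_" + "B" * 24}
SAMPLE_SOURCE = 'import stripe\nstripe.api_key = "sk_live_' + "C" * 24 + '"\n'

if __name__ == "__main__":
    print(check_config(DEV_ENV, "development"))
    print(find_hardcoded_live_secrets(SAMPLE_SOURCE))
```

Run against the delivered code and the development configuration, a non-empty result from either function means a live secret key has reached a place where only test keys belong.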

JoeyD

Reputation: 743

If he is your developer then he would need both keys. Here is some more information about the keys and what they can do:

https://stripe.com/docs/keys

Upvotes: 0
