Fix guide · high · stripe_restricted_key

Stripe restricted key (rk_live_) in your client bundle

What this rule means

A string matching rk_live_* was found in your deployed JavaScript.

Why it matters

This is less catastrophic than a leaked sk_live_ key, because restricted keys have a scoped permission set, but it still exposes whatever capabilities that specific key was granted. That frequently includes customer data read or charge creation.

How to fix it

  1. Revoke the key at dashboard.stripe.com/apikeys.
  2. Audit logs for the time window the key was valid.
  3. Generate a new restricted key with minimum permissions and store it server-side.
  4. Add a CI gate to fail deploys containing rk_live_.
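
One way to build the CI gate from step 4, as an added example (not vibecheck's or Stripe's own code). The `dist` directory name, the script name, and the alphanumeric character class in the pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: CI gate for live Stripe restricted keys in build output.
# Assumption: key bodies are alphanumeric; this regex is the example's own.
KEY_PATTERN='rk_live_[A-Za-z0-9]+'

# scan_bundle DIR
#   returns 0 = clean, 1 = key found, 2 = could not scan
scan_bundle() {
  sb_dir=$1
  if [ ! -d "$sb_dir" ]; then
    echo "scan_bundle: not a directory: $sb_dir" >&2
    return 2
  fi

  # -r recurse, -I skip binary files, -n line numbers, -o print only the match
  sb_status=0
  sb_hits=$(grep -rInoE -e "$KEY_PATTERN" "$sb_dir") || sb_status=$?

  if [ -n "$sb_hits" ]; then
    # Redact the match so the key is not copied into CI logs.
    printf '%s\n' "$sb_hits" | sed -E "s/$KEY_PATTERN/rk_live_[REDACTED]/g"
    return 1
  fi
  # grep exits 1 for "no match"; anything else means the scan itself failed,
  # and a gate must not pass on a scan it could not complete.
  [ "$sb_status" -eq 1 ] && return 0
  return 2
}

# Script entry point: ./check-bundle.sh dist
if [ "$#" -gt 0 ]; then
  scan_bundle "$1"
  exit $?
fi
```

Run it against the final build directory, after bundling, so that values inlined at build time are scanned too.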

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
