Fix guide · critical · stripe_secret_key

Stripe live secret key (sk_live_) in your client bundle

What this rule means

A string matching sk_live_* was found in your deployed JavaScript.

Why it matters

The publishable key (pk_live_*) is meant to be public. The secret key is roughly equivalent to admin access on your Stripe dashboard: list and refund any charge, list customer payment methods, modify webhook endpoints, transfer Connect balances.

How to fix it

  1. Roll the key in the next 90 seconds. dashboard.stripe.com/apikeys → "Roll key".
  2. Move the new key into a server-side environment variable whose name carries no public prefix, so the build tool never inlines it into the client bundle.
  3. Audit Stripe API logs for unfamiliar IPs and unexpected refunds/transfers. Email [email protected] if abuse is found.
  4. Switch to restricted keys (rk_live_*) with minimum permissions.
  5. Add a CI gate that fails the build whenever a secret key string appears in the built client bundle.

Full incident-response post: /blog/stripe-key-exposure

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
