By Hemanta Sundaray on 2022-10-26
When implementing payment processing using Stripe, you get two API keys for both test mode and live mode.
One is a publishable key & the other is a secret key. Stripe uses these API keys to authenticate your API requests.
According to Stripe DOCS, the publishable key can be publicly accessible in your web or mobile app’s client-side code. For example, in the code snippet below, the publishable key is in client-side code and becomes publicly accessible when the code is pushed to GitHub.
import { loadStripe } from "@stripe/stripe-js"
export const stripePromise = loadStripe(
"pk_test_61I29144e4HAv4tCvB2Srott0k9YQQKrSp4vDC9aZrs6BPpDajVBlU6Z00NWaijUhh"
)The secret key, on the other hand, must be stored securely in your web or mobile app’s server-side code (such as in an environment variable).
You should NEVER EXPOSE the secret key, because anyone with access to your secret key can make any API call on behalf of your account to create a charge or perform a refund for example.