API keys (2024)

Stripe authenticates your API requests using your account’s API keys. If a request doesn’t include a valid key, Stripe returns an invalid request error. If a request includes a deleted or expired key, Stripe returns an authentication error.

Use the Developers Dashboard to create, reveal, delete, and roll API keys. To access your v1 API keys, select the API Keys tab in your Dashboard.

Test mode versus live mode

All Stripe API requests occur in either test mode or live mode. Use test mode to access test data, and live mode to access actual account data. Each mode has its own set of API keys. Objects in one mode aren’t accessible to the other. For instance, a test-mode product object can’t be part of a live-mode payment.

Live mode key access

You can only reveal a live mode secret or restricted API key one time. If you lose it, you can’t retrieve it from the Dashboard. In that case, roll it or delete it and create a new one.

Test mode
  • When to use: Use test mode, and its associated test API keys, as you build your integration. In test mode, card networks and payment providers don’t process payments.
  • Objects: API calls return simulated objects. For example, you can retrieve and use test account, payment, customer, charge, refund, transfer, balance, and subscription objects.
  • How to use: Use test credit cards and accounts. You can’t accept real payment methods or work with real accounts.
  • Considerations: Identity doesn’t perform any verification checks. Also, Connect account objects don’t return sensitive fields.

Live mode
  • When to use: Use live mode, and its associated live API keys, when you’re ready to launch your integration and accept real money. In live mode, card networks and payment providers do process payments.
  • Objects: API calls return real objects. For example, you can retrieve and use real account, payment, customer, charge, refund, transfer, balance, and subscription objects.
  • How to use: Accept real credit cards and work with customer accounts. You can accept actual payment authorizations, charges, and captures for credit cards and accounts.
  • Considerations: Disputes have a more nuanced flow and a simpler testing process. Also, some payment methods have a more nuanced flow and require more steps.

Secret and publishable keys

All accounts have a total of four API keys by default—two for test mode and two for live mode:

  1. Test mode secret key: Use this key to authenticate requests on your server when in test mode. By default, you can use this key to perform any API request without restriction.
  2. Test mode publishable key: Use this key for testing purposes in your web or mobile app’s client-side code.
  3. Live mode secret key: Use this key to authenticate requests on your server when in live mode. By default, you can use this key to perform any API request without restriction.
  4. Live mode publishable key: Use this key, when you’re ready to launch your app, in your web or mobile app’s client-side code.

Testing and development

Use only your test API keys for testing and development. This ensures that you don’t accidentally modify your live customers or charges.

You can find your secret and publishable keys on the API keys page in the Developers Dashboard. While you’re logged in, Stripe documentation automatically populates code examples with your test mode API keys. (Only you can see these values). If you’re not logged in, our code examples include randomly generated API keys. Replace them with your own test keys or log in to see the code examples populated with your own test API keys. If you can’t view your API keys, ask the owner of your Stripe account to add you to their team with the proper permissions.

The following table shows randomly generated examples of secret and publishable test API keys:

Secret
  • When to use: On the server side. Must be secret and stored securely in your web or mobile app’s server-side code (such as in an environment variable or credential management system) to call Stripe APIs. Don’t expose this key on a website or embed it in a mobile application.

Publishable
  • When to use: On the client side. Can be publicly accessible in your web or mobile app’s client-side code (such as checkout.js) to securely collect payment information, such as with Stripe Elements. By default, Stripe Checkout securely collects payment information.

Restricted
  • Value: A string that starts with rk_test_
  • When to use: In microservices. Must be secret and stored securely in your microservice code to call Stripe APIs. Don’t expose this key on a website or embed it in a mobile application.

Keep your keys safe

Anyone can use your live mode secret API key to make any API call on behalf of your account, such as creating a charge or performing a refund. Keep your keys safe by following these best practices:

  • Grant access only to those who need it.
  • Don’t store keys in a version control system.
  • Control access to keys with a password manager or secrets management service.
  • Don’t embed a key where it could be exposed to an attacker, such as in a mobile application.
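A pre-commit style check that enforces the two rules above (no secret or restricted key in version control, only publishable keys in client-side code). This is added example code, not Stripe's; it assumes the sk_ and pk_ prefixes follow the same shape as the rk_test_ form shown on this page, and the key values in the sample are constructed fakes.

```python
import re

# Key shape assumed from the rk_test_ form on the page: a type prefix
# (pk = publishable, sk = secret, rk = restricted), a mode (test/live),
# then an opaque alphanumeric body. Real keys are longer; 8+ is enough here.
KEY_RE = re.compile(r"\b(pk|sk|rk)_(test|live)_[A-Za-z0-9]{8,}\b")

TYPE_NAMES = {"pk": "publishable", "sk": "secret", "rk": "restricted"}


def classify_key(key: str) -> dict:
    """Return the key's type and mode, and whether it may live client-side."""
    m = KEY_RE.fullmatch(key)
    if not m:
        raise ValueError("not a Stripe-shaped key")
    kind = TYPE_NAMES[m.group(1)]
    return {"type": kind, "mode": m.group(2), "client_safe": kind == "publishable"}


def scan_for_keys(lines, path=""):
    """Flag secret/restricted keys found in text about to be committed.

    Publishable keys are meant to be public and are skipped. A live-mode
    secret or restricted key is critical (it can make any API call on the
    account); a test-mode one is still a finding, just lower severity.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in KEY_RE.finditer(line):
            info = classify_key(m.group(0))
            if info["client_safe"]:
                continue
            severity = "critical" if info["mode"] == "live" else "warning"
            findings.append({
                "path": path, "line": lineno,
                "type": info["type"], "mode": info["mode"], "severity": severity,
            })
    return findings


# Constructed sample: a .env file someone is about to commit (fake values).
SAMPLE = """\
STRIPE_PUBLISHABLE_KEY=pk_live_FAKEFAKEFAKEFAKE01
STRIPE_SECRET_KEY=sk_live_FAKEFAKEFAKEFAKE02
# dev only
STRIPE_TEST_KEY=sk_test_FAKEFAKEFAKEFAKE03
DISPUTES_KEY=rk_live_FAKEFAKEFAKEFAKE04
""".splitlines()

if __name__ == "__main__":
    for f in scan_for_keys(SAMPLE, ".env"):
        print(f"{f['path']}:{f['line']}: {f['severity']}: {f['mode']} {f['type']} key")
```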

Customize API access with restricted API keys

To provide limited access to the API, create restricted API keys. You can configure a restricted API key to allow read or write access to specific API resources. When using microservices that interact with the API on your behalf, define restricted keys that allow only the minimum access those microservices require. For example, if you use a dispute monitoring service, create a restricted key that only provides read access to dispute-related resources. That key allows the service to get the data it needs, but doesn’t allow it to make any changes or access any other data.

Restricted keys can’t interact with many parts of Stripe’s API because they’re only intended to reduce risk when using or building microservices. Don’t use restricted keys as an alternative to your account’s secret or publishable API keys during development of your Stripe integration.

Permission errors

If you use a restricted API key in a call it doesn’t have access to, Stripe raises a permission error.
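A small model of the permission scheme described above (None, Read or Write per resource, with a separate set for connected accounts), plus a helper that derives the least-privilege key a microservice needs from the calls it makes. This is added example code, not Stripe's authorization logic; the resource names are illustrative and the semantics assumed are that Write covers Read.

```python
from enum import IntEnum


class Perm(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2  # assumed: write permission also covers reads


class RestrictedKey:
    """Model of a restricted key: a permission per resource, and optionally a
    separate permission per resource when accessing connected accounts."""

    def __init__(self, name, perms, connect_perms=None):
        self.name = name
        self.perms = dict(perms)
        self.connect_perms = dict(connect_perms or {})

    def check(self, resource, action, connected_account=False):
        """Raise PermissionError if this key can't perform the call."""
        table = self.connect_perms if connected_account else self.perms
        granted = table.get(resource, Perm.NONE)
        needed = Perm.WRITE if action == "write" else Perm.READ
        if granted < needed:
            raise PermissionError(
                f"key {self.name!r} has {granted.name} on {resource!r}; "
                f"{action} needs {needed.name}")
        return True


def minimum_permissions(calls):
    """Given (resource, action, connected_account) triples describing every
    call a service makes, return the smallest (perms, connect_perms) pair a
    restricted key for that service needs."""
    perms, connect = {}, {}
    for resource, action, connected in calls:
        table = connect if connected else perms
        needed = Perm.WRITE if action == "write" else Perm.READ
        table[resource] = max(table.get(resource, Perm.NONE), needed)
    return perms, connect


# Constructed example: the dispute monitoring service from the text only
# needs to read disputes, so its key grants nothing else.
DISPUTE_MONITOR = RestrictedKey("dispute-monitor", {"disputes": Perm.READ})

if __name__ == "__main__":
    print(DISPUTE_MONITOR.check("disputes", "read"))
    try:
        DISPUTE_MONITOR.check("charges", "read")
    except PermissionError as e:
        print("blocked:", e)
    print(minimum_permissions([("disputes", "read", False),
                               ("disputes", "write", False)]))
```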

Limit the IP addresses that can send API requests

You can increase the security of a secret or restricted key by limiting the IP addresses that can use it to send API requests. A key can be restricted to one or more individual IP addresses or to a range of IP addresses.

Reveal a secret API key for test mode

In test mode, you can reveal a secret API key as many times as you want.

To reveal a secret key in test mode:

  1. In the Developers Dashboard, select the API keys tab.
  2. In the Standard keys list, in the Secret key row, click Reveal test key.
  3. Copy the key value by clicking it.
  4. Save the key value.
  5. Click Hide test key.

Reveal a secret or restricted API key for live mode

For security, in live mode Stripe only shows you a secret or restricted API key one time. Store the key in a safe place where you won’t lose it. To help yourself remember where you stored it, you can leave a note on the key in the Dashboard. If you lose the key, you can roll it or delete it and create another.

You can't reveal a live mode secret key that you created

After you create a secret or restricted API key in live mode, we display the value before you save it. You must copy the value before saving it because you can’t reveal it later. You can only reveal a default secret key or a key generated by a scheduled roll.

To reveal a secret or restricted key in live mode and attach a note:

Note

The API keys link here opens in live mode.

  1. In the Developers Dashboard, select the API keys tab.
  2. In the Standard keys list or Restricted keys list, in the row for the key you want to reveal, click Reveal live key.
  3. Copy the key value by clicking it.
  4. Save the key value.
  5. Click Hide test key.
  6. Click the overflow menu () next to the key, then select Edit key….
  7. In the Note field, enter the location where you saved the key, then click Save.
  8. If you created the key before Stripe introduced this feature, click Hide live key.

Note

Keys that you created before Stripe introduced this feature aren’t automatically hidden when they’re revealed. You must manually hide them.

Roll an API key

Rolling a key revokes it and generates a replacement key. You can roll a key immediately or schedule a key to roll after a certain time. Roll a key in scenarios such as the following examples:

  • If you’re in live mode and you lose a secret key or restricted key, you can’t recover it from the Dashboard and must replace it.
  • If a secret or restricted key is compromised, you need to revoke it to block any potentially malicious API requests that might use it.
  • Your policy requires rotating keys at certain intervals.

To roll an API key:

  1. Open the API keys page.
  2. In the row for the key you want to roll, click the overflow menu (), then select Roll key….
  3. Choose an expiration date from the Expiration dropdown.
  4. Click Roll API key.
  5. The dialog displays the new key value. Copy it by clicking it.
  6. Save the key value. You can’t retrieve it later.
  7. In the Add a note field, enter the location where you saved the key and click Done or Save.

If you chose Now for the Expiration, we delete the old key. If you selected a different time, you can see the time remaining until the key expires below its name.

Regardless of the old key’s expiration time, the new key is ready to use immediately.

When you roll a publishable key, the replacement key’s name is always Publishable key. When you roll a secret key, the replacement key’s name is always Secret key. When you roll a restricted key, the replacement key’s name is the same as the rolled key. You can rename a secret or restricted key by clicking its overflow menu and selecting Edit key….

Delete a secret or restricted API key

If you delete a key, any code that uses that key can no longer make API calls. Create a new key and update the code to use it.

Note

You can’t delete a publishable key.

To delete a key:

  1. In the Developers Dashboard, select the API keys tab.
  2. Locate the key you want to delete in either the Standard keys or Restricted keys list. Click the overflow menu icon () in the row of that key, then select Delete key….
  3. In the Delete API key dialog, if you’re sure that you want to delete the key, click Delete key. Otherwise, click Cancel.

Create a secret API key

To create a secret API key:

  1. Open the API keys page.
  2. Click Create secret key.
  3. Stripe sends a verification code to your email address or in a text message. (As with any email or text message, it might not arrive immediately.) Enter the code in the dialog. If the dialog doesn’t continue automatically, click Continue.
  4. Enter a name in the Key name field.
  5. Click Create.
  6. The dialog displays the new key value. Copy it by clicking it.
  7. Save the key value. You can’t retrieve it later.
  8. In the Add a note field, enter the location where you saved the key and click Done.

Create a restricted API key

A restricted API key only allows the level of access that you specify.

To create a restricted API key:

  1. Open the API keys page.
  2. You can create a restricted key from scratch or start by cloning an existing restricted key.
    • To create a restricted key from scratch, click Create restricted key. In this case, the default value for all permissions is None.
    • To clone an existing key, in the row for the key you want to clone, click the overflow menu (), then select Duplicate key…. In this case, the default value for each permission is its value in the cloned key.
  3. In the Key name field, enter a name. If you cloned an existing key, the default name is the cloned key’s name.
  4. For each resource you want the new key to access, select the permission for this key to allow. If you use Connect, you can also select the permission for this key to allow when accessing connected accounts. Available permissions are None, Read, or Write.
  5. Click Create key.
  6. Stripe sends a verification code to your email address or in a text message. (As with any email or text message, it might not arrive immediately.) Enter the code in the dialog. If the dialog doesn’t continue automatically, click Continue.
  7. The dialog displays the new key value. Copy it by clicking it.
  8. Save the key value. You can’t retrieve it later.
  9. In the Add a note field, enter the location where you saved the key and click Done.

Limit secret or restricted keys to a list or range of IP addresses

To limit API requests using a key to one or more specific IP addresses or to a range of IP addresses:

Valid IP address ranges

If you specify a range of IP addresses, they can only span the fourth byte of the address. All addresses in the range must have the same first three bytes. For example, a valid range could be 100.10.38.1 - 100.10.38.12, specified as 100.10.38.1/12. All addresses in the range must start with 100.10.38.

  1. Open the API keys page.
  2. In the Standard keys list or Restricted keys list, in the row for the key you want to restrict, click the overflow menu (), then select Manage IP restrictions….
  3. Click Restrict IP addresses that can use the API key.
  4. Enter a list or range of IP addresses:
    • For a list of IP addresses, enter the first IP address in the fields. For each additional IP address, click + Add IP address and enter the address.
    • For a range of IP addresses, click CIDR, then enter the range in Classless Inter-Domain Routing (CIDR) notation. In the first three fields, enter the first three numbers of the IP addresses in the range. In the fourth and fifth fields, enter the fourth number of the first and last addresses in the range, respectively.
  5. Click Save.

Shortcutting

Press Ctrl+V or ⌘+V with a valid IP address on your clipboard to input text into all of the fields.
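A checker for the restriction semantics this section describes (a list of individual addresses, or a range whose addresses share the first three bytes and whose fourth byte runs from first to last), applied to constructed request-log lines to spot requests from outside the allowlist. This is added example code, not Stripe's; the log format is constructed. Note that the A.B.C.first/last form is the Dashboard's own notation: despite the CIDR label, the number after the slash is the last address's fourth byte, not a prefix length.

```python
import ipaddress
import re

# Range as the Dashboard writes it, e.g. 100.10.38.1/12 = 100.10.38.1 to 100.10.38.12.
RANGE_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})/(\d{1,3})$")
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_restriction(spec: str):
    """Parse one allowlist entry: a single IPv4 address, or A.B.C.first/last."""
    m = RANGE_RE.match(spec)
    if m:
        prefix, first, last = m.group(1), int(m.group(2)), int(m.group(3))
        ipaddress.IPv4Address(f"{prefix}.0")  # validates the first three bytes
        if not (0 <= first <= last <= 255):
            raise ValueError(f"range must stay within the fourth byte: {spec}")
        return ("range", prefix, first, last)
    return ("single", ipaddress.IPv4Address(spec))


def ip_allowed(ip: str, entries) -> bool:
    """True if ip matches any single address or falls inside any range."""
    addr = ipaddress.IPv4Address(ip)
    head, _, tail = str(addr).rpartition(".")
    for entry in entries:
        if entry[0] == "single":
            if addr == entry[1]:
                return True
        else:
            _, prefix, first, last = entry
            if head == prefix and first <= int(tail) <= last:
                return True
    return False


def flag_unexpected_sources(log_lines, entries):
    """Return (line_no, ip) for log lines whose source IP is not allowlisted.
    Stripe rejects such requests; seeing them at all is worth investigating,
    since it means the key is being used from somewhere you did not expect."""
    flagged = []
    for lineno, line in enumerate(log_lines, 1):
        m = SRC_RE.search(line)
        if m and not ip_allowed(m.group(1), entries):
            flagged.append((lineno, m.group(1)))
    return flagged


# Constructed allowlist using the page's example range plus one single address.
ALLOWLIST = [parse_restriction("100.10.38.1/12"), parse_restriction("203.0.113.5")]

# Constructed request-log lines (not Stripe's log format).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=100.10.38.7 status=200 path=/v1/disputes",
    "2024-05-01T10:00:05Z src=203.0.113.5 status=200 path=/v1/disputes",
    "2024-05-01T10:00:09Z src=198.51.100.9 status=401 path=/v1/disputes",
]

if __name__ == "__main__":
    print(flag_unexpected_sources(SAMPLE_LOG, ALLOWLIST))
```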

Change a secret or restricted API key’s name or note

To change the name or note text of a secret or restricted key:

  1. Open the API keys page.
  2. In the row for the key you want to change, click the overflow menu (), then select Edit key….
  3. If you want to change the name, in Key name, enter the new name.
  4. If you want to change the note text, in Note, enter the new note text.
  5. Click Save.

View the API request logs

To open the API request logs, click the overflow menu () for any key, then select View request logs. Opening the logs redirects you to the main Stripe Dashboard.


FAQs

Are API keys secure enough?

API keys aren't as secure as authentication tokens (see Security of API keys), but they identify the application or project that's calling an API. They are generated on the project making the call, and you can restrict their use to an environment such as an IP address range, or an Android or iOS app.

Are API keys considered secrets?

They are deemed secret because their exposure to unauthorized individuals or the public could lead to security breaches. If a malicious entity gains access to your secret API key, they could potentially impersonate you, gaining the ability to access or alter your data, functionality, and resources.

What happens if someone gets my API key?

On the API keys tab of your account, you have the option to revoke an API key and generate a new one.

Is it safe to email an API key?

The API key should never leave your control. Your API key should only ever be communicated between your server and OpenAI's server. If you ever send it to a client it will, with near certainty, become compromised.

What are the disadvantages of API keys?

Because API keys are often stored in insecure locations, such as code repositories, configuration files, or browser storage, they can be exposed, stolen, or shared by unauthorized parties.

Can API keys be intercepted?

The API Keys method embeds the API key directly into the header or query of the request, allowing others to see the content inserted into that request. As a result, someone can intercept the request and steal the API key.

Is it safe to store API keys in a database?

API keys, essential for digital integrations, are at risk if not managed securely. Their exposure can lead to unauthorized data access, system manipulation, financial losses, and reputational damage. To safeguard them, store keys away from code, preferably in environment variables.

Why should you hide your API key?

Data protection: API keys often provide access to sensitive and paid data or services. Failure to keep the key secret could result in malicious or unauthorized access to this data and directly increase the risk of a data breach.

When to use OAuth vs API key?

If you need to support read-only access to data, API keys may be a good option. If you need to support more granular authorization control, OAuth tokens may be a better choice.

Is it OK to expose an API key?

Exposed keys can lead to significant data exfiltration, which can be incredibly damaging to the organization's economic stability and the user's trust in the product.

Does an API answer your requests?

An API works by requesting information from a server and then receiving a response. The communication channel that APIs use to send a request and specify where a given resource resides is known as an endpoint.

Is it safe to share an OpenAI API key?

Your API key is intended to be used by you. Sharing API keys is against the Terms of Use. As you begin experimenting, you may want to expand API access to your team. OpenAI does not support the sharing of API keys.

Can I use someone else's API key?

Using someone else's API key is not good, but it is not a serious security breach. The API key lets the provider identify (most likely) who is making an API call so they can limit the number of requests you can make. Identity is important here to keep service volume under control.

What is an API key in ChatGPT?

Every OpenAI account has a security API key that can be used to integrate third-party tools and access OpenAI APIs, such as their client API libraries for ChatGPT (chatbot conversations), DALL-E (OpenAI's AI art generator, which creates images from detailed text descriptions), and Whisper, a speech- ...

Are API keys private?

There are two main types of API keys. Public API keys are usually generated by the owner of the application and made available to developers or users; they allow developers to access public data or features of an application. Private API keys are used in server-to-server communications.

Is OAuth more secure than an API key?

While the API key mechanism is easy and well understood, OAuth provides an alternative solution that is considered more secure and better suited to supporting a large number of users.

Do API keys need to be kept private?

Keep this key confidential, as it can be misused if shared or stolen. Unauthorized data access and system manipulation: exposed API keys can lead to serious security risks, such as unauthorized access to sensitive data, system functionalities, and proprietary business information.

How secure is an API?

Because APIs expose application logic, resources and sensitive data, including personally identifiable information (PII), they have become a target for attackers. If attackers are able to access unprotected APIs, they can disrupt business, access or destroy sensitive data, and steal property.

Can someone else use my API key?

To keep your account secure, we recommend that you don't share your API key with anyone. Instead of sharing your key, you can invite teammates to be part of your organization account through the Members page. When they join, they'll get access to their own API key, which will keep your account even safer.

Article information

Author: Catherine Tremblay

Last Updated:

Views: 5951

Rating: 4.7 / 5 (67 voted)

Reviews: 82% of readers found this page helpful
