Redact Stripe API Keys

Detect and redact Stripe publishable keys, secret keys, and restricted keys from code and configuration. Prevent unauthorized charges and financial data access.

Platform-Specific

Detailed Explanation

Redacting Stripe API Keys

Stripe API keys control access to payment processing functionality. A leaked Stripe secret key can allow an attacker to create charges, issue refunds, access customer payment data, and manipulate your financial operations. Stripe key leaks are among the most financially damaging credential exposures.

Stripe Key Types

Stripe uses a clear prefixed format for all key types:

Key Type                 Test Prefix   Live Prefix   Risk Level
Publishable Key          pk_test_      pk_live_      Low (public by design)
Secret Key               sk_test_      sk_live_      Critical
Restricted Key           rk_test_      rk_live_      High
Webhook Signing Secret   whsec_        whsec_        Medium

Detection Patterns

(sk_live_|sk_test_|pk_live_|pk_test_|rk_live_|rk_test_|whsec_)[A-Za-z0-9]{20,}

The prefixed format makes Stripe keys extremely reliable to detect. The sk_live_ prefix is the highest priority for redaction because it grants full API access in production.

Why Live vs. Test Matters

Test keys (sk_test_, pk_test_) operate against Stripe's test environment and cannot process real payments. However, they should still be redacted because:

  • They may reveal your Stripe account structure
  • An attacker with test keys can enumerate your products, prices, and webhooks
  • Test and live keys often appear together, increasing the chance of live key exposure

Common Leak Scenarios

  • Frontend code — Publishable keys are meant to be public, but sometimes sk_live_ is mistakenly used in client-side code
  • Environment files — .env files committed to version control
  • Server logs — API error responses that include the key used for the request
  • Support tickets — Developers pasting configuration to troubleshoot payment issues

# Before redaction
STRIPE_SECRET_KEY=sk_live_51OxkDjVfS3kmB7aN2Xt4s8Ye
STRIPE_PUBLISHABLE_KEY=pk_live_51OxkDjVfS3kmB7aN2Xt4s8Yf
STRIPE_WEBHOOK_SECRET=whsec_MbXkCaOHZr5VsMCjqNEbK7dW

# After redaction
STRIPE_SECRET_KEY=[REDACTED_STRIPE_KEY]
STRIPE_PUBLISHABLE_KEY=[REDACTED_STRIPE_KEY]
STRIPE_WEBHOOK_SECRET=[REDACTED_STRIPE_WEBHOOK]
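The detection pattern and the before/after placeholders above, put together as a small redactor. This is an added example, not the Secret Redactor's own code; the sample .env content is constructed, and the risk levels are taken from the key-type table.

```python
import re

# Detection pattern from the page: a Stripe prefix followed by 20+ alphanumerics.
STRIPE_KEY_RE = re.compile(
    r"(sk_live_|sk_test_|pk_live_|pk_test_|rk_live_|rk_test_|whsec_)[A-Za-z0-9]{20,}"
)

# Risk level per key type, as in the table above (keyed on the two-letter type).
RISK_BY_TYPE = {"pk": "Low", "sk": "Critical", "rk": "High", "wh": "Medium"}


def placeholder_for(prefix: str) -> str:
    """Webhook signing secrets get their own placeholder; every other key type shares one."""
    return "[REDACTED_STRIPE_WEBHOOK]" if prefix == "whsec_" else "[REDACTED_STRIPE_KEY]"


def risk_for(prefix: str) -> str:
    """Map a matched prefix (e.g. 'sk_live_') to the table's risk level."""
    return RISK_BY_TYPE[prefix[:2]]


def redact_stripe_keys(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Replace each Stripe key with its placeholder.

    Returns (redacted_text, findings) where findings is a list of
    (prefix, risk_level) so a caller can alert on sk_live_ separately.
    """
    findings: list[tuple[str, str]] = []

    def _sub(match: re.Match) -> str:
        prefix = match.group(1)
        findings.append((prefix, risk_for(prefix)))
        return placeholder_for(prefix)

    return STRIPE_KEY_RE.sub(_sub, text), findings


# Constructed sample .env content; the key bodies are made-up values, not real keys.
# The last line checks that a short, unrelated value sharing the prefix is left alone.
SAMPLE_ENV = """STRIPE_SECRET_KEY=sk_live_51OxkDjVfS3kmB7aN2Xt4s8Ye
STRIPE_PUBLISHABLE_KEY=pk_live_51OxkDjVfS3kmB7aN2Xt4s8Yf
STRIPE_WEBHOOK_SECRET=whsec_MbXkCaOHZr5VsMCjqNEbK7dW
APP_NAME=sk_live_store
"""

if __name__ == "__main__":
    redacted, findings = redact_stripe_keys(SAMPLE_ENV)
    print(redacted)
    if any(prefix == "sk_live_" for prefix, _ in findings):
        print("Live secret key found: roll it in the Stripe dashboard")
```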

Stripe's Response to Leaks

Stripe monitors GitHub and other public sources for leaked keys. If they detect an exposed live secret key, they may send a notification, but they do not automatically revoke it. You must manually roll the key in the Stripe dashboard.

Use Case

An e-commerce development team is migrating their payment integration from one Stripe account to another. During the migration, configuration files containing both old and new Stripe keys are being passed between team members. The Secret Redactor ensures that when these configs are shared in documentation or chat, no live Stripe keys are exposed.
