What happens if my Stripe key leaks?
An attacker with your Stripe secret key can issue refunds to their own cards, pull customer metadata, and create fraudulent charges. Stripe's fraud detection catches about 70% within hours, but the remainder can cost thousands before discovery. Revoke + contact Stripe Support immediately.
Impact depends on the key type:
- Publishable key (pk_live_): safe to expose; it is designed to ship client-side.
- Restricted key (rk_live_): limited scope; damage is bounded by the permissions granted to it.
- Secret key (sk_live_): full access. Worst case.
Attacker workflow with a leaked sk_live_ key:
1. Validate via `sk_live_...` against the Stripe API
2. Inspect account and customers
3. Refund charges to attacker-owned cards
4. Pull PAN last-4 and billing addresses for downstream fraud
5. Create test-mode data to confuse your audit
Recovery:
1. Dashboard → Developers → API Keys → Roll key
2. Update every environment
3. Contact Stripe Support for a fraud audit (they honor reversal within 7 days)
4. Migrate to restricted keys everywhere possible
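The key-type triage above (publishable vs. restricted vs. secret) and recovery step 4 (migrate to restricted keys) both come down to knowing which Stripe keys are sitting in your code and configs. The following is an added example, not Stripe's tooling or code from the original answer: a small pre-commit/CI scanner that finds Stripe-shaped keys, grades each by prefix using the severity ordering the answer gives, redacts them for reporting, and returns a non-zero exit code when a live secret or restricted key is present. The regex shape (prefix, mode, 16+ alphanumerics), the severity table, and the sample files are assumptions constructed for the example; the sample keys are obviously fake placeholders.

```python
import re
from dataclasses import dataclass

# Assumed key shape: kind_mode_body with 16+ alphanumerics. Real Stripe keys are
# longer (24+ chars after the prefix), so this is deliberately permissive.
STRIPE_KEY_RE = re.compile(
    r"\b(?P<kind>sk|rk|pk)_(?P<mode>live|test)_(?P<body>[0-9A-Za-z]{16,})\b"
)

# Severity by prefix, following the answer's triage: sk_live_ is full access,
# rk_live_ is bounded by its grants, pk_live_ is designed to be public.
# Test-mode keys move no real money but are still worth rotating (assumed grades).
SEVERITY = {
    ("sk", "live"): "critical",
    ("rk", "live"): "high",
    ("pk", "live"): "info",
    ("sk", "test"): "medium",
    ("rk", "test"): "low",
    ("pk", "test"): "info",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    mode: str
    severity: str
    redacted: str


def redact(key: str) -> str:
    """Keep the prefix and last 4 chars so a finding is identifiable without re-leaking it."""
    prefix, body = key.rsplit("_", 1)
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per Stripe-shaped key in `text`, graded by prefix."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in STRIPE_KEY_RE.finditer(line):
            kind, mode = m.group("kind"), m.group("mode")
            findings.append(
                Finding(path, line_no, kind, mode, SEVERITY[(kind, mode)], redact(m.group(0)))
            )
    return findings


def should_block(findings, block_on=("critical", "high", "medium")) -> bool:
    """Gate a commit/build: any finding at or above the chosen severity fails it."""
    return any(f.severity in block_on for f in findings)


# Constructed sample inputs standing in for files in a repository. The keys are
# fake placeholders shaped like Stripe keys; the pk_live_ one is expected to pass.
SAMPLE_FILES = {
    "web/checkout.js": "const stripe = Stripe('pk_live_EXAMPLE00000000000000001');\n",
    ".env": "STRIPE_SECRET_KEY=sk_live_EXAMPLE00000000000000002\n"
            "STRIPE_RK=rk_live_EXAMPLE00000000000000003\n",
    "README.md": "Use a key like sk_test_EXAMPLE00000000000000004 locally.\n",
}


def scan_files(files=SAMPLE_FILES) -> list[Finding]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    found = scan_files()
    for f in found:
        print(f"{f.severity:8} {f.path}:{f.line_no} {f.kind}_{f.mode}_ {f.redacted}")
    raise SystemExit(1 if should_block(found) else 0)
```

Run it as a pre-commit hook or CI step over the real tree (replace `SAMPLE_FILES` with a walk of your checkout); a `critical` hit on a committed `.env` is exactly the situation the recovery steps above are for, so roll that key rather than just deleting the line, since git history still carries it.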