What's the blast radius of a leaked Stripe key?

Short answer

sk_live_: full API access to the account. Whoever holds it can create charges, issue refunds, and read customer and payment data. Roughly 70% of the resulting fraud is caught by Stripe's fraud tooling within hours; the remaining 30% goes through. Documented losses range from $1K to $50K before the key is rotated.

An sk_live_ key is the credential itself, so nothing is "bypassed": every request it authenticates is authorized as far as Stripe is concerned. In practice the attacker can create charges (card testing against stolen numbers is the usual abuse, and the burst of small charges and declines it produces is what Stripe's fraud detection is most likely to catch), issue refunds (refunds return to the original payment method, so the loss is revenue rather than a direct transfer to the attacker), read customer records and card metadata (brand, expiry, last 4; Stripe never returns the full PAN), and page through the entire charge and customer history via the list endpoints, not just the last 90 days. A live key cannot create test-mode objects, but anything it creates in live mode is indistinguishable from legitimate activity in the audit trail, so scoping the incident means filtering by time and request, not by object type.

Defense: roll the key immediately (dashboard.stripe.com → Developers → API keys → Roll key), which issues a replacement and lets you expire the old key, then review charges, refunds, and customers created since the suspected exposure. Use restricted keys (rk_live_) scoped to the permissions each service actually needs; a restricted key that can only read customers cannot issue refunds. Only the publishable key (pk_live_) belongs in a NEXT_PUBLIC_ variable: a secret or restricted key placed in one is bundled into the browser and leaked by design.
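The NEXT_PUBLIC_ mistake is easy to catch before it ships. Below is an added example (not code from the original page or from Stripe) that scans dotenv-style text for Stripe keys, classifies each by its documented prefix, and flags the placements that widen the blast radius: any non-publishable key in a NEXT_PUBLIC_ variable is critical, and an unrestricted sk_live_ anywhere is a candidate for replacement with an rk_live_. It assumes the standard prefixes (sk_/rk_/pk_ followed by live/test), a key body of at least 16 alphanumeric characters, and the Next.js convention that NEXT_PUBLIC_ variables reach the client bundle; the sample .env is constructed and contains no real credentials.

```javascript
// Added example, not from the original page or from Stripe.
// Assumptions: Stripe keys use the documented prefixes (sk_|rk_|pk_)_(live|test)_,
// the key body is at least 16 alphanumeric characters, and NEXT_PUBLIC_ variables
// are bundled into client-side JavaScript (Next.js convention).

const STRIPE_KEY_RE = /\b(sk|rk|pk)_(live|test)_[A-Za-z0-9]{16,}\b/g;

// Classify a single value by prefix; returns null if it is not a Stripe API key.
function classifyStripeKey(value) {
  const m = /^(sk|rk|pk)_(live|test)_[A-Za-z0-9]{16,}$/.exec(value);
  if (!m) return null;
  const kind = { sk: 'secret', rk: 'restricted', pk: 'publishable' }[m[1]];
  return { kind, mode: m[2] };
}

// Enough of the key to match it in the dashboard, without logging the secret.
function redactKey(value) {
  return `${value.slice(0, 8)}...${value.slice(-4)}`;
}

// Grep arbitrary text (a built bundle, a log, a config) for Stripe keys.
function findStripeKeys(text) {
  return [...text.matchAll(STRIPE_KEY_RE)].map((m) => ({
    key: redactKey(m[0]),
    ...classifyStripeKey(m[0]),
  }));
}

// Minimal dotenv parser: skips blanks and comments, strips matching quotes.
function parseDotenv(text) {
  const vars = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = (value.startsWith('"') && value.endsWith('"')) ||
                   (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    vars.push({ name, value });
  }
  return vars;
}

// Audit a .env file: returns findings, most severe first.
function auditStripeEnv(text) {
  const rank = { critical: 0, high: 1 };
  const findings = [];
  for (const { name, value } of parseDotenv(text)) {
    const key = classifyStripeKey(value);
    if (!key) continue;
    const clientExposed = name.startsWith('NEXT_PUBLIC_');
    if (key.kind !== 'publishable' && clientExposed) {
      // Secret or restricted key headed for the browser bundle: leaked by design.
      findings.push({ severity: 'critical', name, key: redactKey(value),
        reason: `${key.kind} ${key.mode} key in a NEXT_PUBLIC_ variable; rotate it and move it to a server-only variable` });
    } else if (key.kind === 'secret' && key.mode === 'live') {
      // Server-side but unrestricted: a leak grants the whole blast radius.
      findings.push({ severity: 'high', name, key: redactKey(value),
        reason: 'unrestricted live secret key; prefer an rk_live_ key scoped to what this service needs' });
    }
  }
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed sample .env; these are not real credentials.
const SAMPLE_ENV = [
  '# constructed sample, not real credentials',
  'NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_EXAMPLEpublishable0000000',
  'NEXT_PUBLIC_STRIPE_KEY="sk_live_EXAMPLEsecretLEAKED00000"',
  'STRIPE_SECRET_KEY=sk_live_EXAMPLEsecretServer000000',
  'STRIPE_RESTRICTED_KEY=rk_live_EXAMPLErestricted0000000',
  'STRIPE_WEBHOOK_SECRET=whsec_notAnApiKey00000000000',
].join('\n');

console.log(JSON.stringify(auditStripeEnv(SAMPLE_ENV), null, 2));
```

On the sample above the audit reports the NEXT_PUBLIC_STRIPE_KEY line as critical and the server-side sk_live_ as high; the publishable key in NEXT_PUBLIC_ and the rk_live_ on the server produce no findings. findStripeKeys is the same check applied to a built bundle or log file, which is where a key that slipped through an env audit actually surfaces.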
