My Stripe test key is in production — payments are failing for real customers


Real customers can't pay because your live deploy uses sk_test_. 5-minute fix + the env-var hygiene that prevents this from happening again.

Customer email: 'I can't check out — keeps failing.' You test the flow yourself in production. Stripe error: 'You provided a test API key in live mode.' You realize you copied your `.env.local` straight into production env vars 3 weeks ago + never noticed because no one else had checked out yet.

What happens next

  1. Minute 0 — confirm

    Open your Vercel / Netlify / Fly env vars. Confirm STRIPE_SECRET_KEY starts with sk_test_ and that there is no separate sk_live_ value scoped to production. While you are there, list everything else that came over from `.env.local`: the publishable key (pk_test_) and the webhook signing secret usually travel in the same copy-paste, and replacing only the secret key leaves checkout broken.

  2. Minute 0-5 — rotate

    Get sk_live_ from Stripe Dashboard → API Keys (or, better, create a restricted rk_live_ key with only the permissions the app uses). Set it in production env vars (Sensitive flag if Vercel; secret-encrypted on Fly/Railway/Netlify). Swap the browser-side publishable key to pk_live_ in the same change: the two must be in the same mode, because the card is tokenized under the publishable key and confirmed under the secret key. Redeploy.

  3. Minute 5-15 — verify

    Test the full checkout flow yourself with a real card, then refund it. Confirm the webhook handler uses the signing secret of the live-mode endpoint: whsec_ values look identical in test and live mode, so you cannot tell from the value alone; open the endpoint in the live dashboard and compare. Confirm the payment lands in the Stripe live dashboard, not in test mode.

  4. Hour 0-24 — customer recovery

    Reach out to customers whose checkouts failed in the past 3 weeks. Depending on which keys were mixed, those attempts either sit in the test-mode dashboard or never created an object in Stripe at all, so pull the list from your own server logs and checkout-started events rather than relying on the dashboard. Offer them the chance to retry; some will, some won't.

Without Securie

You manually audit env vars per platform. You hope you caught everything. Next time you deploy to a new platform you make the same mistake.

With Securie

Securie's secret_scanner specialist's live_validate step distinguishes sk_test_ from sk_live_ + flags any sk_test_ in a production-tagged env var as a critical finding. The cors_misconfig + auth specialists catch the related class of dev-config-shipped-to-prod bugs.

Exactly what to do right now

  1. Set sk_live_ in production env vars (Vercel: scope to Production environment + flag Sensitive)
  2. Use restricted keys when possible (rk_live_) — scoped to the API resources and read/write permissions the app actually needs, so a leaked key can do less
  3. Test the full checkout flow as part of every deploy, and fail the build before it ships if a production-tagged env var carries a test-mode prefix
  4. See /templates/env-var-hygiene for the per-platform setup
  5. Set Stripe spend cap as a backstop against runaway usage
  6. Subscribe to Stripe's webhook delivery alerts to catch silent failures
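The confirm step above and items 1-3 here amount to one check: every Stripe credential in a production-tagged environment must be live mode, the secret and publishable keys must agree on mode, and a restricted key is preferred. The script below is an added example of that check as a build-step guard; it is not Securie's code or Stripe's. It assumes Vercel-style environment names (`production`, `preview`, `development`) and the variable names `NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY` and `STRIPE_WEBHOOK_SECRET`, though it classifies by value prefix so any variable name works. The sample env objects are constructed with placeholder values, not real keys.

```javascript
// Added example, not Securie's code: a pre-deploy guard that refuses to ship
// Stripe test-mode credentials (or mixed-mode credentials) into production.
// Only key prefixes are inspected; values are never printed.
//
// Prefixes: sk_ = standard secret, rk_ = restricted secret, pk_ = publishable
// (browser-side), whsec_ = webhook signing secret. sk/rk/pk encode the mode
// in their second segment; whsec_ does not, so it can only be flagged for review.

function classifyStripeKey(value) {
  if (typeof value !== 'string') return null;
  const m = /^(sk|rk|pk)_(test|live)_\w+$/.exec(value);
  if (m) return { kind: m[1], mode: m[2] };
  if (/^whsec_\w+$/.test(value)) return { kind: 'whsec', mode: 'unknown' };
  return null;
}

// env: plain object of name -> value (pass process.env in a real build step).
// deployEnv: 'production' | 'preview' | 'development' (Vercel's VERCEL_ENV values, assumed).
// Returns findings as { severity, var, message }, severity 'critical' | 'warning' | 'info'.
function auditStripeEnv(env, deployEnv) {
  const findings = [];
  const isProd = deployEnv === 'production';
  const byKind = { sk: [], rk: [], pk: [], whsec: [] };

  for (const [name, value] of Object.entries(env)) {
    const key = classifyStripeKey(value);
    if (!key) continue;
    byKind[key.kind].push({ name, mode: key.mode });

    if (isProd && key.mode === 'test') {
      findings.push({
        severity: 'critical', var: name,
        message: `${key.kind}_test_ value in a production environment; Stripe will reject real customers`,
      });
    }
    if (key.kind === 'whsec') {
      findings.push({
        severity: 'warning', var: name,
        message: 'whsec_ does not encode mode; confirm it belongs to the live-mode endpoint in the dashboard',
      });
    }
  }

  const secrets = [...byKind.sk, ...byKind.rk];
  if (isProd && secrets.length === 0) {
    findings.push({ severity: 'critical', var: '(none)', message: 'no Stripe secret key set for production' });
  }

  // Mixed modes fail even outside production: the browser tokenizes the card under
  // the publishable key's mode and the server confirms it under the secret key's.
  const modeKeys = [...secrets, ...byKind.pk];
  if (new Set(modeKeys.map((k) => k.mode)).size > 1) {
    findings.push({
      severity: 'critical',
      var: modeKeys.map((k) => k.name).join(', '),
      message: 'secret key and publishable key are in different modes',
    });
  }

  if (isProd && byKind.sk.length > 0 && byKind.rk.length === 0) {
    findings.push({
      severity: 'info', var: byKind.sk[0].name,
      message: 'standard secret key in production; prefer a restricted rk_live_ key scoped to what the app needs',
    });
  }
  return findings;
}

function hasCritical(findings) {
  return findings.some((f) => f.severity === 'critical');
}

// Constructed sample values (placeholders, not real keys). The first object is
// the `.env.local` contents the story describes being pasted into production.
const shippedFromEnvLocal = {
  STRIPE_SECRET_KEY: 'sk_test_000000000000000000000000',
  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: 'pk_test_000000000000000000000000',
  STRIPE_WEBHOOK_SECRET: 'whsec_000000000000000000000000',
  DATABASE_URL: 'postgres://app@db/app',
};
const correctedProdEnv = {
  STRIPE_SECRET_KEY: 'rk_live_000000000000000000000000',
  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: 'pk_live_000000000000000000000000',
  STRIPE_WEBHOOK_SECRET: 'whsec_000000000000000000000000',
};

for (const [label, env] of [['pasted .env.local', shippedFromEnvLocal], ['corrected', correctedProdEnv]]) {
  const findings = auditStripeEnv(env, 'production');
  console.log(`${label}: ${hasCritical(findings) ? 'BLOCK DEPLOY' : 'ok'}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.var}: ${f.message}`);
}
```

To wire it into a deploy, call `auditStripeEnv(process.env, process.env.VERCEL_ENV)` from a build script and `process.exit(1)` when `hasCritical` is true; the pasted `.env.local` sample fails on two critical findings (sk_test_ and pk_test_) and the corrected env passes with only the whsec_ reminder, which is the one thing a prefix check cannot settle for you.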