Skip to content

Stripe API Key

Service Name: Stripe

Service Description: Stripe is a technology company that builds economic infrastructure for the internet. Businesses of every size use Stripe's software to accept payments and manage their businesses online.

Service Address: https://stripe.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured in the Stripe Dashboard under API Keys settings.

Secret Access Scope: Grants access to Stripe's API for processing payments, managing customers, subscriptions, invoices, and other Stripe resources. The scope depends on the key type (publishable or secret) and the permissions assigned to it.

Secret Revokement URL: https://dashboard.stripe.com/apikeys

Secret Example: sk_test_51NXhT8JHMbHBKBu1PNHtatQ2veJlmHK5PhwQGAr7LWXyR9tNF7hTEZQOy

Suspicious Activity Investigation Instructions:

  • Review the Stripe Dashboard for unusual payment activity or API requests.
  • Check the API request logs in the Stripe Dashboard for unauthorized access patterns.
  • Monitor for unexpected changes to payment methods, customer data, or subscription settings.
  • Review webhook configurations for any unauthorized endpoints.
  • Check for unusual refunds or chargebacks that might indicate fraudulent activity.

Mitigation Instructions:

  • Log in to your Stripe Dashboard at https://dashboard.stripe.com/
  • Navigate to Developers > API keys
  • Locate the compromised API key
  • Click "Revoke" next to the key
  • Create a new API key with appropriate restrictions
  • Update your applications with the new API key
  • Consider implementing restricted keys with limited permissions
  • Enable webhook signatures for added security
  • Review and update any integrations that were using the old key