API Key
An API key is the credential your code uses to authenticate with Stripe; keys come in publishable, secret, and restricted types across test and live mode.
An API key is the secret credential your application sends with every Stripe request to prove who it is. It tells Stripe which account the call belongs to and what it's allowed to do. Guarding these keys is the foundation of Stripe security — anyone holding a secret key can act as your account.
The three key types
Stripe issues three kinds of key, each with a recognizable prefix:
- Publishable key (
pk_) — safe to include in client-side code. It can only do low-risk things like tokenizing a card in the browser; it can't read or move money. - Secret key (
sk_) — full server-side access. It authenticates privileged calls and must never appear in client code or a public repo. - Restricted key (
rk_) — a scoped server-side key. When you create one you choose exactly which resources it can read or write, limiting the damage if it leaks.
Test vs live keys
Every key is tied to a mode. Test-mode keys contain _test_ (e.g. sk_test_...) and touch only simulated data; live-mode keys contain _live_ and process real money. The two are fully separated, so a test key can never accidentally charge a real customer.
Keeping keys safe
- Store secret keys in environment variables or a secrets vault — never in the browser, a mobile app, or version control.
- Prefer restricted keys for services that only need part of your account.
- Roll (regenerate) a key immediately if it's ever exposed.
Not every integration hands over a raw secret key. ChargeBell connects through Stripe's official OAuth flow with read-only access, so it can see payment events without you sharing a secret key or granting any ability to move money.
Related terms
Updated July 6, 2026