Secure Stripe credentials for production
Stripe secret keys have direct access to your payment data. Host-bind them so they're worthless if leaked from your codebase or deployment.
Which Stripe keys to protect
- Secret keys (`sk_live_...`): direct API access - highest risk. Protect with KeyVault Edge.
- Restricted keys: scope-limited but still real credentials. Worth protecting.
- Publishable keys: intentionally public - no need to protect.
- Webhook signing secrets: used for signature verification - store in a secret manager.
Setup
1. Create a Stripe token in the dashboard
   Go to Tokens → New Token, select Stripe as the provider. Paste your `sk_live_...` key. Add your authorised origins.
2. Update your environment
   `.env`:
   ```
   STRIPE_SECRET_KEY=kve_hb_...your_sanitized_token
   STRIPE_BASE_URL=https://stripe.keyvaultedge.com
   ```
3. Update your Stripe client initialization
   `stripe.ts`:
   ```ts
   import Stripe from "stripe";

   export const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
     apiVersion: "2024-10-28.acacia",
     // Route requests through the KeyVault Edge host when the base URL is set;
     // otherwise the SDK falls back to api.stripe.com.
     host: process.env.STRIPE_BASE_URL
       ? new URL(process.env.STRIPE_BASE_URL).hostname
       : undefined,
   });
   ```
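The snippet above passes only the hostname and trusts that both variables are set consistently. The helper below is an added example, not KeyVault Edge's or Stripe's own code: it builds the client options from the same two variables, also carries an explicit port, requires TLS, and fails at startup when a `kve_hb_` token is set without the proxy URL or a raw Stripe key is still present alongside it. `buildStripeClientOptions` and the `proxy.example.test` host in the test are assumed names.

```typescript
type StripeClientOptions = {
  apiKey: string;
  host?: string;
  port?: number;
  protocol?: "https" | "http";
};
type Env = Record<string, string | undefined>;

// "kve_hb_" is the KeyVault Edge token prefix from the .env above; the
// sk_/rk_ prefixes are Stripe's own secret and restricted key prefixes.
const PROXY_PREFIX = "kve_hb_";
const RAW_PREFIXES = ["sk_live_", "sk_test_", "rk_live_", "rk_test_"];

// Returns the options to spread into `new Stripe(apiKey, { apiVersion, ...rest })`.
export function buildStripeClientOptions(env: Env): StripeClientOptions {
  const apiKey = env.STRIPE_SECRET_KEY;
  if (!apiKey) throw new Error("STRIPE_SECRET_KEY is not set");
  const baseUrl = env.STRIPE_BASE_URL;
  const isProxyToken = apiKey.startsWith(PROXY_PREFIX);
  const isRawKey = RAW_PREFIXES.some((p) => apiKey.startsWith(p));

  // A host-bound token only works through the proxy; against api.stripe.com
  // every call would be rejected, so fail at startup instead of at checkout.
  if (isProxyToken && !baseUrl) {
    throw new Error("kve_hb_ token set but STRIPE_BASE_URL is missing");
  }
  // A raw Stripe key next to the proxy URL means the real secret is still
  // shipped with the deployment, which is what host-binding is meant to avoid.
  if (isRawKey && baseUrl) {
    throw new Error("raw Stripe key combined with STRIPE_BASE_URL; use the kve_hb_ token");
  }
  if (!baseUrl) return { apiKey }; // plain Stripe setup, SDK defaults apply

  // The inline snippet above only passes hostname; also carry an explicit
  // port and insist on TLS so the token is never sent in the clear.
  const url = new URL(baseUrl);
  if (url.protocol !== "https:") {
    throw new Error(`STRIPE_BASE_URL must be https, got ${url.protocol}`);
  }
  return {
    apiKey,
    host: url.hostname,
    ...(url.port ? { port: Number(url.port) } : {}), // "" means default port
    protocol: "https",
  };
}
```

Wire it in with `const { apiKey, ...rest } = buildStripeClientOptions(process.env);` followed by `new Stripe(apiKey, { apiVersion: "2024-10-28.acacia", ...rest })`.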
Production considerations
Stripe's idempotency keys and webhook endpoints are unaffected - these pass through the proxy unchanged. Stripe Connect and OAuth flows use the publishable key and do not require proxying.
For restricted keys (e.g., read-only for analytics), the same setup applies - replace the key value, add the base URL override.