#CheckMate - PK and client secret
There aren't a lot of things you can do with just those 2 things and there are many mitigation strategies for blocking anything from happening when a bad actor is involved
I see there are rate limiters, but if someone does this, then my rate limit will be exhausted as he is using my API keys. How does Stripe block that?
Also, can you please brief me about what other strategies there are other than rate limiters? Just curious to know.
Pretty much all the mitigation strategies here will be applicable: https://stripe.com/docs/disputes/prevention/card-testing#prevent-card-testing
The client secret is not a single, generic secret; it is tied to one specific PaymentIntent. Similarly, the publishable key has to be matched on the backend with the secret key, and is mostly used for reads, not writes.
(I don't work for Stripe)
These aren't really the API keys; they are specifically designed for limited use by the front-end.
If you have any further questions about this, please let me know and I can take over for two shoes.
Yup, I know they aren't really the API keys, but these keys can be used to call the Stripe server.
My rate limit gets exhausted because of that.
As noted in the mitigations here, you may want to consider some authentication or anti-fraud measures prior to creating a PaymentIntent.
It depends on the nature of your issue; we discuss mitigations broadly on that page.
You need to protect your own API endpoints, especially those that might be abused:
https://stripe.com/docs/disputes/prevention/card-testing#implement-controls
Endpoints targeted by card testers typically allow them to do one of the following:
Attach a card to a customer.
Make a payment.
Adding security restrictions to endpoints that expose this functionality will help you prevent or mitigate card testing.