#Thibaut
What do you mean somebody is using your API key?
If this is not something you expect you should consider that key leaked and roll it immediately:
https://stripe.com/docs/keys#rolling-keys
You can do that here: https://dashboard.stripe.com/apikeys
Note this will require you to change the keys in your live apps
I'm working with Thibaut. To provide more information, the hacker uses our publishable API key (which is accessible on the frontend of our app). So, he is able to make a large number of requests with this key, which triggers the rate limit.
We are comfortable rolling our key, but, as the publishable key is accessible from the browser (we use StripeElement on our frontend), the hacker will get the new key easily.
Here is an example of the request he makes:
POST /v1/payment_intents/pi_3McnnaFgrf8fsEG40rc8t3Bz/confirm
Can you share that request ID?
req_Qbh5vvuGivTBta
req_12345
So this also requires the PI client_secret -- you need to prevent abuse of any endpoints that expose these:
https://stripe.com/docs/disputes/prevention/card-testing#implement-controls
i.e., require authentication in order to get your backend to supply a PI + client secret
or using captchas etc
Recaptcha will not be sufficient because the hacker makes just one payment on our application, then uses the same paymentIntent for all the calls.
But, I will take a look at what you said about the client_secret protection.
One more question: if we protect all the client_secrets of the paymentIntents, what will prevent the hacker from making HTTPS calls to the Stripe API with older paymentIntents?
Thanks for your answer! Somebody is here?
No, but you can explicitly /cancel those payment intents
Then further confirm calls will not be processed
You can also implement e.g. IP address blocks to stop them from getting PIs at all. If you have authentication in place you can more tightly control when PIs are created and provided.