#bhanu365
Hey! Bit of a broad question! Is there a specific use case you're trying to account for?
Because in general you need to use the secret key in your backend, and protect your backend/server access like you protect any sensitive data (e.g. database, credentials, deploy keys...)
This is something that strongly depends on your integration.
Here I have passed the secret key, and if I remove it from here then I am getting an error.
We've got a lot of fake charges.
The payment_intent.clientSecret can be shared with the customer that is paying
It's used client-side with your publishable key. At the beginning I thought you were talking about your Stripe secret key.
Here is how you can use payment_intent.client_secret:
https://stripe.com/docs/api/payment_intents/object#payment_intent_object-client_secret
Ahh correct, this is payment_intent.clientSecret
But how are scammers creating fake charges, and how can we prevent it?
You can refer to this guide and check our recommendations in order to prevent card testing:
https://stripe.com/docs/disputes/prevention/card-testing
You can implement CAPTCHA, rate limiting in your integration...
https://stripe.com/docs/disputes/prevention/card-testing#captcha
But we have implemented a destination charge model, and these fraud payments do not look like the destination charge model.
Can you share a request ID?
pm_1MfIljFmM52WOkSo0uvGnprO
This is a PaymentMethod ID.
Can you share the ID (req_xxx) of the failing API request?
https://support.stripe.com/questions/finding-the-id-for-an-api-request
req_OeFjjAd1RrkZWI
req_15SqLxg7jLHIud
I don't know how they are creating such charges.
We are getting hundreds of charges like that
This request req_OeFjjAd1RrkZWI was created from your Python backend. You need to check your integration.
If you are not sure how this was done, simply roll your secret key and create a new one. Make sure that it's protected and not shared publicly.
https://stripe.com/docs/keys#rolling-keys
But we haven't shared it before either, so how do they know our secret key?
Not sure, this is related to your environment.
Can anyone create a charge via the publishable key?
See in the screenshot: we are using the publishable key in the JS code.
That's why I am asking.
Hi! I'm taking over this thread.
Can anyone create a charge via the publishable key?
You mean create a Charge object directly with the API? https://stripe.com/docs/api/charges/create
Yes, because we've got a lot of fake charges and our account has now been suspended.
If we roll our secret key, we don't want this to happen again in the future.
I just want to know how they are creating these kinds of fake charges and how we can prevent it.
Can you share an example of a "fake charge"?
I already sent it above.
This request https://dashboard.stripe.com/logs/req_OeFjjAd1RrkZWI was created on the backend with a secret key. If you didn't do this request, then you need to make sure to roll your secret API key in the dashboard.
And make sure to keep your secret key safe in the future.
But I am still confused about how they know our Stripe secret key, even though we never shared it with anyone.
First, are you sure your code didn't create this request? And if you are sure, it means someone got access to your secret key somehow, but we have no idea how.
Yes, I am pretty sure we never did this, and we are using the destination charge model, but these charges are separate charges, I think.
The request above is not a Connect request, it's just a regular PaymentIntent created on your account directly.