#max-plugin-design


simple sunBOT
silent zodiac

@bleak radish I'm happy to try and help but I'm no expert at security. I don't really understand what you described exactly but Stripe has 2 types of API keys:

  • A Publishable API key pk_test_123 that is designed to be exposed client-side such as in a browser or mobile app and can do limited operations such as collecting payment method details
  • A Secret API key sk_test_123 that is designed to be stored securely server-side and do most operations (Create a Customer, a Refund, etc.)

bleak radish

Hi! Thank you. So I built a plugin. It's a simple form that takes in information related to ad space for a local company. They want the advertiser to be able to pay in the same form that they submit their request. So in setting up the Stripe integration into the form I can set up the Stripe form itself and set the processing of the form in the same server-side processing page as the rest of the form. But I am not sure where I should store my secret API key to keep it secure. I have been reading and it seems I have options like storing it encrypted in the database, or in the config.php file, or as an environment variable, which I am limited on because of my host, or in an env file outside my root directory, but every time I try to create a new directory outside my public_html directory on this host I am denied access.

silent zodiac

Okay, so you are the developer here and control the server? It's not code someone else downloads and installs locally on their own machine?