#flamegecko_best-practices
Hmm, are you sure it's not the secret key we've emailed you about?
pk_live_......
and they have rolled that key, our secret key is still the same and working
and I'm confused 🙂
What's your acct_xxx ID?
is that visible on the portal?
acct_1MdbKEFH2nmiJiu2
Looking
thanks
FYI, this is the email:
Hello,
Our monitoring tools indicate that your API key, pk_live_...7sUy, is likely accessible on the internet, and that a third party might have used it to create unauthorised charges on your Stripe account. Although nobody can use your secret keys to log into Stripe, a fraudulent actor can use them to charge cards on your account's behalf. Because of their sensitive nature, handle them like your password, and protect them in an equally secure manner.
To protect your account, rotate the impacted API key as soon as possible. We'll automatically expire your API key in 48 hours if you don’t take action before then.
Although we don't currently have evidence that a third party accessed your account with your previous key, we recommend that you audit requests made by your API keys to make sure nobody accessed your data in an unauthorised way.
OK, I can see the email. Never seen that sent for a pk_live_xxx key
and I'm not going mad, pk_live is supposed to be accessible on the internet
I suspect that it's less that it's accessible on the internet (as you say, they're designed to be) and more that we've detected potential malicious use of it (also noted in the email), so we re-roll it as a precaution
The email is poorly phrased, I agree
Hmm, ok. It would help if we could see what was considered to be malicious, and whoever was doing it can easily get the new key from the website and continue doing it. Oh well. I just hope this doesn't keep happening.
Thanks for taking a look
You'd need to speak to support about that really, given that it's all kind of confidential and this is a public forum