#boss-amp_code

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1417112799225712710

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

👋 happy to help

are you trying to test in live mode?

let's go back a few steps for a second, why are you still using Charges and Sources/Tokens? this is a deprecated no longer recommended integration

I mean, it's not my payment, the store is already implemented and I was very surprised when I saw it

It's probably not me. I don't know where these blocked payments are coming from.

I also don't know what it is - https://dashboard.stripe.com/acct_1I0aXtFH7PYR773I/payments/pi_3S7Y2kFH7PYR773I0H6giu8m

yes these seems as they're not coming from your node server

different IP address

so yeah someone is using your secret key for sure

you need to roll that key

ehh, I wonder how it got out. So I have to block it and make new ones?

yes https://docs.stripe.com/keys-best-practices#handling-leaked-keys

unless I've misconfigured something here - https://sklep.amatorkamp.pl/pl

you also should try to update your dashboard user passwords and enable 2FA

I have two-factor authentication

you're using the secret key in the front-end?

I don't think so, because it's murder 😄

mam tylko to env w stroferont

the rest of the things are on the backend side medusa js

but can you check which of these 3 secret codes is this strange use?

I removed the images and API keys you shared

please roll everything

and re-check your code

but can you check which of these 3 secret codes is this strange use?
yes sure

ending with 7wolBs

I don't use this in the store. I may have tested something with it once. I removed it immediately.

I also recommend limiting your keys to specific IP addresses https://docs.stripe.com/keys#limit-api-secret-keys-ip-address

please first things first

roll out the keys

create new ones

all of them

in the store I use the one with the tip - 8ww

this would mean that your website should be out of service

for the time of this intervention

and then you could just focus on trying to figure out where your code is using the different keys and make sure that there's no leaks

and finally change to the new keys and redeploy

I removed the other keys and kept the newest one, which uses Storefront. I had 2FA, so no one got into the dashboard. I honestly don't remember where I used the old key. Maybe on some WordPress site. I'll keep an eye on what's happening. I'll limit access to the store only from the Polish location.

Hey, taking over here. Let me know if there's any follow-up Qs I can answer!