#niraj_best-practices

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1428824500975440017

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

I'm not super technically inclined but doing my best, be gentle 🙂

Is he launching your site live?

If he's in the development stage he should only need test keys

And you should be able to give him a developer role access to your stripe account

He is going to launch it to the web, but I haven't marketed the site yet so I won't have cusomters yet.

Also, I looked at the "Developer" role but the description made me think it's equivalent to giving him my secret key: "This role is for developers who need to set up a Stripe integration. This role has access to the secret key, which grants access to almost all API resources."

It feels like I'm misunderstanding something...

Yeah he'll need the secret key for that

The secret key is what gives the sdk access to your stripe account

You can't launch an integration live without access to that

There obviously is a degree of trust here though. Because whoever has that secret key can control your stripe integration

via the api

Ok, hypothetically if he had bad intentions what could he do with it? Also, id there an option to give it to him initially until my site launches and then change it? I know I can change the key inside my Stipe account but I'm unclear on how easy it is to change it on my website.

He could do anything really. Delete all subscriptions/customers, card testing, sell it online, etc

And yeah you could roll it and create a new key, but you'd need to update it in the integration itself

Which requires a level of technical expertise

Can he withdraw funds from my bank account, or make purchases using it?

When you say that it requires a level of technical expertise, can you point me to a walkthrough video of what updating the key would entail?

I can't because it depends on how he built the integration

Yes that would be possible

I can't possibly be the first person worrying about this....what do other folks do?

I don't know we just help developers with api questions in here

I've never had to hire a freelance dev for anything

Ok, so adding him as a team member and giving him "developer" access still give him full access to my real secret key, am I 100% right about that?

Yes that's correct: https://docs.stripe.com/get-started/account/teams/roles#developer

Is there another team or department that might be better suited to helping me figure this out? Like an onboarding team or something like that?

You should probably reach out to Stripe Support

This is just the developer discord

https://support.stripe.com/contact

Can he withdraw funds from my bank account, or make purchases using it?
Also to clarify he wouldn't be able to withdraw funds from your bank account but could use it to make purchases

If you have access to an account's secret key you can fully take over the account's api integration