#shotster_api
Welcome to your new thread!
We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.
We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.
This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1430268098367193089
Have more to share? Add more details, code, screenshots, videos, etc. below.
Hello
We're aware of this and it is intentional.
So then it's not a security issue? There's no risk of sensitive info leaking in logs and such?
Is either approach equally recommended by Stripe? What's the rationale?
We generally recommend using the SDKs to make requests to our APIs.
The only risk would be if you were passing the API key in the query params which isn't something we allow.
Without the API keys, no one can access the object IDs you're passing into the parameters.
Ok, but with some no-code environments, SDKs are not an option or are far less convenient. It's easier to build an API call with the no-code tool, and I see other devs posting to Stripe endpoints using query params. It's good to know it's just as secure as the body.
...as long as the request is made from the backend instead of client-side.
Correct. You'd want to make sure the right keys are being used for the particular interface.
i.e. not using a Private/Secret API key for client-side code
Would you still say using the body is "best practice" or are both approaches equivalent from a security standpoint?
Yup. IMO the less information that gets exposed to the public eye, the better.
Ok, thanks.