#AF1oridaMan-secret-key

prisma lodge
knotty plaza
#

It's best if you use your keys as environment variables.

prisma lodge
#

Hi 👋 that depends on how your key is currently stored. If it's hardcoded into your source code, and your developer has access to that code, then yes they would be able to see it.

Your secret key should not be included in your frontend code. Frontend code should use your publishable key that is safe to disclose.

knotty plaza
#

Keeping secret keys in your source code is a bad practice.

prisma lodge
#

^ exactly!

balmy trench
#

Ok. I am planning on using Stripe Connect as the payment processor for a multivendor website. It is running using a third party plugin on WooCommerce. When you enter the Secret key there is a 'show info' icon where the developer with Admin access can see the number. I was working to create a password protected 'show info' button, so even if the admin can access the dashboard they can't see the Secret Key without the password to view it/update it. But if they can see the Secret Key in the code, it would be a waste of resources.
I know you can't speak on third party plugins. But it is hard to believe this has not been brought up before. Most website owners are not developers and hire them, how do they protect their Secret Keys?

prisma lodge
#

You're right, we can't speak to how WooCommerce's integration works or how they chose to store/display secret keys.

The secret key shouldn't be in code if it's at all avoidable, but with the information that we currently have we can't comment on whether yours is in your code.

#

Also, it's not uncommon for developers to have access to secret keys. If you don't trust your developer with your secret key then you may want to find a developer that you trust more. Alternatively you could stand up a new Stripe account to use in order to isolate your existing account from them.

balmy trench
#

Thank you.