#NickJTY - store API keys

idle tangle
#

I'm not familiar with the vault option. Can you clarify more of what that would look like?

#

It doesn't look like we have specific recommended methods to keep the keys safe as long as you keep them safe. For example, we list password managers or secrets service management services as a way to keep them safe on our site https://stripe.com/docs/keys#safe-keys

high imp
#

Hello. The vault is an Azure Key Vault. We would make an HTTP GET request to the vault from the frontend and the vault would return the key in the response body. Otherwise we could store it in our environment variables in a Node.js backend

idle tangle
#

So you have two Stripe API keys here: your publishable key and your secret key

#

Your publishable key can be sent to the client in plain text as part of the page. If you have a mobile app, it often makes sense to have a backend endpoint like you describe, that way you can roll your publishable key without having to publish a new version of your app to the store.

#

The secret key should never be sent to your client. The guidance above applies to the secret key as that should stay safe from anyone that you don't want to have control over your account.