Stripe authenticates your API requests using your account’s API keys. If you do not include your key when making an API request, or use one that is incorrect or outdated, Stripe returns an error.
Secret API keys should be kept confidential and only stored on your own servers. Your account’s secret API key can perform any API request to Stripe without restriction.
Step 1: Revoke the exposed secret.
Users with Administrator permissions can access a Stripe account’s API keys by navigating to the Developers section of the Stripe dashboard and clicking on API Keys.
If you no longer need a restricted key (or you suspect it has been compromised), you can revoke it at any time. You can also edit the key to change its level of access.
Step 2: Clean the git history.
Updated 2 months ago