Why You Need Stripe API Keys
Stripe API keys are essential for connecting your website or application to Stripe's payment processing infrastructure. Whether you're building an e-commerce store, a SaaS subscription platform, or a simple donation page, you'll need both Test and Live keys to develop and deploy your integration.
Test keys let you simulate transactions without moving real money, while Live keys process actual payments. This guide walks you through retrieving both sets of keys from your Stripe Dashboard.
💡 Quick Tip
Always start development with Test keys. Switch to Live keys only when you're ready to accept real payments.
Step 1: Log in to Stripe
- Go to dashboard.stripe.com
- Sign in with your Stripe account credentials.
- If you don't have an account yet, click "Sign up" to create one — it's free.
Step 2: Navigate to API Keys
Once you're in the Stripe Dashboard:
- Look at the left sidebar and click "Developers".
- Then click "API keys" from the submenu.
You'll now see a page listing your API keys. This is where you'll find both your Publishable key and Secret key.
📍 Navigation path: Dashboard → Developers → API keys
Step 3: Retrieve Your Test Keys
Test keys allow you to simulate payments without processing real transactions. Here's how to get them:
- At the top right of the dashboard, toggle "Test mode" to ON.
- You will now see your test keys displayed:
  - Publishable key — starts with pk_test_
  - Secret key — starts with sk_test_
- Click "Reveal test key" to view the full Secret key.
✅ What to copy
- Test Publishable Key (pk_test_...)
- Test Secret Key (sk_test_...)
Step 4: Retrieve Your Live Keys
Once you're ready for production, you'll need your Live keys to process real payments:
- Turn Test mode OFF using the toggle at the top right.
- You will now see your Live keys:
  - Publishable key — starts with pk_live_
  - Secret key — starts with sk_live_
- Click "Reveal live key" to view the full Secret key.
✅ What to copy
- Live Publishable Key (pk_live_...)
- Live Secret Key (sk_live_...)
⚠️ Important Security Notes
- Never share your Secret Key publicly. Do not email it in plain text, post it on social media, or include it in client-side code.
- Your Publishable Key is safe to use in frontend code — it can only create tokens, not charge cards.
- Your Secret Key belongs on your server only. It has full access to your Stripe account.
Best Practices for API Key Security
- Store Secret Keys in environment variables, never in source code.
- Use Restricted API Keys in production environments to limit permissions.
- Rotate your keys periodically and revoke any that may have been compromised.
- Use Stripe's webhook signing secrets to verify incoming events.
Using Restricted API Keys (Recommended for Production)
For production environments, Stripe recommends creating Restricted API Keys instead of using your main Secret Key. Restricted keys let you control exactly which API resources the key can access.
- Go to Developers → API keys in your Stripe Dashboard.
- Click "Create restricted key".
- Name your key (e.g., "Website Payments" or "Subscription Manager").
- Select the specific permissions the key needs (Read, Write, or None for each resource).
- Click "Create key" and copy it immediately — you won't be able to see it again.
Quick Reference: Key Prefixes
| Key Type | Prefix | Safe for Frontend? |
|---|---|---|
| Test Publishable | pk_test_ | ✅ Yes |
| Test Secret | sk_test_ | ❌ No |
| Live Publishable | pk_live_ | ✅ Yes |
| Live Secret | sk_live_ | ❌ No |
| Restricted | rk_live_ / rk_test_ | ❌ No |
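
The prefix table and the environment-variable advice above can be enforced in code. This added example (not Stripe's or Hatty AI's code) is a Python check that flags hard-coded secret or restricted keys in source text and loads the server key from the environment. The variable name `STRIPE_SECRET_KEY`, the key-body pattern, and the sample keys are assumptions made for illustration.

```python
import os
import re

# Prefixes from the quick-reference table; True means safe for frontend code.
PREFIXES = {
    "pk_test_": ("Test Publishable", True),
    "sk_test_": ("Test Secret", False),
    "pk_live_": ("Live Publishable", True),
    "sk_live_": ("Live Secret", False),
    "rk_test_": ("Restricted (test)", False),
    "rk_live_": ("Restricted (live)", False),
}
# Assumption: the key body is 10+ alphanumeric characters after the prefix.
KEY_RE = re.compile(r"\b((?:pk|sk|rk)_(?:test|live)_)([A-Za-z0-9]{10,})")


def find_hardcoded_secrets(text):
    """Return (line_no, key_type, redacted_key) for each key that is not frontend-safe."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for prefix, body in KEY_RE.findall(line):
            key_type, frontend_safe = PREFIXES[prefix]
            if not frontend_safe:
                # Never echo the full key into CI logs; keep the last 4 chars only.
                findings.append((line_no, key_type, f"{prefix}...{body[-4:]}"))
    return findings


def load_secret_key(env=os.environ, production=False):
    """Read the key from the environment and check it matches the deployment mode."""
    key = env.get("STRIPE_SECRET_KEY", "")  # variable name is an assumption
    if not key.startswith(("sk_", "rk_")):
        raise RuntimeError("STRIPE_SECRET_KEY is missing or is not a secret/restricted key")
    is_live = key[3:].startswith("live_")
    if is_live != production:
        raise RuntimeError("key mode does not match deployment mode")
    return key


# Constructed sample source file; the key values are fake.
SAMPLE = '''const stripe = Stripe("pk_test_EXAMPLEexample0001");
const secret = "sk_test_EXAMPLEexample0002";
headers = {"Authorization": "Bearer rk_live_EXAMPLEexample0003"}
'''

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE):
        print(finding)
```

Run `find_hardcoded_secrets` over staged files in a pre-commit hook or CI job, and call `load_secret_key` once at server startup so a test key in production (or a live key in development) fails fast.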
Need Help?
If you'd like assistance retrieving your keys, setting up restricted keys, or configuring Stripe webhooks, the Hatty AI team is here to help.
Need hands-on assistance with Stripe integration?
Contact Hatty AI
We can also help with temporary access setup, walk you through webhook configuration, or build a complete Stripe integration for your platform.
