First, work out which key it is
Stripe issues more than one kind of key, and they differ enormously in what they can do. A publishable key starts with pk_ (pk_live_ or pk_test_) and is designed to be public: it can only do limited client-side work such as collecting card details, so finding one in your front-end bundle is normal and fine.
A secret key starts with sk_ (sk_live_ or sk_test_) and has full access to your account's API: it can create charges, issue refunds, read customer and payment data, and more. Restricted keys start with rk_ and are secret too, just with narrower permissions. An exposed sk_live_ or rk_live_ key is an emergency. An exposed test-mode key cannot touch real money or real customer data, but roll it anyway.
Roll the key right now
Do not wait for an investigation. In the Stripe Dashboard go to Developers, then API keys, find the exposed secret key and roll (regenerate) it. Rolling issues a new key and invalidates the old one, so anything an attacker copied stops working.
The roll dialog lets you choose when the old key expires. Keeping it alive for a few hours avoids downtime while you deploy the new key, but the grace period applies to whoever found the key as well: if the key was sitting in a public bundle, expire the old one immediately and accept a short outage. If you do use a delay, deploy the new key at once and confirm afterwards that the old key has actually stopped working.
Get the key out of your client code
- Move the secret key into a server-side environment variable (or your host's secrets manager) and read it when the server starts.
- Make every Stripe call that needs the secret key from your server, never from the browser. The browser only needs the publishable key plus the client_secret of a PaymentIntent your server created.
- Your front-end should only ever use the publishable key (pk_).
- Redeploy, then scan the built assets that are actually served to the public (including source maps) to confirm no sk_ or rk_ key is left in the bundle.
Check for damage
In the Stripe Dashboard, review recent payments, refunds, payouts and any new products, customers or payment links you did not create. Under Developers, the request logs show the API calls made with your keys; look for calls from unfamiliar sources, at unusual times or in unusual volumes. Check the Events list as well, since it records changes to your account regardless of which key made them.
If anything looks suspicious, contact Stripe support straight away. They handle leaked keys regularly and can help you assess and contain the damage.
Stop it from happening again
- Keep all secret keys in environment variables or a secrets manager, never in source code.
- Add your env files (.env and friends) to .gitignore and to your deploy ignore rules so they are neither committed nor shipped. If one was ever committed, it is still in git history; roll the key rather than just deleting the file.
- Prefer a restricted key (rk_) with only the permissions your server needs, so a future leak does less damage.
- Scan your site's built assets after every deploy, and ideally in CI before merge, so a new leak is caught early.