Stripe Integration Launch Security Checklist

TL;DR

Before accepting real payments, switch from test to live keys, verify webhooks are secured with signatures, ensure the secret key never touches the browser, test the full payment flow with a real card, and enable Stripe Radar for fraud protection.

API Keys 4

Switch to live mode keysReplace test keys (sk_test_, pk_test_) with live keys (sk_live_, pk_live_)

Secret key is server-side onlysk_live_ must NEVER appear in browser code or client bundles

Publishable key is correctpk_live_ can be in client code. Verify it's the right one.

Keys are in environment variablesNot hardcoded in source files. Check your deployment config.

Webhooks 4

Webhooks endpoint is set upAdd your production webhook URL in Stripe Dashboard

Verify webhook signaturesAlways verify stripe-signature header. Never trust webhook data blindly.

Handle failed webhooksStripe retries failed webhooks. Make your handler idempotent.

Subscribe to relevant eventsAt minimum: checkout.session.completed, invoice.paid, customer.subscription.*

Payment Security 3

Enable Stripe RadarStripe's fraud detection is included. Verify it's active.

Use Stripe Checkout or ElementsNever handle raw card numbers. Use Stripe's secure components.

Test with a real cardDo a small real transaction to verify the full flow works

Business Settings 3

Complete Stripe account verificationFill out business details to avoid payout holds

Set up payout scheduleConfigure when you receive funds

Review refund and dispute settingsUnderstand Stripe's policies before issues arise

Can I use test keys in production?

No. Test keys only create test charges that don't process real money. You must switch to live keys (sk_live_, pk_live_) to accept real payments.

Is it safe to put the publishable key in my frontend?

Yes, the publishable key (pk_) is designed for client-side use. It can only create tokens and cannot access your Stripe account data. The secret key (sk_) must stay server-side.

Scan Your Stripe Integration

Find exposed keys and security issues before launch.