Stripe Public Key Validator
Validate Stripe public key format: pk_live_... (production) or pk_test_... (test). Checks prefix, length, alnum charset.
Stripe API keys: pk_, sk_, rk_ and the live/test split
Stripe uses prefixed API keys to make their purpose immediately recognizable in code review and log scans. Every key starts with a two- or three-character role indicator, followed by the environment slug live or test, then an alphanumeric payload generated by Stripe's randomness service. The four prefixes you will encounter daily are:
- pk_live_: publishable key, production. Safe to embed in client-side JavaScript, mobile bundles and HTML pages.
- pk_test_: publishable key, sandbox. Same rules as live; charges hit the test ledger only.
- sk_live_: secret key, production. Full account access. Must never leave the server.
- sk_test_: secret key, sandbox. Same risk as live in lower environments; treat with equal care.
- rk_live_/rk_test_: restricted key, scoped subset of permissions (e.g. read-only on Charges, write on Invoices).
- whsec_: webhook signing secret, used to verify event payloads via HMAC-SHA256.
The validation regex this tool applies is ^(pk|sk|rk)_(live|test)_[a-zA-Z0-9]{24,}$. Stripe does not publicly commit to a fixed payload length, and historically the payload has grown from 24 to 99+ characters as the platform increased entropy. The relevant invariant is the prefix shape, which Stripe Radar and their internal SDKs rely on for routing.
Client vs server: where each key belongs
The split is strict. Publishable keys go to Stripe.js, Elements and Checkout: front-end code that creates PaymentMethods, confirms PaymentIntents and renders card forms in iframes hosted by Stripe (so card data never touches your server, satisfying PCI DSS SAQ A). Secret keys belong to backend SDKs (stripe-node, stripe-python, stripe-ruby, etc.) and are used to create Charges, issue Refunds, query Customers and write webhook endpoints.
// CLIENT (browser, separate file) - publishable key is fine
const stripe = Stripe('pk_live_51ABC...');
const elements = stripe.elements();

// SERVER (Node.js, separate file) - secret key only, read from the environment
const Stripe = require('stripe');
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY); // sk_live_...

// await is only legal inside an async function in a CommonJS module
async function createIntent() {
  return stripe.paymentIntents.create({ amount: 5000, currency: 'brl' });
}
Leaking a secret key is the single most damaging mistake in a Stripe integration. Stripe's bot continuously scans GitHub, npm, PyPI and public Pastebin for leaked keys; a hit auto-rolls the key and emails the account owner. Even so, the window between commit and rotation is enough for an attacker to drain Connect balances or issue refunds.
Brazil: BRL, PIX, boleto and the 2024 full launch
Stripe operated in Brazil under a limited cross-border model for years, but the 2024 full launch brought a Brazilian entity, local BRL acquiring and direct support for the three payment methods customers actually use:
- Cartão de crédito: Visa, Mastercard, Elo, Hipercard, with installments (parcelamento) of up to 12 fixed monthly payments.
- PIX: instant payment, available via Stripe since 2021, settled within 30 seconds. Integration uses payment_method_types: ['pix'] on the PaymentIntent.
- Boleto bancário: the bank-slip method, typically with a 2-day expiration window.
Stripe Connect, the marketplace product, supports Brazilian sellers and is widely used by SaaS platforms onboarding BR merchants. 3D Secure 2 (3DS2) is mandatory for European cross-border transactions under PSD2; Stripe handles the friction automatically via Dynamic 3DS in PaymentIntents. The standard Stripe Brazil fee schedule is around 3.99% + R$ 0.39 for domestic cards as of 2024.
Webhooks, idempotency, API versioning and test cards
Robust Stripe code relies on four non-key primitives:
- Webhook signing secret (whsec_...): each endpoint has its own, verified by stripe.webhooks.constructEvent(payload, signature, secret). Never trust event bodies without signature verification.
- Idempotency-Key header: a UUID per logical request, sent to every POST. Stripe deduplicates retries within 24 hours, preventing double-charges on network flakes.
- API versioning: each account is pinned to a date string (e.g. 2024-04-10). Pin the SDK version to match, then upgrade with explicit migration testing.
- Test cards: 4242 4242 4242 4242 always succeeds, 4000 0000 0000 0002 always declines, 4000 0000 0000 3220 triggers 3DS authentication. The full deck is documented in Stripe's testing reference.
Stripe's rate limit is 100 read or write operations per second in live mode, 25/sec in test mode, with bursting allowed. Hitting the cap returns 429 Too Many Requests; the official SDKs implement exponential backoff automatically. Stripe's Climate commitment (1% of revenue toward carbon removal) and the Stripe Issuing product (programmatic virtual and physical card issuance) round out the platform.
FAQ
Can I ever ship a secret key to the browser?
Never. sk_ keys grant full account access: they can refund any charge, transfer balances and read all customer PII. Any code path that puts a secret key in the front-end is a critical incident.
Does Stripe really support PIX in Brazil?
Yes, since 2021 for cross-border and since the 2024 launch with full domestic BRL settlement. Enable PIX as a payment method on the PaymentIntent and Stripe renders the QR code and copy-paste code automatically.
What is the difference between a live and a test key?
Only the environment slug in the prefix. pk_test_ and sk_test_ hit Stripe's sandbox ledger, never charge a real card and never settle real money. Both environments share the same dashboard layout.
My key fails the regex but works in production. Why?
Either the prefix is non-standard (e.g. legacy tok_ tokens are not keys but card tokens) or whitespace contaminates the value. Strip whitespace, confirm the prefix and re-test. Stripe never issues keys outside the documented prefixes.
Should I rotate keys regularly?
Yes, especially after every personnel change with dashboard access. Stripe lets you create new keys and revoke old ones independently; restricted keys (rk_) let you scope permissions narrowly for each integration.