Is it important to hide Stripe secret key in Javascript?

I would like to know if it’s important to hide my stripe key in my javascript.

In fact, in my Symfony website, I put this key in my javascript to allow users to pay their orders.
And this is how I made that:


    <script src="" crossorigin="anonymous"></script>
        <script type="text/javascript">
        var stripe = Stripe("pk_live_....");
        var checkoutButton = document.getElementById("checkout-button");

        checkoutButton.addEventListener("click", function () { 
            fetch("/orders/create-session/154154154", {method: "POST"})
            .then(function (response) { return response.json(); })
            .then(function (session) { if (session.error == 'order') 
            { window.location.replace('/orders'); } else { return stripe.redirectToCheckout({sessionId:}); } })
            .then(function (result) { if (result.error) { alert(result.error.message); } })
            .catch(function(error) { console.error("Error:", error); }); });

But if you open console and check the source code you can see my stripe key…


>Solution :

Yes, you can use the Stripe ‘publishable’ key in your client side app.

More information:

Leave a Reply