| Key Format | Platform | Safe to Share? | What It Grants |
|---|---|---|---|
| pk_live_... | Stripe | โ Safe | Front-end only. Can initialize Stripe.js. Cannot charge anyone or access account data. |
| rk_live_... | Stripe | โ Restricted | Scoped permissions you define. Safe only over encrypted channels โ not text/email. |
| sk_live_... | Stripe | โ Never share | Full account access. Can initiate charges, refunds, transfers. Treat like a password. |
| AIzaSy... | โ Safe (if restricted) | Domain-restricted. Can only call the APIs you whitelisted. Safe in front-end HTML. | |
| whsec_... | Stripe | โ Restricted | Webhook signing secret. Used server-side only to verify Stripe event authenticity. |
| firebase-sa.json | Firebase | โ Never share | Full admin access to Firebase project. Treat like root credentials. Server-side only. |
Unencrypted. Stored on carrier servers. Backed up to iCloud or Google Photos. Anyone with access to the device can see it.
Email body is not end-to-end encrypted. Sits in inboxes indefinitely. Both parties' email accounts become a risk if either is ever compromised.
Syncs to iCloud/Google Photos automatically on most phones. You lose control of where it ends up the moment it's taken.
These platforms scan messages and store them on their servers. Not suitable for any sensitive credential.
Client invites you as Developer role โ you log in and copy the key yourself. Nothing is ever transmitted. This is always the first option to try for Stripe.
Client pastes the key into a Google Doc โ shares it view-only with dev@applanta.app โ you copy it โ confirm to client โ client deletes the doc. Simple and works for any small business owner who has Gmail.
Client shares their screen while you're on a call โ you read the key and type it yourself โ nothing is transmitted over the internet. Great for less tech-savvy clients.
End-to-end encrypted messaging. Acceptable for restricted/scoped keys (rk_live_, VAPID keys). Not for full secret keys. Both parties should delete the message immediately after the key is confirmed received.
Path: OneDrive/Client-Builds/[BusinessName]/ โ create a keys.txt file with the key type, value, and date received. Never leave a key only in chat history.
Don't let keys sit in a text file longer than needed. Get them into the app's config or Firebase RTDB immediately.
Delete the Google Doc, clear the Signal/WhatsApp message thread, confirm the invite is revoked if using Stripe team access (or keep it for support โ your call).
Paste keys only into terminal commands or RTDB writes. Keys typed into chat go into conversation logs. Use environment variables or direct RTDB writes instead.