
URL: https://docs.stripe.com/keys/managed-api-keys

Managed API keys | Stripe Documentation



Managed API keys

Let your hosting platform manage Stripe API keys for you.

Some third-party platforms, such as Vercel, can create and manage API keys on your behalf when you install their integration. These keys are called managed API keys, and the platform creates them programmatically instead of you creating them manually in the Dashboard. Follow your platform’s documentation to understand how it manages your Stripe API keys.

Because a managed key grants access to your Stripe account, you’re responsible for securing it. Make sure you follow best practices to keep these keys safe in your server environment. In particular, if your server platform provides managed API keys to your application as environment variables, don’t expose debugging features or error messages in your application that could show environment variables.
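The contrast described above, as an added example that is not Stripe's or any platform's code: a debug-style error body that leaks the environment, beside a handler that returns a generic message and logs redacted detail server-side. The variable name STRIPE_SECRET_KEY, the function names, and the sample key value are assumptions made for illustration; the sk_/rk_ key prefixes are general Stripe knowledge, not taken from this page.

```javascript
// Added example (not Stripe's or the platform's code). Assumptions: the platform
// injects the managed key as STRIPE_SECRET_KEY; all function names are hypothetical.

// Environment variable names that usually hold credentials.
const SECRET_ENV_NAMES = /(_KEY|_SECRET|_TOKEN|PASSWORD)$/i;
// Stripe secret (sk_) and restricted (rk_) key shapes, in case one appears verbatim.
const STRIPE_KEY_PATTERN = /\b[sr]k_(live|test)_[A-Za-z0-9]+/g;

// Values of secret-looking variables, so they can be scrubbed from any text.
function secretValues(env) {
  return Object.entries(env)
    .filter(([name, value]) => SECRET_ENV_NAMES.test(name) && value && value.length >= 8)
    .map(([, value]) => value);
}

// Replace every known secret value and every Stripe-shaped key in `text`.
function redact(text, env = process.env) {
  let out = String(text);
  for (const value of secretValues(env)) {
    out = out.split(value).join('[REDACTED]');
  }
  return out.replace(STRIPE_KEY_PATTERN, '[REDACTED]');
}

// Weak: a debug-style error body that hands the stack and environment to the caller.
function debugErrorBody(err, env = process.env) {
  return { error: err.message, stack: err.stack, env };
}

// Hardened: the caller gets a generic message and a correlation id; the detail
// goes to the server log only, after redaction.
function safeErrorBody(err, env = process.env, log = console.error) {
  const id = Math.random().toString(36).slice(2, 10); // log correlation only, not a secret
  log(redact(`[${id}] ${err.stack || err.message}`, env));
  return { error: 'Internal server error', id };
}

// Constructed sample: the key value below is made up for this example.
const sampleEnv = { STRIPE_SECRET_KEY: 'sk_test_EXAMPLEconstructed000', NODE_ENV: 'production' };
const sampleErr = new Error(`Charge failed using ${sampleEnv.STRIPE_SECRET_KEY}`);
console.log(JSON.stringify(safeErrorBody(sampleErr, sampleEnv)));
```

Redaction in logs is a backstop; the primary control is that the response body never carries error detail or environment contents.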

Managed API keys appear alongside your other keys on the API keys tab, labeled with the name of the managing platform. You can’t reveal managed keys because you don’t need them outside the server platform. If you need additional API keys that you can manage, create restricted API keys instead.

The following table summarizes the differences between unmanaged and managed keys.

| | Unmanaged keys | Managed keys |
| --- | --- | --- |
| Key creation | You create keys in the Dashboard | The platform creates keys using the API |
| User interaction | You copy keys from the Dashboard and configure them in the platform | The platform handles key setup automatically |
| Key delivery | Displayed to you in the Dashboard | Delivered directly to the platform |
| Key management | You control rotation and expiration | The platform manages the key lifecycle; you can expire the keys at any time |

Rotate a managed API key

Because you never need to use managed API keys directly, your server platform can rotate them without impacting your applications. However, you might need to rotate your keys if you notice unusual behavior, if the server platform or your application is compromised, or if you have a personnel change. Rotate a managed key in the Stripe Dashboard or use an interface provided by your server platform.

When your managed API keys change, you generally need to redeploy the corresponding server-side applications unless your server platform redeploys them automatically. Follow your platform’s documentation to learn how it handles key changes.

Revoke managed key access

You can revoke a managed API key at any time by doing one of the following:

  • Expire the key: On the API keys tab, click the overflow menu for the managed key and expire it. That immediately revokes the platform’s access without removing the integration.
  • Uninstall the integration: Uninstall the platform’s app from your Stripe account. When you uninstall an app, you can expire the managed keys immediately or keep them active.