by rboyd 1978 days ago
Not sure this is totally uncommon. Zapier asks for Stripe keys also AFAIK, or am I missing your point?

Oh wow, I didn't realize that. I'm a little surprised it's a common thing. Stripe's secret key is the "keys to the kingdom" so to speak. This means someone with the key can get up to all kinds of funny stuff.

Stripe also says not to do it:

> Your API keys give you access to Stripe’s systems and a global financial network. That access is what card testers want to exploit, so it’s important to keep your keys safe and put safeguards around the functionality those keys provide to prevent fraud and other malicious activity.

https://stripe.com/docs/card-testing#stripe-mitigations

> Your secret API key can be used to make any API call on behalf of your account, such as creating charges or performing refunds. Treat your secret API key as you would any other password. Grant access only to those who need it. Ensure it is kept out of any version control system you may be using.

https://stripe.com/docs/keys#keeping-your-keys-safe

To me this sounds like an example of bad practice commonly implemented. Along the lines of the litany of open source projects whose install instructions involve curling a shell file into sh directly. It's bad practice, but so commonly implemented that people mistake it for good/fine practice.
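As an added example (not from the thread or from Stripe's documentation), a small pre-commit style scanner that flags Stripe secret (`sk_`) and restricted (`rk_`) keys in text, which is the "keep it out of version control" check the quoted Stripe guidance asks for. Publishable (`pk_`) keys are meant to ship client-side and are ignored; the `.env` sample and the placeholder key bodies are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Stripe prefixes: sk_ = full secret key, rk_ = restricted (scoped) secret key,
# pk_ = publishable key. Only sk_/rk_ are secrets, so only those are findings.
SECRET_KEY_RE = re.compile(r"\b(sk|rk)_(live|test)_([A-Za-z0-9]{16,})\b")


@dataclass
class Finding:
    line_no: int
    kind: str      # "secret" (sk_) or "restricted" (rk_)
    mode: str      # "live" or "test"
    redacted: str  # prefix plus last 4 chars, safe to print in CI logs


def redact(token: str) -> str:
    """Keep the 8-char prefix and the last four characters so the owner can tell which key leaked."""
    return token[:8] + "..." + token[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per Stripe secret/restricted key found in `text`, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(
                line_no=line_no,
                kind="secret" if m.group(1) == "sk" else "restricted",
                mode=m.group(2),
                redacted=redact(m.group(0)),
            ))
    return findings


def live_leak_present(findings: List[Finding]) -> bool:
    """True if any finding is a live-mode key; test-mode keys are reported but need not block a commit."""
    return any(f.mode == "live" for f in findings)


# Constructed .env sample with placeholder values; these are not real Stripe keys.
SAMPLE_ENV = """\
STRIPE_PUBLISHABLE_KEY=pk_live_PLACEHOLDERPUBLISHABLE00000
STRIPE_SECRET_KEY=sk_live_PLACEHOLDERSECRETKEY0000000
STRIPE_ZAPIER_KEY=rk_test_PLACEHOLDERRESTRICTED000000
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_ENV)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.mode} key {f.redacted}")
    if live_leak_present(results):
        raise SystemExit("live Stripe secret key found; refusing commit")
```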
To be fair, sometimes you need bad practice to make things possible to do. Plaid takes your bank username and password to scrape pages because it’s the only choice to make the tech.

Flouting the rules is the basis for a lot of successful businesses.

A qualified absolutely. I love to build side projects, and generally the first iteration is very poorly built. If your goal is to put "ideas on paper" so to speak, then you're 100% right. This could even make it to early production if you're really in a pinch.

I think though that there's a point where you need to move past the bad practice and find, or create the right way to do what you're trying to do.

Except in this case Stripe provides a way for 3rd parties to access your Stripe account without giving the 3rd party your password.
Here's Zapier's docs on that:

https://zapier.com/help/doc/how-get-started-stripe

It looks like this documentation might predate Stripe's auto-generated API keys, which generate a separate API key for each successive app, so that you are able to identify the app and revoke only those keys:

https://stripe.com/docs/keys#safe-keys

WooCommerce, the popular e-commerce plugin for WordPress, also asks for Stripe keys.