How to access Private Keys in client-side Elements

danielkellydev · June 26, 2024, 2:51am

Hi all,

I’m creating a plugin that integrates Stripe payments.

Within the Element, the Initialize function initializes Stripe with a provided API key. Currently the keys are set up as Public keys.

For security, these would obviously be better as Private keys. Though when I set them as Private, I can’t easily access them from my Element.

What would be the most straightforward way to get Private keys into Element code?

Thank you in advance.

lindsay_knowcode · June 26, 2024, 3:43am

As you’ve figured out, things are not secret when they are exposed in the browser.

One technique is to have your front end code call a backend workflow. Then any processing requiring secrets is done in that backend workflow.

danielkellydev · June 26, 2024, 5:08am

Thanks Lindsay.

Can server-side actions access Private keys directly via context.keys?

tylerboodman · June 26, 2024, 5:13am

Yes like this: context.keys["Stripe Secret Key"] then the name just has to match in the keys section

danielkellydev · June 26, 2024, 5:18am

Thanks, I’m going to try this now.

danielkellydev · June 26, 2024, 7:54am

Just an update. I created a server-side action that retrieves the private key.

Then, created a backend workflow that calls this action, and returns the key.

Then, created a property in the Client-side element that takes the endpoint to run the action.

Now, this endpoint can be accessed within the Element’s Update function via properties.publishable_key_endpoint.

The endpoint can now be used in function Initialize for a POST request to retrieve the STRIPE_PUBLISHABLE_KEY.

    fetch(publishableKeyEndpoint, {
      method: 'POST'
    })
      .then(response => response.json())
      .then(data => {
        if (data.status === 'success' && data.response && data.response.publishable_key) {
          const publishableKey = data.response.publishable_key;
          instance.data.publishableKey = publishableKey;
          return instance.data.loadStripeScript(publishableKey);

And it works!

I’d like to simplify it eventually if possible, but the main thing for now is that it’s working.

tylerboodman · June 26, 2024, 3:30pm

I haven’t used Stripe, but according to google the Publishable Key isn’t supposed to be a private key, so that you can do directly in your element without all the workarounds since it’s intended for client side use.

The Secret Key is the one you can’t let get exposed

Jici · June 26, 2024, 3:35pm

PK can be used for client side for some scripts.
If you need SK, this need to be used server side.
Not sure what you are doing, but I don’t see any reason to use a server side script where you can use API Connector.

Topic		Replies	Views
Can't access private API key in "initialize"? Plugin builders	3	577	October 10, 2023
Using Stripe Secret Key in Third Party Plugin - Safe? APIs	2	41	March 9, 2025
Stripe API - What are the Publishable Key's Primary Uses Questions	2	741	April 16, 2024
Passing data from front end to server side Plugins	3	81	June 14, 2024
Is it possible to store secret API keys in a plugin (without revealing them in the plugins tab)? Plugins	2	547	July 27, 2022

How to access Private Keys in client-side Elements

Related topics