โ† Back to API Keys Hub
๐Ÿ”’ Security Policy

API Key Security Rules

What every key type means, which are safe to share, and the exact steps for receiving and storing keys from clients.

Key FormatPlatformSafe to Share?What It Grants
pk_live_...Stripeโœ“ SafeFront-end only. Can initialize Stripe.js. Cannot charge anyone or access account data.
rk_live_...Stripeโš  RestrictedScoped permissions you define. Safe only over encrypted channels โ€” not text/email.
sk_live_...Stripeโœ— Never shareFull account access. Can initiate charges, refunds, transfers. Treat like a password.
AIzaSy...Googleโœ“ Safe (if restricted)Domain-restricted. Can only call the APIs you whitelisted. Safe in front-end HTML.
whsec_...Stripeโš  RestrictedWebhook signing secret. Used server-side only to verify Stripe event authenticity.
firebase-sa.jsonFirebaseโœ— Never shareFull admin access to Firebase project. Treat like root credentials. Server-side only.
โŒ
SMS / Text Message

Unencrypted. Stored on carrier servers. Backed up to iCloud or Google Photos. Anyone with access to the device can see it.

โŒ
Regular Email

Email body is not end-to-end encrypted. Sits in inboxes indefinitely. Both parties' email accounts become a risk if either is ever compromised.

โŒ
Screenshot

Syncs to iCloud/Google Photos automatically on most phones. You lose control of where it ends up the moment it's taken.

โŒ
Social Media DMs (Instagram, Facebook, etc.)

These platforms scan messages and store them on their servers. Not suitable for any sensitive credential.

โœ…
Stripe Team Member Access (best)

Client invites you as Developer role โ†’ you log in and copy the key yourself. Nothing is ever transmitted. This is always the first option to try for Stripe.

โœ…
Google Drive View-Only Doc

Client pastes the key into a Google Doc โ†’ shares it view-only with dev@applanta.app โ†’ you copy it โ†’ confirm to client โ†’ client deletes the doc. Simple and works for any small business owner who has Gmail.

โœ…
Screen Share on a Call (Zoom, FaceTime, Google Meet)

Client shares their screen while you're on a call โ†’ you read the key and type it yourself โ†’ nothing is transmitted over the internet. Great for less tech-savvy clients.

โœ…
Signal or WhatsApp (acceptable for restricted keys only)

End-to-end encrypted messaging. Acceptable for restricted/scoped keys (rk_live_, VAPID keys). Not for full secret keys. Both parties should delete the message immediately after the key is confirmed received.

1๏ธโƒฃ
Save it immediately to the client's OneDrive folder

Path: OneDrive/Client-Builds/[BusinessName]/ โ€” create a keys.txt file with the key type, value, and date received. Never leave a key only in chat history.

2๏ธโƒฃ
Wire it into the app in the same session

Don't let keys sit in a text file longer than needed. Get them into the app's config or Firebase RTDB immediately.

3๏ธโƒฃ
Ask the client to clean up the sharing method

Delete the Google Doc, clear the Signal/WhatsApp message thread, confirm the invite is revoked if using Stripe team access (or keep it for support โ€” your call).

4๏ธโƒฃ
Never paste a secret key into Claude chat

Paste keys only into terminal commands or RTDB writes. Keys typed into chat go into conversation logs. Use environment variables or direct RTDB writes instead.

Powered by Applanta Solutions ยท Internal Reference Only