
Are you thinking about using Stripe as your payment gateway on your website? No matter if you plan to use off-the-shelf or custom-built plugins (or other types of Stripe integrations) to accept payments, you’ll need to use Stripe APIs. To access these, you’ll need to get your Stripe API keys so that you can connect your plugin with the payment gateway.
Let’s cover the most important questions: what types of Stripe API keys exist? How can you get and test them, and how can you keep them safe? Here’s the ultimate guide!
First things first, let’s discuss why you need Stripe API keys for your payments plugin.
The purpose of Stripe API keys is to authenticate Stripe API requests. A key must be included in every API request; otherwise, the request cannot be completed. The Stripe API keys are unique to your account, and this is the only way for the payment gateway to recognize that the API requests were made by your account. If you don’t include your key when making an API request, or if you use an invalid or expired Stripe API key, Stripe returns a 401 – Unauthorized HTTP response code.
Stripe API keys can be categorized in two ways:
Consequently, you’ll always have at least four keys associated with your account.
Let’s see what these mean in practice.
All Stripe API requests occur in either test or live mode. It’s important to note that API objects created in one mode aren’t accessible in the other. For instance, a subscription plan created in test mode is not available in live mode, and vice versa.
The question is: when should you use the test mode?
Use this mode when you test your plugin. In this case, payments are not processed by card networks or payment providers. API requests return simulated accounts, payments, customers, charges, refunds, transfers, and subscriptions. Webhooks that were not successfully delivered are retried three times over a few hours, in contrast to 72 hours in live mode. All this ensures that you don’t accidentally charge money to someone’s account while you’re testing. Therefore, make sure to use test credit cards and accounts while you use your Stripe API keys in test mode.
Also, you need to note that Stripe objects – such as plans, products, coupons, tax rates (EU VAT rates), or shipping rates – created in test mode will not be available in live mode. Therefore, when going live, you need to recreate your products by clicking the “Copy to live mode” button:
When should you switch your Stripe API keys to live mode?
You’ve probably already guessed the answer: when you launch your app, plugin, or website. In this mode, all transactions will be live and real, test credit cards and accounts will not work anymore, and the API requests will return real customer accounts, payments, and so on. Use this mode only if you’re really ready for the launch.
Publishable API keys are used to identify your account with Stripe. As the name suggests, these Stripe API keys are publishable; therefore, they can be used on websites available to the public.
Secret API keys have to be stored properly on your own servers to keep them confidential. Secret Stripe API keys can perform any API request.
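The two categories above (test or live, publishable or secret) can be checked at deploy time before a plugin ever talks to Stripe. The following is an added example, not code from Stripe or WP Full Pay: it relies on Stripe's key prefix format (`pk_`, `sk_`, `rk_` followed by `test_` or `live_`), and the environment variable names and sample values are hypothetical.

```python
import re

# Stripe key format: <type>_<mode>_<random>; pk = publishable, sk = secret, rk = restricted.
# The minimum length of the random part is an assumption made for this example.
KEY_RE = re.compile(r"^(pk|sk|rk)_(test|live)_[0-9A-Za-z]{10,}$")
KIND = {"pk": "publishable", "sk": "secret", "rk": "restricted"}


def classify(key):
    """Return (kind, mode) for a well-formed key, or None."""
    m = KEY_RE.match(key.strip())
    return (KIND[m.group(1)], m.group(2)) if m else None


def check_key_config(env, expected_mode):
    """Return a list of problems with the key pair found in `env`.

    STRIPE_PUBLISHABLE_KEY and STRIPE_SECRET_KEY are hypothetical variable names.
    """
    problems = []
    pub = classify(env.get("STRIPE_PUBLISHABLE_KEY", ""))
    sec = classify(env.get("STRIPE_SECRET_KEY", ""))
    if pub is None:
        problems.append("publishable key missing or malformed")
    elif pub[0] != "publishable":
        # A secret key in the browser-facing slot would be served to every visitor.
        problems.append(f"{pub[0]} key configured where a publishable key belongs")
    if sec is None:
        problems.append("secret key missing or malformed")
    elif sec[0] == "publishable":
        problems.append("publishable key configured where a secret key belongs")
    for slot, info in (("publishable", pub), ("secret", sec)):
        if info and info[1] != expected_mode:
            problems.append(f"{slot} slot holds a {info[1]}-mode key, expected {expected_mode}")
    return problems


# Constructed sample values, not real keys.
FAKE = "0" * 24
staging = {"STRIPE_PUBLISHABLE_KEY": "pk_test_" + FAKE, "STRIPE_SECRET_KEY": "sk_live_" + FAKE}
swapped = {"STRIPE_PUBLISHABLE_KEY": "sk_test_" + FAKE, "STRIPE_SECRET_KEY": "pk_test_" + FAKE}

if __name__ == "__main__":
    for name, env in (("staging", staging), ("swapped", swapped)):
        print(name, check_key_config(env, "test"))
```

An empty list means the pair is consistent; anything else should stop the deployment before a live secret key reaches a test site or a secret key reaches a public page.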
In order to get your Stripe API keys, first, you need to create your Stripe account.
Once you’re ready, you can find your Stripe API keys in your Stripe account’s dashboard. If you’re not the account’s owner and cannot see the Stripe API keys, you probably don’t have access to them. In this case, make sure to contact the account’s owner to obtain an administrator or developer role to gain access. Once you have proper access, follow these steps:
Find a short video below on how to obtain your test and live API keys: https://www.youtube.com/watch?v=UxpgwkiA5OM&ab_channel=KorinIverson
Secret Stripe API keys can be used for API calls such as charging or refunding. Therefore, they should be kept in a safe digital environment. Think of them as passwords. Grant access only to those who need it, and ensure that the key is kept out of any version control system you may be using. To control access to your secret Stripe API key, you might use a password manager, for instance. Make sure to make a note in your dashboard of where you copied the given secret API key:
In case secret Stripe API keys are compromised, one has the option to “roll the key”. This means you can block your key and generate a new one:
When rolling an API key, you can choose to block the old key immediately or allow it to work for 12 hours. The latter option will provide you with time to make the necessary transitions. However, you’ll be able to use the new key immediately in both cases.
Secret Stripe API keys can be used for any kind of API request without limitation; therefore, you might want to add another layer of security to keep them safe.
You can create restricted Stripe API keys, which let you limit the access a key grants. Restricted keys reduce risk when building or using microservices, and they can be revoked at any time once they are no longer needed. However, they cannot be used for the development of your Stripe integration. Consequently, use your test API keys during development, and once the integration is live, use your live API keys.
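Keeping the secret key out of version control, as advised above, is easier to enforce with a check than with a policy. The following is an added example, not part of the original guide or of any Stripe tooling: a scanner that could back a pre-commit hook, run here over constructed file contents with fake key values; the file names are illustrative.

```python
import re
import sys

# Secret (sk_) and restricted (rk_) keys must never be committed; publishable (pk_) keys
# are meant to be public and are ignored. The prefixes follow Stripe's key format; the
# minimum length of the random part is an assumption made for this example.
SECRET_RE = re.compile(r"\b(sk|rk)_(test|live)_[0-9A-Za-z]{10,}")


def redact(key):
    """Keep only the prefix and the last four characters so findings can be logged safely."""
    prefix = key[: key.index("_", 3) + 1]
    return f"{prefix}...{key[-4:]}"


def scan_text(path, text):
    """Return findings for one file as (path, line_no, severity, redacted_key)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            # A live key can perform real API requests; a test key is still a leak.
            severity = "critical" if m.group(2) == "live" else "warning"
            findings.append((path, line_no, severity, redact(m.group(0))))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping in a stable order."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample: staged files with fake key values (built by concatenation so this
# script does not itself contain a key-shaped literal).
FAKE = "A1b2C3d4E5f6G7h8I9j0K1l2"
SAMPLE_FILES = {
    "wp-config.php": "<?php\ndefine('STRIPE_SECRET', '" + "sk_live_" + FAKE + "');\n",
    ".env.example": "STRIPE_PUBLISHABLE_KEY=pk_test_" + FAKE + "\nSTRIPE_SECRET_KEY=\n",
    "tests/fixtures.py": "KEY = '" + "rk_test_" + FAKE + "'\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, line_no, severity, key in results:
        print(f"{severity}: {path}:{line_no}: {key}")
    sys.exit(1 if results else 0)  # a non-zero exit blocks the commit
```

A key that this check finds in a commit that was already pushed should be treated as compromised and rolled, since removing it from the latest revision does not remove it from history.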
Now that you are familiar with the test mode Stripe API keys, let’s take an example of how you can make a test transaction. In our example, we’ll demonstrate how you can test transactions on a WordPress site, using the WP Full Pay payments plugin.
First, follow these steps to configure the WP Full Pay publishable and secret Stripe API keys:
Now, you can run a test transaction on any published form, including Stripe checkout pages if you have a payment, subscription, or donation form that is already created and published:
If you need more details, check out this short video on how to complete a test transaction:
https://www.youtube.com/watch?v=zRNn5XwOze8&ab_channel=KorinIverson
If you need further assistance on how to configure and test your Stripe API keys, you can find more information in the Stripe Docs or the Stripe API Reference.