Stripe API Key Harvest Phishing
Criminals send developer-targeted emails mimicking Stripe's security alerts or API documentation updates, directing technical staff to a fake Stripe developer portal that collects live API secret keys — giving immediate programmatic access to the merchant's Stripe account.
Part of: Phishing
Last reviewed: 7 June 2026
Stripe's developer-facing products are built around API keys. Secret keys (prefixed sk_live_) grant full server-side access to the account's API; publishable keys (pk_live_) are safe to embed in client-side code and can only perform the limited client-side operations Stripe allows, such as tokenising card details; restricted keys (rk_live_) carry a chosen subset of permissions. Phishing campaigns aimed at software developers and technical administrators ask for these API credentials rather than login passwords, because a request framed as a technical security update draws less suspicion from developers than a consumer-style account alert would.
The fake email appears as a developer-community alert: Stripe is supposedly deprecating old API key formats and requiring key rotation, or a new security requirement mandates that keys be validated against Stripe's new key-management portal. A link is provided to a convincing developer-portal clone at a domain like stripe-developer-portal.io or dashboard-stripe.dev.
When the developer enters their live secret key to 'validate' it, the key is captured immediately. Unlike a login credential, an API secret key is not protected by 2FA: whoever holds it has direct, authenticated access to the full Stripe API. The attacker can then create charges (including running stolen cards through the account to find out which are still valid), issue refunds, retrieve customer and payment records, and alter subscriptions, all programmatically and without ever touching the dashboard.
How this scam works on the Stripe brand
Real Stripe API key management happens in the dashboard at dashboard.stripe.com under Developers > API Keys. Stripe never asks merchants to validate, rotate, or confirm API keys through an external third-party portal. Key deprecations and security updates are communicated through the official Stripe changelog at stripe.com/docs and through emails from @stripe.com that direct to the real dashboard.
Developer-targeted campaigns exploit the reality that developers often work quickly, may be accustomed to following links in tool documentation, and may not apply the same phishing scepticism to technical requests as they would to consumer-facing bank alerts. The fake portal may even display a real-looking 'API key health dashboard' after the key is entered, showing fabricated metrics to delay suspicion.
A compromised Stripe secret key can be used in automated scripts that run continuously, creating charges, pulling customer and payment records (the API exposes card brand, last four digits and expiry, never full card numbers) and modifying subscriptions, until the key is rotated. Detection may take days if the account owner does not review the request log under Developers > Logs, which records every API call along with the key that made it and the caller's IP address.
Common red flags
- An email about API key deprecation or rotation directing you to an external non-stripe.com portal
- A link in an email to a 'Stripe developer portal' with a domain that is not stripe.com
- A form asking you to paste your live Stripe secret key to validate or rotate it
- The supposed deprecation notice does not appear in the official Stripe changelog at stripe.com/docs
- Urgency: 'Old key format will stop working in 24 hours'
- Email sent to a developer or technical contact address rather than the main account email
- No corresponding notice in your real Stripe dashboard under Developers > API Keys
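The lookalike domains described above (stripe-developer-portal.io, dashboard-stripe.dev) and the first two red flags can be checked mechanically before anyone clicks. The following is an added example, not Stripe's code and not part of the original page: it extracts every link from an email body and accepts only hosts that are stripe.com or a subdomain of it on a label boundary, so stripe.com.account-verify.io and https://stripe.com@evil.example both fail. The sample email, the URGENCY_RE phrases and the red-flag heuristics are constructed assumptions for illustration.

```python
"""Classify the links in a suspected Stripe phishing email.

Added example; this is not Stripe's code and not part of the original
page. Assumption: the only legitimate place for API-key work is
stripe.com and its subdomains (dashboard.stripe.com, docs.stripe.com).
Any other host is treated as a lookalike, however Stripe-like it reads.
"""
import re
from urllib.parse import urlsplit

LEGIT_DOMAIN = "stripe.com"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# Constructed urgency phrases; extend to match the campaigns you actually see.
URGENCY_RE = re.compile(r"\b(\d+\s*hours?|immediately|stop working|suspend)", re.I)


def host_of(url: str) -> str:
    """Lower-case host of a URL with userinfo, port and path stripped.

    'https://stripe.com@evil.example/' yields 'evil.example': the text
    before '@' is userinfo, which browsers discard when connecting.
    """
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".")


def is_stripe_host(host: str) -> bool:
    """True only for stripe.com or a subdomain of it on a label boundary.

    'stripe.com.evil.example', 'dashboard-stripe.dev' and
    'stripe-developer-portal.io' all fail this test.
    """
    host = host.lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify_link(url: str) -> dict:
    """Verdict for one link plus the reasons it was rejected."""
    host = host_of(url)
    reasons = []
    if not is_stripe_host(host):
        if "stripe" in host:
            reasons.append("Stripe brand in a host that is not under stripe.com")
        else:
            reasons.append("host is not under stripe.com")
    if urlsplit(url).scheme.lower() != "https":
        reasons.append("not https")
    return {"url": url, "host": host, "legitimate": not reasons, "reasons": reasons}


def scan_email(body: str) -> list:
    """Classify every link in an email body, in order of appearance."""
    return [classify_link(u) for u in URL_RE.findall(body)]


def email_red_flags(body: str) -> list:
    """The red flags from this page that can be checked without a human."""
    flags = []
    if any(not link["legitimate"] for link in scan_email(body)):
        flags.append("link to a non-stripe.com host")
    if re.search(r"secret key", body, re.I) and re.search(r"paste|enter|validate", body, re.I):
        flags.append("asks you to enter or validate a secret key")
    if URGENCY_RE.search(body):
        flags.append("artificial urgency")
    return flags


# Constructed sample email in the style the page describes; not a real message.
SAMPLE_EMAIL = """\
Subject: [Action required] Legacy API key format deprecation

Stripe is retiring the legacy secret key format. Paste your live secret
key to validate it within 24 hours at https://stripe-developer-portal.io/validate
or https://dashboard-stripe.dev/keys or your old key will stop working.
Reference: https://stripe.com.account-verify.io/docs
Official docs: https://stripe.com/docs
"""

if __name__ == "__main__":
    for link in scan_email(SAMPLE_EMAIL):
        verdict = "OK  " if link["legitimate"] else "FAKE"
        print(f"{verdict} {link['host']:40} {'; '.join(link['reasons'])}")
    print("red flags:", email_red_flags(SAMPLE_EMAIL))
```

The suffix test is deliberately on the whole label (`"." + LEGIT_DOMAIN`), because a plain substring or `endswith("stripe.com")` check would wave through hosts such as notstripe.com. Running the sample flags the first three links and accepts only the stripe.com docs link.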
How to protect yourself
- Never enter your Stripe secret key on any site other than dashboard.stripe.com
- Check the official Stripe developer changelog at stripe.com/docs for any real deprecation notices
- Use restricted API keys with the minimum required permissions rather than full secret keys where possible
- Rotate your Stripe API keys immediately if you believe they may have been exposed
- Verify webhook signatures so that forged events cannot be injected into your integration; this protects your webhook endpoint, not the secret key itself
- Keep secret keys server-side only, loaded from a secrets manager or environment variable, never in client-side code, source repositories or chat messages, so there is no copy lying around to paste into a phishing form
- Review the request log under Developers > Logs regularly, since each entry records the key used and the caller's IP address, and alert on unusual activity such as bursts of refunds or small charges
How to report it
- Forward phishing emails to [email protected]
- Rotate your API keys immediately in Stripe's dashboard under Developers > API Keys
- Contact Stripe support at support.stripe.com to report the incident and request a security review
- File a complaint with the FTC at reportfraud.ftc.gov
- Report to the FBI's IC3 at ic3.gov if customer data or funds were affected
Frequently asked questions
Does Stripe ever ask you to validate API keys through an external portal?
No. Stripe manages API keys entirely within the dashboard at dashboard.stripe.com. Any request to enter an API key on an external site — regardless of how technical or official it sounds — is fraudulent.
What should I do if I pasted my secret key on a fake site?
Roll the key immediately in your Stripe dashboard under Developers > API Keys and, when prompted, expire the old key right away rather than using the optional grace period Stripe offers during a roll. Then review the request log under Developers > Logs for calls made with the compromised key (each entry shows the key used and the caller's IP address) and the events feed for charges, refunds and subscription changes you did not make, and contact Stripe support if you find any.
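The review step in this answer, and the continuous-abuse pattern described earlier in the page (scripts that keep creating charges and refunds until the key is rotated), can be turned into a triage script. The following is an added example, not Stripe's code and not part of the original page. It runs over a constructed list of Event dicts shaped like Stripe's Event objects (id, type, created, livemode, data.object, request.id); with the real API you would fetch them with stripe.Event.list(created={"gte": since}) and pass the results in. The two rules (a refund burst and a card-testing pattern) and their thresholds are illustrative assumptions, and the event IDs, timestamps and card fingerprints are made up.

```python
"""Triage recent live-mode Stripe events for signs of a stolen secret key.

Added example; not Stripe's code and not part of the original page. It
runs over constructed Event dicts shaped like Stripe's (id, type, created,
livemode, data.object, request.id). With the real API you would fetch
them with stripe.Event.list(created={"gte": since}) and pass the results
in. The thresholds are illustrative assumptions, not Stripe guidance.
Reads (listing customers) produce no events, so data exfiltration shows
up only in the request log under Developers > Logs.
"""
from collections import defaultdict

T0 = 1_717_756_800  # constructed base timestamp for the sample data


def max_burst(timestamps, window):
    """Largest number of timestamps falling inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def _req_id(ev):
    """request.id is null for events Stripe generates on its own (e.g. renewals)."""
    return (ev.get("request") or {}).get("id")


def triage_events(events, window=600, refund_limit=5, small_cents=200, cardtest_limit=10):
    """Return findings; each carries the request IDs to look up under Developers > Logs."""
    by_type = defaultdict(list)
    for ev in events:
        if ev.get("livemode"):  # test-mode keys cannot move money; ignore that noise
            by_type[ev["type"]].append(ev)
    findings = []

    # Rule 1: refund burst. Legitimate refunds trickle in; a script fires them in bulk.
    refunds = by_type["refund.created"]
    n = max_burst([e["created"] for e in refunds], window)
    if n >= refund_limit:
        findings.append({"rule": "refund_burst", "count": n, "window_s": window,
                         "request_ids": [_req_id(e) for e in refunds]})

    # Rule 2: card testing. Many tiny charge attempts on many distinct cards,
    # mostly declined. The card fingerprint identifies a card across attempts.
    attempts = by_type["charge.failed"] + by_type["charge.succeeded"]
    small = [e for e in attempts if e["data"]["object"]["amount"] <= small_cents]
    cards = {e["data"]["object"]["payment_method_details"]["card"]["fingerprint"] for e in small}
    declined = sum(1 for e in small if e["type"] == "charge.failed")
    if len(small) >= cardtest_limit and len(cards) >= cardtest_limit // 2:
        findings.append({"rule": "card_testing", "count": len(small),
                         "distinct_cards": len(cards), "declined": declined,
                         "request_ids": [_req_id(e) for e in small]})
    return findings


def _event(i, etype, created, obj):
    """Build one constructed Event dict with the fields the rules above read."""
    return {"id": f"evt_sample{i:04d}", "object": "event", "type": etype,
            "created": created, "livemode": True, "data": {"object": obj},
            "request": {"id": f"req_sample{i:04d}", "idempotency_key": None}}


def sample_events():
    """Constructed data: 8 refunds in under 4 minutes, then 12 $1 attempts on 12 cards."""
    events = []
    for i in range(8):
        events.append(_event(i, "refund.created", T0 + 30 * i,
                             {"object": "refund", "amount": 4999, "charge": f"ch_sample{i}"}))
    for j in range(12):
        etype = "charge.succeeded" if j % 6 == 0 else "charge.failed"
        events.append(_event(100 + j, etype, T0 + 600 + 15 * j,
                             {"object": "charge", "amount": 100, "currency": "usd",
                              "payment_method_details": {"card": {"fingerprint": f"fp_sample{j:02d}",
                                                                  "last4": "4242"}},
                              "failure_code": None if etype == "charge.succeeded" else "card_declined"}))
    # One ordinary renewal charge so the rules have benign traffic to ignore.
    events.append(_event(200, "charge.succeeded", T0 + 2000,
                         {"object": "charge", "amount": 2900, "currency": "usd",
                          "payment_method_details": {"card": {"fingerprint": "fp_regular", "last4": "1111"}},
                          "failure_code": None}))
    return events


if __name__ == "__main__":
    for finding in triage_events(sample_events()):
        print(finding["rule"], {k: v for k, v in finding.items() if k != "request_ids"})
        print("  request ids:", ", ".join(r for r in finding["request_ids"] if r)[:120], "...")
```

The request IDs in each finding are what you paste into the search box of the request log: that entry shows which key made the call and from which IP address, which is the evidence Stripe support will ask for. Reads such as listing customers never appear in the events feed, so an empty result from this script does not rule out data exfiltration.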
Are Stripe restricted API keys safer than the full secret key?
Yes. Restricted keys can be limited to specific endpoints and permissions, meaning a stolen restricted key has narrower potential for damage than a full secret key. Use restricted keys wherever a specific integration does not need full access.