How to hide stripe secret key using lambda function

I am using a serverless lambda function to run Stripe payments.

In my server function I have the following…

require('dotenv').config()
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

I have a .env file with the SK in there, and this works when running on localhost. But it doesn't work when I deploy.

I have added the SK in Netlify’s dashboard
STRIPE_SECRET_KEY
sk_test_opK…sIKZ

But it doesn't work for me, what am I doing wrong?

Cross posted answer here on StackOverflow

More than likely, the dependency dotenv does not exist when the lambda function executes, because you did not package it into your function.

When using Netlify’s dashboard to store the private key, you won’t have a .env. This is good news, because you don’t want to store that key in your repository. This is only needed in your case for local development.

  • Remove require('dotenv').config() from your function, because it is not needed in this case on Netlify, because process.env.STRIPE_SECRET_KEY will exist on Netlify at the time the function executes.
  • Add the key during local development with a different process (maybe using cross-env at the command line instead)

I’d suggest reading this article that goes into extensive details on best practices with environment variables:

But, TL;DR, I wouldn’t use dotenv at all - I’d be using javascript (during build!) to fetch from the env var you have set in the netlify UI. Saner to put sensitive values in our UI than in your repo (where anyone who gets access to your code can find it).

This was copied from https://functions-playground.netlify.com/
Once you have set the value of GREETING in the Netlify UI you have access to it in the Lambda function. It works. I’m using it. There are a number of useful snippets and associated information there - worth a look.

const { GREETING } = process.env;

exports.handler = async (event, context) => {
  return {
    statusCode: 200,
    body: GREETING
  };
};

it’s a great resource, @witcradg - glad you found it useful :+1:

I’ve been using this as a guide for getting Stripe working in my React app: https://mitchgavan.com/react-serverless-shop/

Yet, when I use an environment variable either locally in my .env file or in the Netlify admin for the Stripe secret key, I cannot get any Stripe transactions to work. If the secret key is hardcoded in the charge.js file, everything works.

Is there something special about the Stripe secret key? Has anyone gotten this working and if so, how?

All my other Netlify environment variables are working (Firebase, etc.) except for Stripe.

You would not be able to use the .env file for a lambda function. The admin Environment variable should work and should be accessed via process.env.YOUR_STRIPE_KEY.

I know that you can’t use the .env for lambda function but the admin Environment Variable is not working. It works if the API key is hardcoded.

I think you probably would benefit from reading this article:

So, my answer would be the same as @talves around making sure you access it as suggested.

Do note that functions do NOT use the variables mentioned in netlify.toml, only the ones shown in our UI.

It was my stupid mistake - I was using process.env_STRIPE_SECRET_KEY…(unneeded underscore instead of period. Ugh).

Thanks for all the suggestions. I wasn’t the original poster but hopefully he got it sorted as well.


thanks for keeping us posted! glad it was just a typo - frustrating, but at least not serious :wink:
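
Both failures in this thread (a variable that is not set at deploy time, and a mistyped lookup that silently evaluates to undefined) can be caught at function start-up. The following is an added example, not code from any poster or from Netlify or Stripe; `loadSecret`, `redact`, `stripeConfig` and `makeHandler` are hypothetical helper names, and `createClient` stands in for `require('stripe')` so the block runs offline.

```javascript
// Added example. loadSecret, redact, stripeConfig, makeHandler are hypothetical names.

// Return a required variable from an env-like object, or throw naming the
// variable (never its value). A mistyped lookup such as
// process.env_STRIPE_SECRET_KEY yields undefined without any error, so the
// check has to be explicit.
function loadSecret(name, env = process.env) {
  const value = env[name];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`Environment variable ${name} is not set`);
  }
  return value.trim();
}

// Keep only the mode prefix and the last four characters for log output.
function redact(key) {
  const m = /^(sk_(?:test|live)_)/.exec(key);
  return m && key.length > m[1].length + 4 ? `${m[1]}...${key.slice(-4)}` : '[redacted]';
}

// Resolve the Stripe key once; on failure hand back a generic 500 for the
// caller and keep the detail in the function log only.
function stripeConfig(env = process.env) {
  try {
    const key = loadSecret('STRIPE_SECRET_KEY', env);
    // Assumption: secret keys start with sk_test_ or sk_live_, as on this page.
    if (!/^sk_(test|live)_/.test(key)) {
      throw new Error('STRIPE_SECRET_KEY is set but is not a secret key (sk_...)');
    }
    console.log(`stripe key loaded: ${redact(key)}`);
    return { ok: true, key };
  } catch (err) {
    console.error(`stripe config error: ${err.message}`);
    return { ok: false, response: { statusCode: 500, body: 'Payment configuration error' } };
  }
}

// Netlify-style handler; assign the result to exports.handler in a real
// function file and pass require('stripe') as createClient.
function makeHandler(createClient, env = process.env) {
  const cfg = stripeConfig(env);
  const client = cfg.ok ? createClient(cfg.key) : null;
  return async () => {
    if (!client) return cfg.response; // fail closed, no key material in the body
    return { statusCode: 200, body: 'ok' };
  };
}
```
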