How to hide stripe secret key using lambda function

I am using a serverless lambda function to run Stripe payments.

In my server function i have the following…

require(‘dotenv’).config()
const stripe = require(‘stripe’)(process.env.STRIPE_SECRET_KEY);

i have a .env file with the SK in there, and this works when running on localhost. But it doesnt work when i deploy.

I have added the SK in Netlify’s dashboard
STRIPE_SECRET_KEY
sk_test_opK…sIKZ

But it doesnt work for me, what am i doing wrong?

Cross posted answer here on StackOverflow

More than likely, the dependency dotenv does not exist when the lambda function executes, because you did not package it into your function.

When using Netlify’s dashboard to store the private key, you won’t have a .env. This is good news, because you don’t want to store that key in your repository. This is only needed in your case for local development.

  • Remove require('dotenv').config() from your function, because it is not needed in this case on Netlify, because process.env.STRIPE_SECRET_KEY will exist on Netlify at the time the function executes.
  • Add the key during local development with a different process (maybe using cross-env at the command line instead)
1 Like

I’d suggest reading this article that goes into extensive details on best practices with environment variables:

But, TL;DR, I wouldn’t use dotenv at all - I’d be using javascript (during build!) to fetch from the env var you have set in the netlify UI. Saner to put sensitive values in our UI than in your repo (where anyone who gets access to your code can find it).

This was copied from https://functions-playground.netlify.com/
Once you have set the value of GREETING in the Netlify UI you have access to it in the Lambda function. It works. I’m using it. There are a number of useful snippets and associated information there - worth a look.

const { GREETING } = process.env;

exports.handler = async (event, context) => {
  return {
    statusCode: 200,
    body: GREETING
  };
};
1 Like

it’s a great resource, @witcradg - glad you found it useful :+1:

I’ve been using this as a guide for getting Stripe working in my React app: https://mitchgavan.com/react-serverless-shop/

Yet, when I use an environment variable either locally in my .env file or in the Netlify admin for the Stipe secret key, I cannot get any Stripe transactions to work. If the secret key is hardcoded in the charge.js file, everything works.

Is there something special about the Stripe secret key? Has anyone gotten this working and if so, how?

All my other Netlify environment variables are working (Firebase, etc.) except for Stripe.

You would not be able to use the .env file for a lambda function. The admin Environment variable should work and should be accessed via process.env.YOUR_STRIPE_KEY.

I know that you can’t use the .env for lambda function but the admin Environment Variable is not working. It works if the API key is hardcoded.

I think you probably would benefit from reading this article:

So, my answer would be the same as @talves around making sure you access it as suggested.

Do note that functions do NOT use the variables mentioned in netlify.toml, only the ones shown in our UI.

It was my stupid mistake - I was using process.env_STRIPE_SECRET_KEY…(unneeded underscore instead of period. Ugh).

Thanks for all the suggestions. I wasn’t the original poster but hopefully he got it sorted as well.

2 Likes

thanks for keeping us posted! glad it was just a typo - frustrating, but at least not serious :wink:

Hi @witcradg, I’ve been reading up on Lambda functions and environment variables. I went through the functions-playground and ended up creating a Netlify function based on this GREETING example.

It works great! I can see my environment variable displayed on a webpage when I hit the endpoint in my browser. But, I’d like to use it in my app instead.

Sorry for the noob question, how do I retrieve the environment variable (in my case an API key) programmatically and use it in my server.js code?

I couldn’t find any examples of this. I’m probably missing something simple here. Any help is appreciated! :slight_smile:

Thanks!

@marklchaves, is the server.js code intended to be run on the web server or in javascript in the end user’s browser.

If it is the web server itself, this isn’t possible at Netlify. There is a more detailed explanation about this here:

Hi @luke, I really appreciate your prompt reply. Thank you! BTW, the engagement level in this forum is great.

Ok, so I figured it out. And, I documented step-by-step exactly what I did–which I haven’t been able to find yet (hard to believe?).

I put everything in a gist. Comments welcome.

You retrieve environmental variables with a line like this:

const { MY_SCRET_KEY1, MY_SCRET_KEY2 } = process.env

place that line just ABOVE this line

exports.handler = async (event, context) => {

Hey @witcradg,

As I mentioned earlier, that part is working great. That was easy.

It works great! I can see my environment variable displayed on a webpage when I hit the endpoint in my browser. But, I’d like to use it in my app instead.

I just never saw a full lifecycle example start-to-finish. I figured it out on my own and posted my solution as a gist.

Thanks so much for your reply!