stripe-best-practices
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
Full Analysis
- API Key Management: The skill emphasizes the use of Restricted API Keys (RAKs) over standard secret keys, which is a security best practice following the principle of least privilege. It also provides detailed instructions on secure secret storage using vaults and environment variables.
- Webhook Security: There is clear guidance on verifying webhook signatures to ensure data integrity and authenticity, which prevents request spoofing.
- Credential Safety: The instructions explicitly warn against including API keys in source code, client-side applications, or logging systems, providing a robust framework for preventing accidental credential exposure.
- Secure Integration Patterns: The skill recommends using Stripe-hosted onboarding and pre-built UI components like the Payment Element, which reduces the complexity of maintaining PCI compliance and handling sensitive PII.
Audit Metadata