I am trying to craft a stripe-cli invocation which would make it work in live mode by using an API key.
For example, to listen to events.
One way which works is

```
stripe listen --live --api-key rk_live_... --forward-to localhost:4242
```
The downside is that the live API key is visible in the process list, and it's visible to all sorts of other processes. I intend to run this on my own server but there are many processes on that machine, not all in containers, and I am very uncomfortable with this exposure of API key. This is a broadly recognized risk and most utilities don't give the user any way to put a secret token onto command line.
So I am looking at putting the API key into the config file. Inexplicably, stripe-cli destroys it in the config file and says it will not use the API key passed:
```
stripe listen --live --forward-to localhost:4242
(!) Livemode value found for the field 'live_mode_api_key' in your config file.
Livemode values from the config file will be redacted and will not be used.
Checking for new versions...
```
For some reason the process keeps running, which might be a sign it actually picked up the key and will do the job it was invoked for, but it's hard to tell because events happen rarely on my account, and that would be contrary to what the process said it would do.
I cannot fathom why the tool accepts an insecure mode of operation (the first one) with no complaint, but refuses to operate orderly in the second mode, which has no apparent security problems, or at least the tool makes no attempt to justify itself. I found no prior discussion of this behaviour. I question my own understanding despite having spent many hours with stripe-cli and many years in software development, because it can't possibly be that such a big, successful and developer-oriented company as Stripe missed such basics after 5 years of development of this tool.
Thanks for your attention.
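
An added example, not part of the original issue or of stripe-cli: a shell audit that checks a procfs tree for processes whose argv carries a Stripe live-mode key, which is the exposure the issue describes for `--api-key`. The function names, the `sk_live_` prefix checked alongside the issue's `rk_live_`, and the fixture key are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: report processes that expose a Stripe live key in argv.
# Output is "<pid> <argv with the key redacted>"; the key itself is never printed.

find_exposed_keys() {
    proc_root="${1:-/proc}"
    for f in "$proc_root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # argv entries in cmdline are NUL-separated; make them space-separated
        args=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        case "$args" in
            *rk_live_*|*sk_live_*) ;;   # live-mode key prefixes (sk_live_ is an assumption)
            *) continue ;;
        esac
        pid=${f%/cmdline}
        pid=${pid##*/}
        redacted=$(printf '%s' "$args" |
            sed -E -e 's/((rk|sk)_live_)[A-Za-z0-9]+/\1[REDACTED]/g' -e 's/ +$//')
        printf '%s %s\n' "$pid" "$redacted"
    done
}

# Constructed fixture: a fake procfs with one leaking and one clean process.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/102"
    printf 'stripe\0listen\0--live\0--api-key\0rk_live_CONSTRUCTEDexample0001\0--forward-to\0localhost:4242\0' \
        > "$root/101/cmdline"
    printf 'stripe\0listen\0--forward-to\0localhost:4242\0' > "$root/102/cmdline"
    printf '%s\n' "$root"
}

# Audit the constructed tree; on a real Linux host call find_exposed_keys /proc.
fixture=$(make_fixture)
find_exposed_keys "$fixture"
rm -rf "$fixture"
```

Run as an unprivileged user on the server, this shows what any other local account can read from the process list while `stripe listen --api-key ...` is running.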