Help with an error when integrating the Stripe API into a Laravel application: a Secret API Key is required
Fixing Stripe API Key Error: "This API call cannot be made with a publishable API key"
Hey there, let's sort out this Stripe API issue you're hitting—super common mixup with their key types, so no worries!
First, let's clarify Stripe's two key types
Stripe uses distinct API keys for front-end vs. back-end operations, and mixing them up is exactly what's causing your error:
- Publishable keys (start with pk_): These are safe to use in client-side code (browsers, mobile apps) for things like collecting card details or initializing payment elements. They have limited permissions and can't perform sensitive actions.
- Secret keys (start with sk_): These are for your server-side code only. They have full permissions to handle sensitive operations like creating charges, refunding payments, fetching customer data, or most of the core API calls you'd run from a backend service.
Step-by-step fix
- Identify which API call is failing: Any operation that modifies data, accesses sensitive customer info, or processes payments needs a secret key. If you're running this call from your backend, you definitely need to swap out the publishable key.
- Grab your test secret key: Head to your Stripe Dashboard's API Keys section (test mode) and copy the key starting with sk_test_ (not the pk_test_ one you're currently using).
- Update your code: Replace the publishable key in your server-side code with the secret key. For example, in a Node.js backend:

    // ❌ Wrong: Using publishable key for server-side call
    // (commented out so the snippet declares `stripe` only once)
    // const stripe = require('stripe')('pk_test_yourPublishableKey');

    // ✅ Correct: Using secret key for server-side operations
    const stripe = require('stripe')('sk_test_yourSecretKey');

- Double-check key placement: Make sure publishable keys only live in front-end code, and secret keys stay strictly on your backend—never expose a secret key in client-side JS, HTML, or mobile app bundles (that's a huge security risk!).
If you still run into issues after swapping the key, double-check that you're using the right key for your environment (test vs. live) and that the API call you're making is indeed supported with a secret key (most server-side calls are).
This question originated on Stack Exchange; asked by chirizwacho.
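A startup check that enforces the key rules described above, as an added example that is not part of the original answer: it rejects a pk_ key in server configuration, catches a test/live mismatch, and scans browser-bound text for sk_ keys. The function names and every key value are constructed for illustration, and the pattern assumes the pk_/sk_ and test/live prefixes named in the answer followed by alphanumerics.

```javascript
// Added example, not from the original answer. All key values are constructed.
const KEY_RE = /^(pk|sk)_(test|live)_[A-Za-z0-9]+$/;

// Classify a key by the prefixes the answer describes.
function classifyStripeKey(key) {
  const m = KEY_RE.exec(String(key || '').trim());
  if (!m) return { kind: 'unknown', mode: null };
  return { kind: m[1] === 'sk' ? 'secret' : 'publishable', mode: m[2] };
}

// Call at server startup, before the Stripe client is constructed.
// expectedMode is 'test' or 'live' for the current environment.
function assertServerKey(key, expectedMode) {
  const { kind, mode } = classifyStripeKey(key);
  if (kind === 'publishable') {
    throw new Error('Server is configured with a publishable (pk_) key; use the sk_ key');
  }
  if (kind !== 'secret') {
    throw new Error('Stripe key is missing or not in pk_/sk_ form');
  }
  if (mode !== expectedMode) {
    throw new Error(`Stripe key is a ${mode} key but this environment expects ${expectedMode}`);
  }
  return true;
}

// Scan text destined for the browser (JS bundle, rendered HTML) for secret keys.
// Hits are redacted to the prefix so the report itself does not leak the key.
function findSecretKeys(text) {
  const hits = [];
  const re = /\bsk_(test|live)_[A-Za-z0-9]+/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    hits.push({ index: m.index, mode: m[1], redacted: m[0].slice(0, 8) + '...' });
  }
  return hits;
}

// Constructed sample of a client bundle that wrongly embeds a secret key.
const SAMPLE_BUNDLE =
  "const js = Stripe('pk_test_CONSTRUCTEDpub1');\n" +
  "const backend = 'sk_test_CONSTRUCTEDsec1';\n";
```

Run `assertServerKey` against the configured key when the backend boots, and `findSecretKeys` over built front-end assets in CI so a leaked sk_ key fails the build.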




