9 comments

[ 4.7 ms ] story [ 43.2 ms ] thread
The documentation you link for the stripe API key says

Authenticate your account when using the API by including your secret API key in the request. You can manage your API keys in the Dashboard. Your API keys carry many privileges, so be sure to keep them secret! Do not share your secret API keys in publicly accessible areas such GitHub, client-side code, and so forth.

How is this supposed to work safely, when you need to put the key in the package? Or is the enduser (who wants to donate) somehow expected to have their own API key?

You can check an example here where I use `dotenv`.

https://github.com/bukinoshita/npm-donate/blob/master/exampl...

So the latter? People need to have a stripe API key to use it to donate?
Just the project owner.

1. Project maintainer add `npm-donate`; 2. Creates stripe account; 3. Add API Key; 4. Release;

Users that wants to donate to the project, doesn't need an API key.

Add API key where? I don't get how this authenticates to Stripe without distributing the API key.
To the file where is calling `npm-donate`. But instead of hard code the API Key, you use some sort of dotenv to hide the API key from the end users.

When users install your package, they won't see your API key.

The code on the endusers machine needs the API key to function, since there is no server on the publishers side involved, right? So you have to give the API key to them in some way, if directly embedded in the code or not.
You are right. I will add a warning and try to figure it out a better way. Thanks!