Which statement about server-side keys is true?

Prepare for the Stripe Fundamentals Exam. Study with flashcards, multiple choice questions, and get detailed insights. Enhance your skills with real-world scenarios and explanations. Secure your success today!

Multiple Choice

Which statement about server-side keys is true?

Explanation:
Server-side keys are the credentials your backend uses to call Stripe APIs. They must be kept secret and stored securely because if they ever leak, someone could impersonate your server and perform privileged actions—like creating charges or accessing sensitive account data—without your authorization. That’s why you never put secret keys in client-side code or public repositories. Use environment variables or a dedicated secret management service, apply least-privilege access, rotate keys regularly, and monitor for unusual activity. Tokenization and other client-side operations use the publishable key, not the secret key, so the secret key isn’t needed on the client. By keeping the secret keys safe, you protect your Stripe account and your users’ information.

