As you begin to integrate Stripe into your website or app, you'll want to know about the following account features and processes:
Test and live modes
Every account is divided into two universes: one for testing, and one for running on your live website. All API requests exist in one of those two universes, and objects in one universe cannot be manipulated by objects in the other.
Related to these universes are your API keys, available through the Dashboard. Each key exists either in the live universe or in the test universe, and this is how Stripe tells what universe you are interacting with. You should only use your test API keys for testing. This will make sure that you don't accidentally modify your live customers or charges.
If you cannot see your API keys in the Dashboard, this means that you are not an administrator for the account, and have only Read & Write or Read Only access. You will need to contact your Stripe account's administrator to request access to view the API keys.
In addition to live and test mode, there are also two types of API keys: publishable and secret.
Secret API keys should be kept confidential and only stored on your own servers. Your account's secret API key can perform any API request to Stripe without restriction.
Activating your account
Before activating your account, you can only interact with Stripe in test mode. All of Stripe's features are available in test mode, though no live charges using the card networks can be created.
Activating your account is a simple process: you fill out a form requesting some basic information about your product, your business, and your own personal relationship to your business. Once you've activated your account, you can immediately start using the live API and charge real cards.
Your account details are reviewed internally to ensure they comply with our terms of service. If we see a problem, we'll get in touch right away to resolve it as quickly as possible.
Keeping your account safe
Once you've set up your account, you'll want to keep it safe. Here are some recommendations:
Keep private information private. Your password should be known only to you, and your secret API keys kept confidentially on your own servers. As a reminder, Stripe employees will never ask you for them.
Don't reuse your Stripe password. Your password should be unique to Stripe. If you use your password on another site and that site is compromised, an attacker could use those stolen credentials to take over your account.
Update your computer and browser regularly. We recommend configuring your computer to automatically download and install updates. (OS X, Windows) This helps protect your system against automated attacks and malware.
Beware of phishing. All genuine Stripe sites use the stripe.com domain and are HTTPS. If you get an email from us that you don't expect, go directly to our site to log in. Do not enter your password after clicking a link in email. If you're ever not sure it's really us, here's what to do.
Add your mobile number to your account. If you do, we'll text you a short numeric code when you attempt to log in from a new device which you'll need to provide to complete the login process. This means even if someone steals your username and password, they won't be able to log in. To use this feature, go to your account settings and enable two-step verification.