Managing Your Account

This guide covers some of the basics of setting up and using your account. If you need help after reading this, check out our answers to common questions.

As you begin to integrate Stripe into your website or app, you'll want to know about the following account features and processes:

Test and live modes

Every account is divided into two universes: one for testing and one for running live transactions. All API requests exist in one of those two universes, and objects—customers, plans, coupons, and so forth—in one universe cannot be manipulated by objects in the other.

The test and live modes were designed to function almost identically, with a few necessary differences:

  • In test mode, credit card transactions are not processed through the actual card networks and only our test card numbers can be used
  • Test mode allows you to fake having a Stripe balance in order to test (fake) transfers
  • Alternative payment methods such as Bitcoin have a more nuanced flow in live mode, with more steps required than those in test mode
  • Disputes also have a more nuanced flow in live mode, and a simpler testing process

Specific values to use and steps to take for testing purposes are on our testing page.

API keys

Related to these universes are your API keys, available through the Dashboard. Each key exists either in the live universe or in the test universe, and this is how Stripe tells what universe you are interacting with. You should only use your test API keys for testing. This will make sure that you don't accidentally modify your live customers or charges.

If you cannot see your API keys in the Dashboard, this means that you are not an administrator for the account, and have only Read & Write or Read Only access. You will need to contact your Stripe account's administrator to request access to view the API keys.

In addition to live and test mode, there are also two types of API keys: publishable and secret.

  • Publishable API keys are meant solely to identify your account with Stripe, they aren't secret. In other words, they can safely be published in places like your Stripe.js JavaScript code, or in an Android or iPhone app. Publishable keys only have the power to create tokens.

  • Secret API keys should be kept confidential and only stored on your own servers. Your account's secret API key can perform any API request to Stripe without restriction.

Activating your account

Before activating your account, you can only interact with Stripe in test mode. All of Stripe's features are available in test mode, though no live charges using the card networks can be created.

Activating your account is a simple process: you fill out a form requesting some basic information about your product, your business, and your own personal relationship to your business. Once you've activated your account, you can immediately start using the live API and charge real cards.

Your account details are reviewed internally to ensure they comply with our terms of service. If we see a problem, we'll get in touch right away to resolve it as quickly as possible.

Keeping your account safe

Once you've set up your account, you'll want to keep it safe. Here are some recommendations:

  • Keep private information private. Your password should be known only to you, and your secret API keys kept confidentially on your own servers. As a reminder, Stripe employees will never ask you for them.

  • Don't reuse your Stripe password. Your password should be unique to Stripe. If you use your password on another site and that site is compromised, an attacker could use those stolen credentials to take over your account.

  • Update your computer and browser regularly. We recommend configuring your computer to automatically download and install updates. (OS X, Windows) This helps protect your system against automated attacks and malware.

  • Beware of phishing. All genuine Stripe sites use the stripe.com domain and are HTTPS. If you get an email from us that you don't expect, go directly to our site to log in. Do not enter your password after clicking a link in email. If you're ever not sure it's really us, here's what to do.

  • Add your mobile number to your account. If you do, we'll text you a short numeric code when you attempt to log in from a new device which you'll need to provide to complete the login process. This means even if someone steals your username and password, they won't be able to log in. To use this feature, go to your account settings and enable two-step verification.