After checkout completes, the Stripe webhook provisions a customer record, generates a key, and activates enforcement limits. Your account page lets you reveal the key once.

The plaintext value is available once so it can be safely transferred into your secret manager. After reveal, encrypted key material is removed.

Store the key in a secret manager (GCP Secret Manager, AWS Secrets Manager, HashiCorp Vault) and load it into your service at runtime. Do not hardcode keys into client-side code.

Keys map to monthly limits and a per-minute rate limit. The gateway enforces limits before calling the enforcement runtime, keeping behavior deterministic under load.