Paystack Secret Keys

[collinsmarra]

Hello,

I am currently investigating an issue with using paystack live key in flutter.
In your official example I see sk_test_4daeaa768f986a546516cd9a5d101f657ea4f1d3 which means when we build for prod we will have the live key somewhere in the environment variables and we will have to build it with the app.

Why not use the paystack live public key pk_live_524224fb10a9719320dfa3acd4d3f741a16142cd for flutter?

Because when .apk is genrated, an attacker can just grep the string in the binary and boom, the key is exposed.

[VhiktorBrown]

Hello,

I am currently investigating an issue with using paystack live key in flutter. In your official example I see sk_test_4daeaa768f986a546516cd9a5d101f657ea4f1d3 which means when we build for prod we will have the live key somewhere in the environment variables and we will have to build it with the app.

Why not use the paystack live public key pk_live_524224fb10a9719320dfa3acd4d3f741a16142cd for flutter?

Because when .apk is genrated, an attacker can just grep the string in the binary and boom, the key is exposed.

Hello @collinsmarra
You're right that an attacker can reverse your app and get access to your live key if you store it in your env.

Also, to be able to call Paystack's checkout endpoint, you need to use your Secret key. It is a requirement. Public keys are used on the client side mostly to display the pop up on the browser.

To solve your issue, you should consider fetching your public key at run time. Firebase Remote Config is a tool you can use. There's also flutter_secure_dotenv that you could explore so that your secret key is not accessible to malicious actors or just anyone.