Stripe Test Keys in Live Bundles — 30-Second Detection

Test-mode Stripe keys (sk_test_ / pk_test_) in a production bundle mean your checkout never actually charges. It is a surprisingly common vibe-coded bug. Here's how to catch it.
The bug happens every week: Cursor / Claude writes the Stripe integration with pk_test_ because the dev env was still set, and the prod deploy ships that key to the browser.
Your "purchases" succeed in test mode, users see "Payment succeeded" — and your Stripe dashboard shows zero live revenue.
Detect
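curl -s https://your-app.com/ | grep -oE '/_next/static/chunks/[^"]+\.js' | sort -u | while read -r p; do curl -s "https://your-app.com$p"; done | grep -oE "pk_(test|live)_[A-Za-z0-9]{20,}" | sort -u
curl does not expand * in a URL, so the chunk paths are read from the page's HTML first and each chunk is fetched in turn. If pk_test_ is present on a production domain, stop the presses.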
The inverse failure
Live keys in the client bundle. pk_live_ is publishable — that's fine. sk_live_ on the client is catastrophic. Grep for it:
curl -s https://your-app.com/ | grep -oE '/_next/static/chunks/[^"]+\.js' | sort -u | while read -r p; do curl -s "https://your-app.com$p"; done | grep -oE "sk_live_[A-Za-z0-9]{20,}"
Any match → rotate the key within the hour. Stripe's fraud team is faster than you.
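The same two checks can also gate a deploy by scanning the build output before it ships, which goes one step beyond the live-site grep above. This is an added example, not code from the original article or from VibeWShield: the function names, severity labels and return codes are assumptions, the key bodies are constructed fakes, and `.next/static/chunks` is an assumed build path.

```sh
#!/bin/sh
# Added example: gate a deploy on Stripe keys found in built JS chunks.
# Return codes (assumed convention): 0 clean, 1 test-mode publishable key, 2 secret key.
KEY_RE='(pk|sk)_(test|live)_[A-Za-z0-9]{20,}'

scan_bundle_dir() {
  dir=$1; worst=0
  hits=$(find "$dir" -type f -name '*.js' -exec grep -HoE "$KEY_RE" {} + 2>/dev/null | sort -u)
  [ -z "$hits" ] && return 0
  while IFS= read -r line; do
    file=${line%:*}; key=${line##*:}   # grep -H prints "file:match"; keys contain no ':'
    case $key in
      sk_live_*) sev=CRITICAL_rotate_now;  rank=2 ;;
      sk_test_*) sev=SECRET_KEY_IN_CLIENT; rank=2 ;;
      pk_test_*) sev=TEST_MODE_IN_PROD;    rank=1 ;;
      *)         sev=ok_publishable_live;  rank=0 ;;
    esac
    if [ "$rank" -gt "$worst" ]; then worst=$rank; fi
    # Log a 12-character prefix only, so the key never lands in CI output.
    printf '%s %.12s... %s\n' "$sev" "$key" "$file"
  done <<EOF
$hits
EOF
  return "$worst"
}

# Constructed sample build; the key bodies are fake and assembled at runtime.
make_sample_build() {
  out=$(mktemp -d) || return 1
  body=EXAMPLEnotARealKey0000000
  printf 'Stripe("%s_%s_%s");\n' pk test "$body" > "$out/checkout.js"
  printf 'const s="%s_%s_%s";\n' sk live "$body" > "$out/leak.js"
  printf 'Stripe("%s_%s_%s");\n' pk live "$body" > "$out/ok.js"
  printf '%s\n' "$out"
}

# Demo on the sample; in CI, call: scan_bundle_dir .next/static/chunks || exit $?
sample=$(make_sample_build) && { scan_bundle_dir "$sample" || echo "status=$?"; }
rm -rf "$sample"
```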
VibeWShield's built-in check
The Secrets scanner runs the regex above across every JS chunk found via discovery. It runs in Quick mode, and the total scan takes two minutes.