- Public key (mk_…) — identifies your manufacturer account; safe in client code
- Secret key (msk_…) — privileged; must never reach a client
Mock and local dev
In development the starter reads keys from .env.local, which is git-ignored.
That’s fine locally — but .env values bundled into a client build are not
secret. The secret key needs a server-side home for production.
In production
Keep the secret key on a server you control and have the client talk to that, not the API directly. The app ships only the public key. The starter ships a
docs/SECURITY.md with the exact setup for your copy.
Follow it before any production release.

