There's a file on your machine right now at ~/.config/stripe/config.toml. Open it.
[default]
device_name = "your-macbook"
secret_key = "sk_live_51H..."
Your Stripe live key. In a plaintext file. Sitting there permanently from the moment you ran stripe login.
This is not a Stripe bug. It is how the Stripe CLI works by design, it needs the key somewhere it can read it. The problem is that "somewhere it can read it" is also somewhere your AI coding assistant can read it, somewhere any process running as your user can read it, and somewhere that never expires or rotates on its own.
If you use Claude, Cursor, or any AI assistant with filesystem access while working on a Stripe integration, that file is reachable. Not hypothetically — your assistant reads your project directory. Your project directory is on the same machine as that file.
This is the exact issue a developer raised on the AgentSecrets GitHub this week. They were setting up the native Stripe MCP server and noticed the key in config.toml. The question was: how do you get the security model of a zero-knowledge secrets manager while still using the native Stripe tools you actually want to use?
Here's how.
What the Stripe MCP Server and Stripe CLI Actually Need
Both the Stripe MCP server and the Stripe CLI read credentials from the environment. Specifically, they look for STRIPE_API_KEY or STRIPE_SECRET_KEY as environment variables when they start up.
The config.toml file exists as a fallback, when those environment variables aren't set, the CLI falls back to what's stored there. But if you set the environment variable, config.toml becomes irrelevant.
This is the key insight. You don't need to modify Stripe's tools. You just need to inject the right environment variable before they start.
The Fix: agentsecrets env
AgentSecrets stores credentials in the OS keychain — macOS Keychain, Windows Credential Manager, Linux Secret Service. Not a file. Not an environment variable sitting in your shell profile. The OS keychain requires system-level authentication to access and is not readable by other processes or AI assistants.
agentsecrets env wraps any command and injects secrets from the keychain as environment variables at launch. The wrapped process reads from os.environ normally. It has no idea the values came from a keychain. When the process exits, the values are gone.
# Store your Stripe key in the OS keychain
agentsecrets secrets set STRIPE_SECRET_KEY=sk_live_51H...
# Run the Stripe MCP server — key injected from keychain at launch
agentsecrets env -- stripe mcp
# Run the Stripe CLI directly
agentsecrets env -- stripe customers list
agentsecrets env -- stripe listen --forward-to localhost:3000
agentsecrets env -- stripe trigger payment_intent.created
The Stripe CLI and Stripe MCP server start normally, find STRIPE_SECRET_KEY in their environment, and work exactly as expected. The key was never in config.toml for this session.
Setting Up Claude Desktop With the Native Stripe MCP
This is the setup most developers actually want — the native Stripe MCP tools inside Claude Desktop, without the key sitting in a config file.
Step 1: Install AgentSecrets
brew install the-17/tap/agentsecrets
# or
npm install -g @the-17/agentsecrets
# or
pip install agentsecrets
Step 2: Store your Stripe key
agentsecrets init
agentsecrets secrets set STRIPE_SECRET_KEY=sk_live_51H...
Step 3: Authorize the Stripe domain
agentsecrets workspace allowlist add api.stripe.com
Step 4: Update your Claude Desktop config
Instead of configuring the Stripe MCP server directly with a plaintext key, wrap it with AgentSecrets:
{
"mcpServers": {
"stripe": {
"command": "agentsecrets",
"args": ["env", "--", "stripe", "mcp"]
}
}
}
Restart Claude Desktop. The native Stripe MCP tools appear exactly as before. Every tool call works exactly as before. The difference is that your Stripe key is no longer in any config file, it was injected from the OS keychain when the MCP server started.
What About config.toml?
If you've already run stripe login, config.toml already exists with your key in it. The agentsecrets env approach bypasses it but doesn't delete it.
To clean up:
# Remove the stored key from config.toml
stripe config --unset secret_key
# Or remove the file entirely if you only use Stripe through AgentSecrets
rm ~/.config/stripe/config.toml
Going forward, don't run stripe login. Use agentsecrets env -- stripe <command> instead. The key comes from the keychain every time.
Why This Matters for AI-Assisted Development
The specific risk with AI coding assistants isn't that Stripe's servers will leak your key. It's that your local development environment becomes an attack surface when an AI assistant with filesystem access is involved.
Prompt injection — embedding malicious instructions in data the agent processes — is documented and exploited in production. CVE-2026-21852 demonstrated API key exfiltration through malicious project configuration files in AI coding tools. The attack didn't breach any server. It instructed an agent to forward credentials it already had access to.
config.toml is exactly the kind of file that makes that attack trivial. It's at a known path, readable by any process running as your user, and contains a live Stripe key in plaintext.
agentsecrets env removes it from the equation. The Stripe MCP server and Stripe CLI get the credentials they need. Your AI assistant — and anything it might be instructed to do — never has access to the value.
The Complete Workflow
# One-time setup
agentsecrets init
agentsecrets secrets set STRIPE_SECRET_KEY=sk_live_51H...
agentsecrets workspace allowlist add api.stripe.com
# Daily use — Stripe CLI
agentsecrets env -- stripe customers list
agentsecrets env -- stripe listen --forward-to localhost:3000
# Claude Desktop — update config once, never touch it again
# (see config snippet above)
# Verify your key is safe
cat ~/.config/stripe/config.toml # should be empty or absent
agentsecrets secrets list # STRIPE_SECRET_KEY — name only, never value
The Stripe tools work. The key is in the OS keychain. config.toml is empty. Your AI assistant has full Stripe access and zero knowledge of the actual key value.
GitHub: https://github.com/The-17/agentsecrets
ClawHub: https://clawhub.ai/SteppaCodes/agentsecrets
Top comments (0)