The Stripe CLI Stores Your API Key in Plaintext. Here's the Fix.
NewsTools


via Dev.to, by The Seventeen

There's a file on your machine right now at ~/.config/stripe/config.toml. Open it.

    [default]
    device_name = "your-macbook"
    secret_key = "sk_live_51H..."

Your Stripe live key. In a plaintext file. Sitting there permanently from the moment you ran stripe login.

This is not a Stripe bug. It is how the Stripe CLI works by design: it needs the key somewhere it can read it. The problem is that "somewhere it can read it" is also somewhere your AI coding assistant can read it, somewhere any process running as your user can read it, and somewhere that never expires or rotates on its own.

If you use Claude, Cursor, or any AI assistant with filesystem access while working on a Stripe integration, that file is reachable. Not hypothetically — your assistant reads your project directory. Your project directory is on the same machine as that file.

This is the exact issue a developer raised on the AgentSecrets GitHub this week. They were setting up the native Stripe MCP server and noticed the key in
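A quick way to audit your own machine for the condition the excerpt describes is a shell check that looks at the config file, reports whether it holds a plaintext secret_key, and reports whether the file is readable by anyone beyond its owner. The script below is an added example, not code from the Dev.to article, from AgentSecrets, or from the Stripe CLI; the function names, return codes and the placeholder key are my own, and the default path is the one the article names.

```shell
#!/bin/sh
# Added audit script; not code from the Dev.to article or from the Stripe CLI.
# It checks whether a Stripe CLI config file holds a plaintext secret key and
# whether that file is readable by more than its owner. The default path is
# the one the article names; function names and return codes are assumptions.

# check_stripe_config [path]
# Exit status: 0 = no plaintext key found, 1 = key present but file is
# owner-only, 2 = key present and file is readable by group or others.
check_stripe_config() {
    cfg="${1:-$HOME/.config/stripe/config.toml}"
    if [ ! -f "$cfg" ]; then
        echo "OK: no Stripe CLI config at $cfg"
        return 0
    fi
    # `stripe login` writes the key as: secret_key = "sk_live_..." (or sk_test_).
    if ! grep -Eq '^[[:space:]]*secret_key[[:space:]]*=[[:space:]]*"sk_(live|test)_' "$cfg"; then
        echo "OK: no plaintext secret key in $cfg"
        return 0
    fi
    keytype=$(grep -Eo 'sk_(live|test)_' "$cfg" | head -n 1)
    # Octal permission bits; GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    # The last two octal digits are the group and other permission bits.
    group_other=$(printf '%s' "$mode" | tail -c 2)
    if [ "$group_other" != "00" ]; then
        echo "WARN: ${keytype}key in $cfg, mode $mode, readable beyond the owner"
        return 2
    fi
    echo "NOTE: ${keytype}key in $cfg, mode $mode, owner-only but still plaintext"
    return 1
}

# write_sample_config <path>: constructed config in the shape the article shows,
# with a placeholder key, so the check can be exercised without a real login.
write_sample_config() {
    printf '[default]\ndevice_name = "your-macbook"\nsecret_key = "sk_test_PLACEHOLDER_NOT_A_REAL_KEY"\n' > "$1"
}

# Demo against a constructed file in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/config.toml"
chmod 644 "$demo_dir/config.toml"
check_stripe_config "$demo_dir/config.toml"   # WARN, status 2
chmod 600 "$demo_dir/config.toml"
check_stripe_config "$demo_dir/config.toml"   # NOTE, status 1
rm -rf "$demo_dir"
```

Run it with no argument to inspect your real config. A non-zero status from the check is the point of the article: even at mode 600 the key is still plaintext and still readable by any process running as you, so the permission check only separates the bad case from the worse one; the fix the article is leading to is keeping the key out of that file altogether.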

Continue reading on Dev.to
