
Show HN: Npm donate - bukinoshita
https://github.com/bukinoshita/npm-donate
======
detaro
The documentation you link for the Stripe API key says

_Authenticate your account when using the API by including your secret API
key in the request. You can manage your API keys in the Dashboard. Your API
keys carry many privileges, so be sure to keep them secret! Do not share your
secret API keys in publicly accessible areas such as GitHub, client-side code,
and so forth._

How is this supposed to work safely, when you need to put the key in the
package? Or is the end user (who wants to donate) somehow expected to have
their own API key?

~~~
bukinoshita
You can check an example here where I use `dotenv`.

[https://github.com/bukinoshita/npm-donate/blob/master/exampl...](https://github.com/bukinoshita/npm-donate/blob/master/example/lib/donate.js)

~~~
detaro
So the latter? People need to have a Stripe API key to use it to donate?

~~~
bukinoshita
Just the project owner.

1. Project maintainer adds `npm-donate`;
2. Creates Stripe account;
3. Adds API key;
4. Releases;

Users that want to donate to the project don't need an API key.

~~~
detaro
Add API key _where_? I don't get how this authenticates to Stripe without
distributing the API key.

~~~
bukinoshita
To the file that is calling `npm-donate`. But instead of hard-coding the API
key, you use some sort of dotenv to hide the API key from the end users.

When users install your package, they won't see your API key.

~~~
detaro
The code on the end user's machine needs the API key to function, since there is
no server on the publisher's side involved, right? So you have to give the API
key to them in _some way_, if directly embedded in the code or not.

~~~
bukinoshita
You are right. I will add a warning and try to figure out a better way.
Thanks!

~~~
bukinoshita
fixed! released v0.0.2
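
The problem raised in this thread, as an added example that is not from the thread or from the npm-donate project: a pre-publish check a maintainer could run over the files about to be shipped, flagging bundled `.env` files and strings shaped like Stripe secret or restricted keys (`sk_`/`rk_` prefixes). The function name `scanPackageFiles`, the file names and the key value are constructed for illustration.

```javascript
// Added example (not npm-donate code). Flags Stripe secret/restricted keys and
// .env files among the files a package would publish.
const SECRET_KEY_RE = /\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{16,}\b/g;
const ENV_FILE_RE = /(^|\/)\.env(\.[\w.-]+)?$/;

// files: object mapping package-relative path -> file content (string).
// Returns findings of the form { file, reason, line, preview? }.
function scanPackageFiles(files) {
  const findings = [];
  for (const [file, content] of Object.entries(files)) {
    // A published .env file travels with the package to every installer.
    if (ENV_FILE_RE.test(file)) {
      findings.push({ file, reason: 'env-file-in-package', line: 0 });
    }
    content.split(/\r?\n/).forEach((text, i) => {
      for (const key of text.match(SECRET_KEY_RE) || []) {
        // Report only a short prefix so the scanner's output does not leak the key.
        findings.push({ file, reason: 'stripe-secret-key', line: i + 1,
                        preview: key.slice(0, 8) + '...' });
      }
    });
  }
  return findings;
}

// Constructed sample package; fakeKey is not a real Stripe key.
const fakeKey = 'sk_live_' + 'A1b2C3d4'.repeat(3);
const samplePackage = {
  'package.json': '{ "name": "example-cli", "version": "0.0.1" }',
  // dotenv reads this file at runtime, so it has to ship for the code to work.
  '.env': 'STRIPE_KEY=' + fakeKey + '\n',
  'lib/donate.js': "require('dotenv').config()\nconst key = process.env.STRIPE_KEY\n",
  'lib/legacy.js': "const key = '" + fakeKey + "'\n",
};

for (const f of scanPackageFiles(samplePackage)) {
  console.log(`${f.file}:${f.line} ${f.reason} ${f.preview || ''}`);
}
```

`lib/donate.js` itself scans clean because it only reads `process.env`, yet the key is still flagged in the bundled `.env`, which is the file the end user's machine would need.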

