Which description applies to the Publishable Key pk_?

• A. Use this on the client-side. They can be publicly accessible in your web or mobile app's client-side code to tokenize payment information.
• B. Use this on the server-side. They must be secret and stored securely in your web or mobile app's server-side code to call stripe APIs.
• C. Use this to sign webhook events.
• D. Use this for admin API access only.

Answer: (A)

Publishable keys are meant for use in client-side code and can be exposed publicly in your app. They let you tokenize payment details with Stripe.js or mobile SDKs, so card data goes directly to Stripe rather than through your server, which helps reduce PCI scope. In contrast, secret keys stay on the server and are used to authenticate requests from your backend to Stripe, so they must never be exposed in client code. Webhook events are verified with a separate webhook signing secret on your server, not with a publishable key. Admin API access is a higher-privilege capability and isn’t intended for client-side use. So the description that matches the publishable key is that it’s used on the client side and is publicly accessible to tokenize payment information.