I have seen similar questions but none that goes to my point.
I am developing an app with Firebase (no backend) and react-native. Payments are a critical feature of my app, so Stripe is my go-to platform. I am specifically using Stripe Connect, so wrapper packages like npm install --save tipsi-stripe are out of the question.
The problem is that stripe requires me to add the following import to my App.js of my react-native project:
var stripe = require('stripe')('stripe API key');
Question 1: I shouldn't be doing this because then basically anyone downloading my app will have access to the API key, right?
Question 2: Should I use HTTPS (for example: the axios package) to connect to Firebase Cloud Functions and then send all sensitive information over there and do the API requests to Stripe from within the Cloud Functions?
Sorry if the question is a bit obvious for some, I just want to be sure of what I am doing, since it is the first time I am implementing Stripe.
EDIT
I ended up using the react native package tipsi-stripe to tokenize (=== safely handle) the card and bank account information and I would then do any request to Stripe through a cloud-function HTTPS trigger to keep the Stripe API key secret.
I haven't used the Stripe API, but this sounds like something that should be done on the backend to secure your API key. Look into creating an HTTP endpoint in Firebase Functions that will fire off all the requests to Stripe and keep your API key hidden.
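The backend endpoint this answer describes, sketched as an added example that is not part of the original question or answer: the app sends only a token ID and a product ID, and the Cloud Function holds the secret key and decides the amount. `PRICES_CENTS`, `makeChargeHandler`, the `token`/`productId` request fields and the `STRIPE_SECRET_KEY` variable name are assumptions for illustration; the Stripe client is injected so the block runs without the `stripe` package installed.

```javascript
// Added example: server-side charge handler. PRICES_CENTS, makeChargeHandler and the
// request field names are hypothetical, not taken from the original post.

// Prices live on the server so a modified client cannot choose its own amount.
const PRICES_CENTS = { basic: 500, premium: 1500 }; // constructed sample data

// Validate the client's JSON body and build the Stripe charge parameters.
function buildChargeRequest(body) {
  const { token, productId } = body || {};
  // Accept only a token ID produced by client-side tokenization, never card fields.
  if (typeof token !== 'string' || !/^tok_[A-Za-z0-9]+$/.test(token)) {
    return { ok: false, status: 400, error: 'invalid token' };
  }
  if (!Object.prototype.hasOwnProperty.call(PRICES_CENTS, productId)) {
    return { ok: false, status: 400, error: 'unknown product' };
  }
  return { ok: true, params: { amount: PRICES_CENTS[productId], currency: 'usd', source: token } };
}

// Returns an Express-style (req, res) handler, the shape Firebase HTTPS functions use.
// `stripe` is injected, so the secret key is only ever loaded in server code.
function makeChargeHandler(stripe) {
  return async (req, res) => {
    if (req.method !== 'POST') return res.status(405).json({ error: 'POST only' });
    const built = buildChargeRequest(req.body);
    if (!built.ok) return res.status(built.status).json({ error: built.error });
    try {
      const charge = await stripe.charges.create(built.params);
      // Return only what the app needs, not the full Stripe object.
      return res.status(200).json({ id: charge.id, status: charge.status });
    } catch (err) {
      console.error('stripe charge failed:', err.message); // details stay in server logs
      return res.status(502).json({ error: 'payment failed' });
    }
  };
}

// Wiring inside functions/index.js (deployed to Firebase, never shipped in the app bundle):
//   const functions = require('firebase-functions');
//   const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY); // assumed variable name
//   exports.charge = functions.https.onRequest(makeChargeHandler(stripe));
```

A deployed version would also verify the caller's Firebase Authentication ID token before creating the charge, since an HTTPS function URL is reachable by anyone.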