# Payment Setup
## PayPal
1. Log in to your [PayPal Developer](https://developer.paypal.com/) account.
2. Click **Dashboard**.
3. Click **Accounts** under Sandbox.
4. Click the email address of the business account whose credentials you're checking.
5. Click **Profile**.
6. Click **API credentials** on the Account details screen.
> If for some reason your API credentials aren't displayed there, you can also find them in your Sandbox account. Click **Close** on the Account details screen and continue with the rest of this procedure.
1. Check the box next to the business account whose credentials you are checking, and then click **Enter Sandbox site**.
2. Log in to that Sandbox business account.
3. Select **Profile** > **My Selling Tools** under the My Account tab.
4. Click **Update** next to API access on the My Profile screen.
5. Click **View API Signature** under Option 2 on the API Access screen. (If **Request API Credentials** appears under Option 2, it may be because you haven't requested your API credentials.)
### **Configure**
`PAYPAL_CLIENT_ID="client_id"`
`PAYPAL_SECRET="secret_key"`
## Stripe
Stripe authenticates your API requests using your account’s API keys. If you do not include your key when making an API request or use one that is incorrect or outdated, Stripe returns an error.
Every account is provided with separate keys for testing and for running live transactions. All API requests exist in either [test or live mode](https://stripe.com/docs/keys#test-live-modes), and objects—customers, plans, coupons, and so forth—in one mode cannot be manipulated by objects in the other.
There are also two types of API keys: *publishable* and *secret*.
* **Publishable** API keys are meant solely to identify your account with Stripe, they aren’t secret. In other words, they can safely be published in places like your Stripe.js JavaScript code, or in an Android or iPhone app.
* **Secret** API keys should be kept confidential and only stored on your own servers. Your account’s secret API key can perform any API request to Stripe without restriction.
Each account has a total of four keys: a publishable and secret key pair for test mode and live mode.
### Obtaining your API keys
Your API keys are always available in the [Dashboard](https://dashboard.stripe.com/account/apikeys). For your convenience, your *test* API keys for your account are:
| Key | Value |
| --------------- | ---------------------------------- |
| **Publishable** | `pk_test_TYooMQauvdEDq54NiTphI7jx` |
| **Secret** | `sk_test_4eC39HqLyjWDarjtT1zdp7dc` |
### Test and live modes
The test and live modes function almost identically, with a few necessary differences:
* In test mode, payments are not processed by card networks or payment providers, and only our [test payment information](https://stripe.com/docs/testing) can be used.
* Some payment methods using [Sources](https://stripe.com/docs/sources) have a more nuanced flow in live mode, with more steps required than those in test mode.
* Disputes also have a more nuanced flow in live mode and a simpler [testing process](https://stripe.com/docs/testing#disputes).
* [Webhooks](https://stripe.com/docs/webhooks) that were not successfully acknowledged are retried three times over a few hours (as opposed to 72 hours for live mode).
### Rolling keys
If an API key is compromised, roll the key in the [Dashboard](https://dashboard.stripe.com/account/apikeys) to block it and generate a new one.
### Configure
`STRIPE_KEY="app_key"`
`STRIPE_SECRET="app_secret"`