diff --git a/morph/grid.config.json b/morph/grid.config.json
index 5b848d31264fb84017752a76376467466c717f35..c6ee26422d3af52d7618ffc84add6fc825e3f4d4 100644
--- a/morph/grid.config.json
+++ b/morph/grid.config.json
@@ -1,5 +1,6 @@
 { "publicStoragePort": 8898
 , "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
+, "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
 , "issuerDomain": "payments.privatestorage.io"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 }
diff --git a/morph/issuer.nix b/morph/issuer.nix
index ddf01bdfc832a13aee357475ef639c539ea5bda3..57ffd009d58064830a30d30af926263962dcc5d7 100644
--- a/morph/issuer.nix
+++ b/morph/issuer.nix
@@ -1,5 +1,6 @@
 { hardware
 , ristrettoSigningKeyPath
+, stripeSecretKeyPath
 , issuerDomain
 , letsEncryptAdminEmail
 , stateVersion
@@ -27,6 +28,7 @@
     enable = true;
     # XXX This should be passed as a path.
     ristrettoSigningKey = builtins.readFile (./.. + ristrettoSigningKeyPath);
+    stripeSecretKeyPath = ./.. + stripeSecretKeyPath;
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
     inherit letsEncryptAdminEmail;
diff --git a/morph/testing-grid.config.json b/morph/testing-grid.config.json
index 018367db9da09364c718a521dd28ef06a2642288..46cf4ff25c5eb0c6dffdba01f774c7862e300aa3 100644
--- a/morph/testing-grid.config.json
+++ b/morph/testing-grid.config.json
@@ -1,5 +1,6 @@
 { "publicStoragePort": 8898
 , "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
+, "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
 , "issuerDomain": "payments.privatestorage-staging.com"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 }
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index fc0d2355f204c3192133e3d63c210aefce7a467b..b22cb07f749d85daed41bd4dcd59652bf266a37c 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -49,6 +49,13 @@ in {
         ``Ristretto``.
       '';
     };
+    services.private-storage-issuer.stripeSecretKeyPath = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The path to a file containing a Stripe secret key to use for charge
+        and payment management.
+      '';
+    };
     services.private-storage-issuer.database = lib.mkOption {
       default = "Memory";
       type = lib.types.enum [ "Memory" "SQLite3" ];
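Review bot: The description of `stripeSecretKeyPath` does not say where the file has to exist or what happens to its contents. Later in this file the path is consumed with `builtins.readFile`, so the file is read while the configuration is evaluated and must be present on the evaluating machine rather than on the issuer host. I would extend the description with something like `The file is read when the configuration is evaluated and its contents become part of the generated service command line.` so that operators know the key does not stay in that file.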
@@ -124,8 +131,9 @@ in {
             else
               # Only for automated testing.
               "--http-port 80";
+          stripeArgs = "--stripe-key ${builtins.readFile cfg.stripeSecretKeyPath}";
         in
-          "${cfg.package}/bin/PaymentServer-exe ${issuerArgs} ${databaseArgs} ${httpsArgs}";
+          "${cfg.package}/bin/PaymentServer-exe ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
     };
 
     # Certificate renewal.  We must declare that we *require* it in our
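Review bot: The new `stripeArgs` line splices the Stripe secret itself into the service command string, because `builtins.readFile cfg.stripeSecretKeyPath` runs at evaluation time. The enclosing attribute starts outside the hunk, but if this string becomes the unit's start command, the key lands in the world-readable Nix store and in the process arguments, which other local users can read. A trailing newline in the key file would also be interpolated verbatim and could break the command line. The safer design is to hand the process only a runtime path to a root-owned file on the target, delivered out of band (morph's `deployment.secrets` looks like a fit), assuming PaymentServer can read the key from a file. For that, the option should be a string such as `lib.types.str`, since interpolating a `lib.types.path` value copies the file into the store.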
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index b731404dcad8c6b0729778f9778e9fdbec311b26..9028691fc8edb133b5c048291cd5f0741f6f4ea1 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -17,6 +17,9 @@ let
   # world at large.
   ristrettoSigningKey = "wumQAfSsJlQKDDSaFN/PZ3EbgBit8roVgfzllfCK2gQ=";
 
+  # Ugh.
+  stripeSecretKey = "sk_test_blubblub";
+
   # Here are the preconstructed secrets which we can assign to the introducer.
   # This is a lot easier than having the introducer generate them and then
   # discovering and configuring the other nodes with them.
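Review bot: The comment `# Ugh.` above `stripeSecretKey` does not tell a reader, or someone triaging a secret-scanner hit on the `sk_test_` prefix, whether the value is a real credential. The neighbouring `ristrettoSigningKey` carries an explanatory comment (it starts outside the hunk), and this line deserves the same. Assuming the value is indeed a dummy, I would replace the comment with `# A made-up placeholder, not a key issued by Stripe; it exists only so the issuer service can start in the automated test.`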
@@ -85,6 +88,8 @@ import <nixpkgs/nixos/tests/make-test.nix> {
         tls = false;
         issuer = "Ristretto";
         inherit ristrettoSigningKey;
+        stripeSecretKeyPath = pkgs.writeText "stripe.secret" stripeSecretKey;
+        letsEncryptAdminEmail = "user@example.invalid";
       };
     } // networkConfig;
   };
diff --git a/nixos/pkgs/zkapissuer-repo.nix b/nixos/pkgs/zkapissuer-repo.nix
index 433ecfba94c162fd1ec4159cb34eedcf37b16b41..af0eda33aeccbe01d71407123129330326d7b6ba 100644
--- a/nixos/pkgs/zkapissuer-repo.nix
+++ b/nixos/pkgs/zkapissuer-repo.nix
@@ -4,6 +4,6 @@ in
   pkgs.fetchFromGitHub {
     owner = "PrivateStorageio";
     repo = "PaymentServer";
-    rev = "6dfc02e395fbbec2c70a109874227ab21bddbb25";
-    sha256 = "1zc8cxc37zixsh8zcqasvg07rfsravlx0bhnx6zv9c5srm37iqap";
+    rev = "c5651f58ff564f00cfcdb4c73584817b9197f7a6";
+    sha256 = "1gmx4c82h95lkmqdklak3kpj6gkpp57hwc309h4798sclgvp287b";
   }
\ No newline at end of file