I saved the secret key just inside of the pay function. However, people keep telling me my app could be cracked easily, and then I will be in debt.
What does everyone else do?
Thank you!

@brilliantjc basically, in the environment. For now, we are storing tokens on the backend.
Do you need to encrypt it? In what way?
No, we don't encrypt secret keys on the backend side. But there is no way to get these keys via the API.
Because on China's most popular shopping website, people can easily purchase 2.1 billion app credits/coins by paying 5 RMB ($0.8).
So, just wondering, do we need to be concerned about that if someone hacks into our database? Mine is Firebase.

Your client app should never have the secret key and should not be able to get it.
All operations should be done on the backend side. As long as you have no critical vulnerabilities that allow someone to get inside your backend server, you are safe. I cannot comment on Firebase as a database for secure information; you should ensure that only your backend server can get this information.
If you're using Firebase, use Firebase cloud functions (on the backend) with your secret key to process charges. Create payment source tokens on the client-side (in your app) with your publishable key.
An example of cloud functions:
https://github.com/firebase/functions-samples/blob/master/stripe/functions/index.js
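The split described in the replies above, sketched as an added example (not code from this thread or from the linked Firebase sample): the backend reads the secret key from its environment, the app sends only a product id and a source token, and the amount is looked up on the server. The `STRIPE_SECRET_KEY` variable name, the `PRICES` table, the function names and the injected `client` are assumptions made for illustration.

```javascript
'use strict';
// Server-side price list (constructed sample data). The app sends a product id
// and a source token only; an amount sent by the client is ignored.
const PRICES = {
  coins_100: { amount: 99, currency: 'usd' },
  coins_1000: { amount: 799, currency: 'usd' },
};

// Read the secret key from the backend environment. STRIPE_SECRET_KEY is an
// assumed variable name. A publishable key (pk_...) here is a deployment mistake.
function loadSecretKey(env) {
  const key = env.STRIPE_SECRET_KEY;
  if (typeof key !== 'string' || key === '' || key.startsWith('pk_')) {
    throw new Error('STRIPE_SECRET_KEY is missing or is not a secret key');
  }
  return key;
}

// Turn an untrusted request body into charge parameters, or throw.
function buildCharge(body) {
  const { productId, sourceToken } = body || {};
  if (typeof productId !== 'string' ||
      !Object.prototype.hasOwnProperty.call(PRICES, productId)) {
    throw new Error('unknown product');
  }
  if (typeof sourceToken !== 'string' || !/^(tok|src)_[A-Za-z0-9_]+$/.test(sourceToken)) {
    throw new Error('invalid source token');
  }
  const { amount, currency } = PRICES[productId];
  return { amount, currency, source: sourceToken };
}

// Handler body for a backend endpoint. `client` is injected so this runs
// offline; in production it would be require('stripe')(loadSecretKey(process.env)).
async function handleCharge(body, client) {
  let params;
  try {
    params = buildCharge(body);
  } catch (err) {
    return { status: 400, body: { error: err.message } };
  }
  const charge = await client.charges.create(params);
  // Return only what the app needs; the key and raw API response stay server-side.
  return { status: 200, body: { chargeId: charge.id, amount: charge.amount } };
}
```

Because the amount comes from `PRICES` on the server, a modified app that sends its own `amount` field still pays the listed price.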