diff --git a/apps/api/src/lib/stripe.ts b/apps/api/src/lib/stripe.ts
index b9d5e80..873bbd2 100644
--- a/apps/api/src/lib/stripe.ts
+++ b/apps/api/src/lib/stripe.ts
@@ -10,9 +10,20 @@ import { getRedis } from './redis.js';
 */
 export const stripe: Stripe | null = config.STRIPE_SECRET_KEY
 ? new Stripe(config.STRIPE_SECRET_KEY, {
- // biome-ignore lint/suspicious/noExplicitAny: SDK type lags behind real API version strings
- apiVersion: '2025-10-29.acacia' as any,
+ // Must match the version the installed SDK (stripe@22) is built against —
+ // its types expose ui_mode: 'embedded_page', which only exists from this
+ // version on. Pinning the older '2025-10-29.acacia' made Stripe reject the
+ // embedded checkout create call (acacia still used ui_mode: 'embedded').
+ apiVersion: '2026-04-22.dahlia',
 typescript: true,
+ // Fail fast + visibly. Without a tight timeout, a wedged Stripe call (bad
+ // version, egress hiccup) hangs past Cloudflare's ~100s edge limit, and
+ // CF returns its own 5xx WITHOUT our CORS headers — which surfaces in the
+ // browser as an opaque "No Access-Control-Allow-Origin" error instead of
+ // the real failure. 20s keeps us well inside the edge limit so the handler
+ // returns a proper 502 (with CORS) the client can actually read.
+ timeout: 20_000,
+ maxNetworkRetries: 2,
 })
 : null;
diff --git a/apps/web/app/(dashboard)/servers/new/page.tsx b/apps/web/app/(dashboard)/servers/new/page.tsx
index 7818f77..6702af4 100644
--- a/apps/web/app/(dashboard)/servers/new/page.tsx
+++ b/apps/web/app/(dashboard)/servers/new/page.tsx
@@ -480,7 +480,11 @@ function NewServerPageInner() {
 />
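Review bot: The 20s budget described in the timeout comment is applied per request attempt by stripe-node, and the same hunk sets `maxNetworkRetries: 2`, so a wedged call can take roughly 3 × 20s plus retry backoff before the handler sees an error — still under the ~100s edge limit the comment cites, but not "well inside" it as written. I would make that explicit so a later retune doesn't cross the limit unnoticed, e.g. `// 20s is per attempt; with maxNetworkRetries: 2 the worst case is ~60s + backoff, still under the ~100s edge limit.` Enabling retries also means POSTs such as the checkout-session create call are re-sent; stripe-node adds an Idempotency-Key to POSTs automatically when retries are on, which should avoid duplicate sessions, but that is worth confirming against the stripe@22 release the comment names rather than assuming. The hard-coded `'2026-04-22.dahlia'` also duplicates the version the installed SDK already pins and will drift on the next upgrade; if the SDK default is acceptable, omitting `apiVersion` should let stripe-node use the version it is built against (verify for this release).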
Next step we'll show you exactly which tools we'll expose and let you tweak - the spec before we build. + the spec before we build.{' '} + + Don't paste API keys or access tokens here — you'll add each one in its own + encrypted field in the next step. +
- AES-256-GCM encrypted at rest, injected as env vars at runtime. Remove if your - implementation doesn't actually use one. + One field per key or access token — entered here, separately from your prompt. + AES-256-GCM encrypted at rest, injected as env vars at runtime only. Remove any your + implementation doesn't use; add any we missed.
- No credentials. This server runs self-contained. + None detected. If your tool calls an API that needs a key or access token, add it + below with + Add credential — never put secrets in + the prompt.
)} {editable.requiredSecrets.map((key, idx) => (