API - Dec 12, 2024
API keys: Assign permission scopes, reset, and revoke
Platforms can now rotate API keys and create them with access rights only to certain endpoints. This improves security for platforms and their collaboration with external partners.
Permission scopes
All Mangopay API endpoints now belong to permission scopes. When generating an API key, platforms can assign specific scopes to give the key access only to certain endpoints. Each scope can be assigned to give read access to data (via GET HTTP methods) and/or write access (via POST and PUT methods).
Multiple API keys per Client ID
A single Client ID can now have multiple API keys created for it, each identified with an alias. When an API account is created, the first key is automatically generated with all permission scopes assigned and the alias Auto-generated key.
Platforms can generate new keys via the Dashboard (Developers > API accounts).
When you generate a new key in Production, it is shown only once, at creation, so that you can copy it and store it securely in an encrypted vault. Sandbox keys are always available in the Dashboard.
Note – No action required on existing keys
Prior to this release, only one API key was possible per Client ID and the key had access to all endpoints. This key has become the Auto-generated key and continues to have full access.
This release has no impact on your existing integration and no action is required. Your platform can continue to use only the auto-generated key in your integration.
However, we recommend that you use the reset functionality to periodically rotate your Production API key at least every 90 days.
We also recommend assigning permission scopes to API keys to improve your platform's security, especially if you work with external partners who call the Mangopay API.
Reset and revoke
All API keys can be reset, which generates a new encrypted string associated with the Client ID. The newly generated key has the same permission scopes and alias. This allows platforms to rotate their API keys periodically for improved security.
User-generated API keys can be revoked, which permanently deletes the encrypted string, its alias and permission scopes.
The Auto-generated key can be reset but not revoked. Resetting and revoking is available for both Production and Sandbox keys.
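The following is an added example, not Mangopay code and not a call to its API: a local model of the rules above that a platform could run over its own key inventory. The scope names, the KeyRecord fields, the sample keys and the "full access on a user-generated key" finding are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ROTATION_LIMIT = timedelta(days=90)      # rotation interval recommended above
READ_METHODS, WRITE_METHODS = {"GET"}, {"POST", "PUT"}
AUTO_ALIAS = "Auto-generated key"

@dataclass
class KeyRecord:
    alias: str
    environment: str                     # "Production" or "Sandbox"
    last_reset: datetime                 # creation time or most recent reset
    scopes: dict = field(default_factory=dict)   # scope name -> {"read", "write"}

def is_allowed(key, method, endpoint_scope):
    """Would this key's scopes permit the HTTP method on an endpoint in endpoint_scope?"""
    granted = key.scopes.get(endpoint_scope, set())
    if method.upper() in READ_METHODS:
        return "read" in granted
    if method.upper() in WRITE_METHODS:
        return "write" in granted
    return False                         # assumption: other methods are denied in this model

def audit(keys, all_scopes, now):
    """Return (alias, finding) pairs for keys that need attention."""
    findings = []
    for key in keys:
        if key.environment == "Production" and now - key.last_reset > ROTATION_LIMIT:
            findings.append((key.alias, "rotation overdue"))
        full = all(key.scopes.get(s) == {"read", "write"} for s in all_scopes)
        if full and key.alias != AUTO_ALIAS:
            findings.append((key.alias, "full access on a user-generated key"))
    return findings

# Constructed inventory; scope names are hypothetical placeholders.
ALL_SCOPES = ["scope-a", "scope-b"]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
KEYS = [
    KeyRecord(AUTO_ALIAS, "Production", datetime(2025, 1, 10, tzinfo=timezone.utc),
              {s: {"read", "write"} for s in ALL_SCOPES}),
    KeyRecord("partner-reporting", "Production", datetime(2025, 5, 1, tzinfo=timezone.utc),
              {"scope-a": {"read"}}),
    KeyRecord("partner-legacy", "Production", datetime(2025, 5, 20, tzinfo=timezone.utc),
              {s: {"read", "write"} for s in ALL_SCOPES}),
]
```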
Read more in the new guides: