
Managing API Keys

This guide walks through managing your API keys in the PayKore dashboard — no coding required. It's written for anyone on your team who needs to create, monitor, or revoke keys, whether or not they're an engineer.


Accessing API keys

Log in at app.paykore.dev, then navigate to Settings → API Keys.

This page lists every key your team has created, showing its label, environment (Live or Sandbox), creation date, and last-used date.


Creating a key

  1. Click the Create Key button at the top of the page.

    📸 Screenshot placeholder: the API Keys page with the "Create Key" button highlighted in the top-right corner.

  2. Enter a descriptive label for this key — something that tells you where it's used, like "Production Server" or "Staging Environment." Avoid generic labels like "Key 1," since you'll want to identify it at a glance later.

  3. Select the environment: Live (real money, real transactions) or Sandbox (testing only, no real money moves).

    📸 Screenshot placeholder: the create-key dialog showing the label text field and a toggle between "Live" and "Sandbox."

  4. Optionally, set an expiry date. This is useful for temporary access — for example, a contractor who only needs access for a defined project window.

  5. Click Create.

  6. Your full key is shown once, on screen. Copy it immediately and store it somewhere secure (see the next section). Once you navigate away from this screen, PayKore cannot show you the full key again — only the first and last few characters, for identification purposes.

    📸 Screenshot placeholder: the key-reveal modal showing the full key string with a "Copy" button, and a warning banner reading "This is the only time you'll see this key in full."


Key security rules

These apply regardless of your technical background — a leaked key can result in real financial loss, so treat it with the same seriousness as a bank password.

  • Never paste a key into a chat message, email, or shared document. If you need to share a key with a developer, use your hosting platform's secrets manager instead (see below) so the key never travels through a chat tool's servers or search index.

  • Store the key in your hosting platform's secrets manager, not in a spreadsheet or a text file on your desktop. Most hosting platforms have a built-in, secure place for this:

    • Heroku → Config Vars (Settings tab on your app dashboard)
    • Railway → Variables (Project Settings)
    • Vercel → Environment Variables (Project Settings)

    If you're not sure which platform your engineering team uses, ask them — they'll know exactly where this goes.

  • If a key is ever exposed accidentally (pasted somewhere public, left in a screenshot, etc.), revoke it immediately using the steps below, even if you're not certain anyone saw it. It's far cheaper to create a new key than to risk it being misused.


Revoking a key

If a key is compromised, no longer needed, or was created by someone who has since left your team, revoke it:

  1. Find the key in the Settings → API Keys list.

  2. Click the Revoke button next to it.

  3. Confirm in the dialog that appears.

    📸 Screenshot placeholder: a confirmation dialog reading "Revoke this key? This cannot be undone" with Cancel and Revoke buttons.

Danger: Revocation is immediate and irreversible. There is no "undo" or "restore" option. If this key is still being used by a deployed application, those requests will start failing — typically within 5 minutes, as PayKore's internal caches expire. The same cache delay means a key you revoke after an exposure can keep working for those few minutes. Make sure any service using this key has already switched to a replacement key before you revoke it, or you risk an outage.


Key usage

Each key in the list shows a Last Used column — the most recent date and time that key was used to make an API call. This is a useful signal: if a key has shown no activity for 90 days or more, it's likely safe to revoke. An unused key sitting active is unnecessary risk with no offsetting benefit.

If you're unsure whether a key is still in active use by your engineering team before revoking it, ask before proceeding — "Last Used" tells you about past activity, but doesn't guarantee a deployment isn't about to use it for the first time.


Next steps