Use the dashboard API Keys page for ongoing API key operations after your first key is created.Documentation Index
Fetch the complete documentation index at: https://docs.moflay.com/llms.txt
Use this file to discover all available pages before exploring further.
When to manage keys
Manage API keys when you need to:- Add a key for another service or deployment target
- Rotate a key during a normal security cycle
- Revoke a key after a leak or employee offboarding
- Review key usage and last-used timestamps
- Reduce permissions for a service
Recommended key strategy
- Create separate keys for sandbox and production.
- Use one key per service, worker, or deployment target.
- Grant only the permissions each service needs.
- Store keys in a secret manager or deployment environment variables.
- Rotate keys instead of reusing one key everywhere.
Permissions
Current API permissions include:| Permission | Use |
|---|---|
express.pay | Create M-Pesa Express payment requests |
customers.read | Read customer records |
customers.write | Create, update, or delete customer records |
transactions.read | Read transactions and payment status |
Rotate a key
- Create a new key in the same environment with the same required permissions.
- Add the new key to your secret manager or deployment environment.
- Deploy the service that uses the new key.
- Confirm the new key is being used successfully.
- Revoke the old key.
Respond to a leaked key
If a key may be exposed:- Revoke the key immediately.
- Create a replacement key with the minimum required permissions.
- Redeploy affected services.
- Review recent key usage and payment activity.
- Rotate any related internal secrets if they were exposed with the key.