Skip to main content
API keys are essential for authenticating your requests to the Moflay API. This guide will walk you through creating and managing your API keys.

What are API Keys?

API keys are unique identifiers that authenticate your application when making requests to the Moflay API. They come in two types:
  • Sandbox keys (prefix: mof_test_) - For testing and development
  • Production keys (prefix: mof_live_) - For live payments
API keys are environment-specific. Sandbox keys only work in the sandbox environment, and production keys only work in the production environment.

Creating Your First API Key

1

Navigate to API Keys

Go to the Moflay Dashboard and select your organization.
API Keys Dashboard
2

Choose Environment

Select the environment you want to create an API key for: - Sandbox - For testing and development - Production - For live payments (requires production credentials)
Make sure you’re in the correct environment before creating your API key.
3

Create New API Key

  1. Click the “Create API Key” button 2. Enter a descriptive name for your API key (e.g., “My App - Development”) 3. Select the permissions you need: - Read - View transactions, customers, and analytics - Write - Create payments, customers, and transactions - Admin - Full access including account management
You can always modify permissions later, but it’s recommended to follow the principle of least privilege.
4

Copy and Store Your API Key

Once created, you’ll see your API key. Copy it immediately as it won’t be shown again for security reasons. mof_test_1234567890abcdef...
Important: Store your API key securely. Never commit it to version control or share it publicly. Use environment variables in production.

Using Your API Key

In Your Application

Store your API key as an environment variable: 
# .env file
MOFLAY_API_KEY=mof_test_1234567890abcdef...
Then use it in your code: 
import { Moflay } from "@moflay/sdk";

const moflay = new Moflay({
  token: process.env.MOFLAY_API_KEY,
});

// Now you can make API calls
const result = await moflay.express.pay({
  amount: 100,
  phoneNumber: "254712345678",
  description: "Test Payment",
});

With cURL

curl -H "Authorization: Bearer mof_test_1234567890abcdef..." \
  -X POST "https://api.moflay.com/v1/express" \
  -d '{"amount": 100, "phoneNumber": "254712345678", "description": "Test Payment"}'

Managing API Keys

Viewing Your Keys

In the API Keys dashboard, you can:
  • View all your API keys
  • See their creation date and last used date
  • Check their permissions
  • See which environment they belong to

Regenerating Keys

If you suspect a key has been compromised:
  1. Go to the API Keys dashboard
  2. Find the key you want to regenerate
  3. Click the “Regenerate” button
  4. Copy the new key and update your application
  5. The old key will be immediately invalidated
Regenerating a key will break any applications using the old key. Make sure to update all your applications before regenerating.

Deleting Keys

To delete an unused API key:
  1. Go to the API Keys dashboard
  2. Find the key you want to delete
  3. Click the “Delete” button
  4. Confirm the deletion
Deleted keys cannot be recovered. Make sure you don’t need the key before deleting it.

Security Best Practices

Do’s ✅

  • Store API keys in environment variables
  • Use different keys for different environments
  • Rotate keys regularly
  • Use the principle of least privilege
  • Monitor key usage in the dashboard

Don’ts ❌

  • Never commit API keys to version control
  • Don’t share keys in chat or email
  • Don’t use the same key across multiple applications
  • Don’t hardcode keys in your source code
  • Don’t ignore suspicious activity

Troubleshooting

Invalid API Key Error

If you get an “Invalid API Key” error:
  1. Check the key format - Should start with mof_test_ or mof_live_
  2. Verify environment - Make sure you’re using the right key for the right environment
  3. Check for typos - Copy the key again from the dashboard
  4. Regenerate if needed - The key might have been compromised

Missing API Key Error

If you get a “Missing API Key” error:
  1. Check your code - Make sure you’re including the Authorization header
  2. Verify environment variables - Ensure the variable is loaded correctly
  3. Check the header format - Should be Authorization: Bearer YOUR_API_KEY

Permission Denied Error

If you get a “Permission Denied” error:
  1. Check key permissions - Make sure your key has the required permissions
  2. Verify the endpoint - Some endpoints require specific permissions
  3. Contact support - If you need additional permissions

Next Steps

Once you have your API key set up:
Need help? Contact our support team at [email protected] or join our Discord community.