Skip to main content

API Keys

BEEtoolkit accounts can hold up to 5 API keys at a time. Each key can be created or revoked through the web UI or through this API — making no-downtime rotation straightforward.

A typical rotation flow:

  1. Create a new key with an expiry that suits your policy.
  2. Update your integration to use the new key and secret.
  3. Once traffic has moved across, revoke the old key.

See Authentication for details on how keys and signatures are used on every request.


Endpoints

MethodPathPurpose
POST/api/public/v1/api_keysCreate a new API key for the account.
DELETE/api/public/v1/api_keys/{id}Revoke an existing API key.
Authentication

Include the following headers on every request:

  • Authorization: HMAC <signature>
  • X-Api-Key: <your account key>
  • Accept: application/json

See Authentication.

Listing keys

This API does not expose a list endpoint. Use the BEEtoolkit web UI to see the keys currently registered for an account, along with their expiry and last-used timestamps.


Rules

  • A maximum of 5 active keys per account. Creating a 6th key returns 422 Unprocessable Entity.
  • A key cannot revoke itself. Authenticate with one key, then revoke the other.
  • The secret is returned only on creation. Store it immediately; it cannot be retrieved again.
  • Keys created through this API must have an expiry; non-expiring keys can only be created from the BEEtoolkit web UI.

Attributes

Request parameters (create)

FieldTypeRequiredDescription
expires_instringyesLifetime of the new key. See Expiry values.

Response fields (create)

FieldTypeDescription
idintegerInternal ID of the key. Used when revoking.
keystringThe public key identifier, prefixed mpk_. Sent in X-Api-Key.
secretstringThe signing secret. Returned once only.
expires_atstring | nullISO 8601 expiry timestamp, or null if the key does not expire.
created_atstringISO 8601 creation timestamp.

Enumerations

Expiry values

  • 30d
  • 90d
  • 180d
  • 365d

An expires_in value is required when creating a key through this API. Non-expiring keys can only be created from the BEEtoolkit web UI.


Create an API key

Generate a new API key and secret for the account.

POST /api/public/v1/api_keys

Request body

{
"expires_in": "90d"
}

Code examples

curl -X POST "https://www.beetoolkit.co.za/api/public/v1/api_keys" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "X-Api-Key: <your account key>" \
-H "Authorization: HMAC <your signature>" \
-d '{"expires_in": "90d"}'

Response

Returns 201 Created:

{
"id": 4231,
"key": "mpk_Xb9aR3dv7_FQz6yp1HkTqNmLw8gV4sJcUeKoPbZxYtE",
"secret": "kR2vN4xP9sJ6aE3yHqZ7wLbTmUgVdFcXiKoRnSpQeDt",
"expires_at": "2026-07-15T12:34:56Z",
"created_at": "2026-04-16T12:34:56Z"
}
Store the secret now

The secret field is the only time this value is returned. If lost, the key must be revoked and replaced.

Errors

StatusDescription
422expires_in is missing/blank, is not a supported value, or the account already has the maximum number of keys.

Missing expires_in:

{ "error": "expires_in is required" }

Invalid expiry:

{ "error": "Invalid expiry duration: 999d" }

Cap reached:

{ "error": "Account already has 5 API keys" }

Revoke an API key

Delete an existing API key. Once revoked, requests authenticated with the revoked key return 401 Unauthorized.

DELETE /api/public/v1/api_keys/{id}

Path parameters

NameTypeRequiredDescription
idintegeryesThe id returned when the key was created.

Code examples

curl -X DELETE "https://www.beetoolkit.co.za/api/public/v1/api_keys/4231" \
-H "Accept: application/json" \
-H "X-Api-Key: <your account key>" \
-H "Authorization: HMAC <your signature>"

Response

Returns 204 No Content on success.

Errors

StatusDescription
404No key with that id exists on this account.
422The id refers to the key used to authenticate this request. Authenticate with a different key and retry.

Self-revocation attempt:

{ "error": "Cannot revoke the key used to authenticate" }

Unknown id:

{ "error": "Key not found" }