Skip to main content
Work in progress, under review. This page is not validated yet and may contain inaccuracies. Track and record its status in the documentation review tracker. This banner is removed once the page is validated.
API keys are how systems outside Shift talk to Paylead. Every call to the public API, whether from your bank app, your transaction ingestion pipeline, or your finance back-office, carries a bearer token generated here. Each token is scoped to a single API role.
TypeWhat it unlocksTypical caller
ConnectorEnd-user actions exposed to Consumers: list Offers, display Rewards, update consent.Your bank’s mobile or web app.
InjectorTransaction and bank-data ingestion: push bank connections, accounts, and daily transactions.Your data ingestion service.
Program M2MBack-office automation: pull the Ventilation file, performance metrics, Offer catalog.Your finance, reporting, and reconciliation jobs.
For the API-side reference (endpoints, scopes, and request formats), see the Authentication page.

View existing keys

Open My account > Developer tools > API Keys. The main table lists every key currently active on your Program.
ColumnDescription
CreatedThe date the key was generated.
TypeOne of Program M2M, Injector, Connector.
API KeyThe token value. Hidden by default; reveal or copy from the row actions.
DescriptionFree-form label you set when generating the key. Use it to identify the consumer system.
Row actions let you copy the key to the clipboard, reveal it, or delete it.

Generate an API key

1

Open the generator

In My account > Developer tools > API Keys, click Generate new API key.
2

Select the type

Pick Program M2M, Injector, or Connector based on the system that will use the token. One key serves one role: do not reuse a Connector token for M2M calls.
3

Add a description

Enter a description that names the consumer system clearly, for example Bank Lyra mobile app, production or Yuna Money ingestion job. Future operators rely on this label to know what they would break by revoking the key.
4

Confirm

Click Confirm. The new key appears in the list and is ready to use immediately.
Paylead tokens are JWTs: three Base64URL segments separated by dots (header.payload.signature). Paylead does not prefix tokens with pk_, sk_, or any other marker. If a token in your secret store looks different, it is not a Paylead token. Verify before using.

Rotation and revocation

Treat API keys like any other production secret.
  • Store them in a secret manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager). Never commit a token to Git, paste it in a ticket, or share it over chat.
  • Rotate periodically: generate a new key, deploy it to the consumer system, confirm traffic flows on the new token, then revoke the old one from Shift.
  • Revoke immediately on suspicion: if a token may have leaked, delete it from the API Keys list. Calls using the revoked token return 401 Unauthorized instantly.
  • One key per consumer system: do not share a single key across services. Per-system keys make rotation and incident response straightforward.
Sandbox and production use distinct API keys generated from the matching Shift environment. A sandbox token cannot reach production endpoints, and vice versa.

What’s next

Authentication reference

Token format, headers, and scopes for the public API.

Configure your Program

Program details, Segments, and the Brand catalog.