| Type | What it unlocks | Typical caller |
|---|---|---|
| Connector | End-user actions exposed to Consumers: list Offers, display Rewards, update consent. | Your bank’s mobile or web app. |
| Injector | Transaction and bank-data ingestion: push bank connections, accounts, and daily transactions. | Your data ingestion service. |
| Program M2M | Back-office automation: pull the Ventilation file, performance metrics, Offer catalog. | Your finance, reporting, and reconciliation jobs. |
View existing keys
Open My account > Developer tools > API Keys. The main table lists every key currently active on your Program.| Column | Description |
|---|---|
| Created | The date the key was generated. |
| Type | One of Program M2M, Injector, Connector. |
| API Key | The token value. Hidden by default; reveal or copy from the row actions. |
| Description | Free-form label you set when generating the key. Use it to identify the consumer system. |
Generate an API key
Select the type
Pick
Program M2M, Injector, or Connector based on the system that will use the token. One key serves one role: do not reuse a Connector token for M2M calls.Add a description
Enter a description that names the consumer system clearly, for example
Bank Lyra mobile app, production or Yuna Money ingestion job. Future operators rely on this label to know what they would break by revoking the key.Rotation and revocation
Treat API keys like any other production secret.- Store them in a secret manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager). Never commit a token to Git, paste it in a ticket, or share it over chat.
- Rotate periodically: generate a new key, deploy it to the consumer system, confirm traffic flows on the new token, then revoke the old one from Shift.
- Revoke immediately on suspicion: if a token may have leaked, delete it from the API Keys list. Calls using the revoked token return
401 Unauthorizedinstantly. - One key per consumer system: do not share a single key across services. Per-system keys make rotation and incident response straightforward.
What’s next
Authentication reference
Token format, headers, and scopes for the public API.
Configure your Program
Program details, Segments, and the Brand catalog.