> ## Documentation Index
> Fetch the complete documentation index at: https://docs.paylead.fr/llms.txt
> Use this file to discover all available pages before exploring further.

# API keys

> Generate, rotate, and revoke the JWT bearer tokens that authenticate Connector, Injector, and M2M API calls, all from Shift.

<Warning>
  **Work in progress, under review.** This page is not validated yet and may contain inaccuracies. Track and record its status in the [documentation review tracker](https://www.notion.so/22a535a8f8794ec8aa19f56cbb5f749a). This banner is removed once the page is validated.
</Warning>

API keys are how systems outside [Shift](/glossary#shift) talk to Paylead. Every call to the public API, whether from your bank app, your transaction ingestion pipeline, or your finance back-office, carries a bearer token generated here. Each token is scoped to a single API role.

| Type            | What it unlocks                                                                                                                                   | Typical caller                                    |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| **Connector**   | End-user actions exposed to [Consumers](/glossary#consumer): list [Offers](/glossary#offer), display [Rewards](/glossary#reward), update consent. | Your bank's mobile or web app.                    |
| **Injector**    | Transaction and bank-data ingestion: push bank connections, accounts, and daily transactions.                                                     | Your data ingestion service.                      |
| **Program M2M** | Back-office automation: pull the [Ventilation](/glossary#ventilation) file, performance metrics, Offer catalog.                                   | Your finance, reporting, and reconciliation jobs. |

For the API-side reference (endpoints, scopes, and request formats), see the [Authentication](/program/user-journey/authentication) page.

## View existing keys

Open **My account** > **Developer tools** > **API Keys**. The main table lists every key currently active on your Program.

| Column          | Description                                                                              |
| --------------- | ---------------------------------------------------------------------------------------- |
| **Created**     | The date the key was generated.                                                          |
| **Type**        | One of `Program M2M`, `Injector`, `Connector`.                                           |
| **API Key**     | The token value. Hidden by default; reveal or copy from the row actions.                 |
| **Description** | Free-form label you set when generating the key. Use it to identify the consumer system. |

Row actions let you copy the key to the clipboard, reveal it, or delete it.

## Generate an API key

<Steps>
  <Step title="Open the generator">
    In **My account** > **Developer tools** > **API Keys**, click **Generate new API key**.
  </Step>

  <Step title="Select the type">
    Pick `Program M2M`, `Injector`, or `Connector` based on the system that will use the token. One key serves one role: do not reuse a Connector token for M2M calls.
  </Step>

  <Step title="Add a description">
    Enter a description that names the consumer system clearly, for example `Bank Lyra mobile app, production` or `Yuna Money ingestion job`. Future operators rely on this label to know what they would break by revoking the key.
  </Step>

  <Step title="Confirm">
    Click **Confirm**. The new key appears in the list and is ready to use immediately.
  </Step>
</Steps>

<Warning>
  Paylead tokens are **JWTs**: three Base64URL segments separated by dots (`header.payload.signature`). Paylead does **not** prefix tokens with `pk_`, `sk_`, or any other marker. If a token in your secret store looks different, it is not a Paylead token. Verify before using.
</Warning>

## Rotation and revocation

Treat API keys like any other production secret.

* **Store them in a secret manager** (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager). Never commit a token to Git, paste it in a ticket, or share it over chat.
* **Rotate periodically**: generate a new key, deploy it to the consumer system, confirm traffic flows on the new token, then revoke the old one from Shift.
* **Revoke immediately on suspicion**: if a token may have leaked, delete it from the API Keys list. Calls using the revoked token return `401 Unauthorized` instantly.
* **One key per consumer system**: do not share a single key across services. Per-system keys make rotation and incident response straightforward.

<Tip>
  Sandbox and production use distinct API keys generated from the matching Shift environment. A sandbox token cannot reach production endpoints, and vice versa.
</Tip>

## What's next

<CardGroup cols={2}>
  <Card title="Authentication reference" icon="key" href="/program/user-journey/authentication">
    Token format, headers, and scopes for the public API.
  </Card>

  <Card title="Configure your Program" icon="settings" href="/program/shift/configure-your-program">
    Program details, Segments, and the Brand catalog.
  </Card>
</CardGroup>
