API Key Lifecycle

This page describes how an API Key moves through its lifecycle: from creation and active use to expiry or rotation and removal. For the steps to create or delete keys in the Client Portal, see API Keys. For keeping keys safe, see Security.

Creation

You create an API Key in the Client Portal per environment. At creation you set a name (to identify it later) and an expiry (30, 90, or 365 days). Zwapgrid does not store the key after creation—copy it when it is shown and store it securely. From that point the key is active and can be used for API.1 requests.

Active use

While the key is within its expiry period and has not been deleted, you use it to authenticate API.1 calls (Consent API and Accounting API). Use a Development key for Development consents and sandbox data; use a Production key for Production consents and live data. See Usage for how to pass the key in requests.

Expiry and rotation

When the key approaches its expiry date, or when you want to rotate for security, create a new API Key in the Client Portal. Update your applications or scripts to use the new key, then delete the old key. Rotating before deleting avoids downtime: the old key continues to work until you remove it.

If you do not rotate before expiry, the key will no longer work for new requests once the expiry date has passed. Any applications still using it will receive authentication errors. Create a new key and update your integration.
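The following is an added example, not Zwapgrid code: a small checker that flags keys to rotate before they start returning authentication errors. It assumes you keep your own inventory of key names, environments and creation dates, that expiry is counted in whole days from the creation date, and a 14-day rotation lead time; the sample keys are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ALLOWED_EXPIRY_DAYS = (30, 90, 365)  # expiry choices listed on this page

@dataclass(frozen=True)
class KeyRecord:
    name: str          # name given at creation
    environment: str   # "Development" or "Production"
    created: date      # creation date, recorded by you (assumption)
    expiry_days: int   # expiry chosen at creation

def expires_on(key: KeyRecord) -> date:
    # Assumption: expiry is counted in whole days from the creation date.
    if key.expiry_days not in ALLOWED_EXPIRY_DAYS:
        raise ValueError(f"{key.name}: expiry must be one of {ALLOWED_EXPIRY_DAYS}")
    return key.created + timedelta(days=key.expiry_days)

def status(key: KeyRecord, today: date, lead_days: int = 14) -> str:
    """Return 'expired', 'rotate' (inside the lead window) or 'ok'."""
    remaining = (expires_on(key) - today).days
    if remaining <= 0:  # conservative: the expiry date itself counts as expired
        return "expired"
    if remaining <= lead_days:
        return "rotate"
    return "ok"

def rotation_report(keys, today, lead_days=14):
    """Keys needing action, soonest expiry first: (name, env, status, expiry)."""
    rows = [(k.name, k.environment, status(k, today, lead_days), expires_on(k))
            for k in keys]
    return sorted((r for r in rows if r[2] != "ok"), key=lambda r: r[3])

# Constructed sample inventory (names and dates are made up).
INVENTORY = [
    KeyRecord("billing-sync", "Production", date(2024, 1, 10), 90),
    KeyRecord("ci-sandbox", "Development", date(2024, 3, 20), 30),
    KeyRecord("reporting", "Production", date(2024, 1, 1), 365),
    KeyRecord("old-script", "Development", date(2024, 2, 1), 30),
]

if __name__ == "__main__":
    for name, env, state, expiry in rotation_report(INVENTORY, date(2024, 4, 1)):
        print(f"{state:8} {env:12} {name:14} expires {expiry.isoformat()}")
```

The inventory holds only names and dates, never the key values themselves.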

Deletion

Deleting an API Key in the Client Portal removes it immediately. That key can no longer be used for API.1 requests. There is no way to restore a deleted key—create a new one if you need to continue calling API.1.
