The Key Manager role
Managing API keys over the API requires the Key Manager role. This role is scoped strictly to the API key lifecycle through theapi-key-pairs.read and
api-key-pairs.write permissions. It grants no access to payments or back-office
data. The Administrator role can also manage keys, but Key Manager keeps key
management separate from payments and configuration access.
The Key Manager role is not granted by default and is assignable only to an API
key. Assign it from the dashboard to
the API key that provisions keys.
The Administrator and Key Manager roles can only be assigned by a
dashboard user. An API key cannot create or update another key with either
role, even when it holds the Key Manager role itself.
Create a key
Create a key pair with aPOST to the /api-key-pairs endpoint. A key requires a
display_name and exactly one role in role_ids.
private_key once, in
the response to this request. Store it securely, as it cannot be retrieved again.
See the Create API key reference for
more detail on this endpoint.
Provide your own public key
Rather than have Gr4vy generate the key pair, you can supply your own public key in thepublic_key field on create. When you do, Gr4vy stores the public key and
does not generate or return a private key, so the private key never leaves your
systems.
The public key must be a PEM-encoded ECDSA key on the P-521 (ES512) curve. RSA
keys are not accepted. Set algorithm to match, and note that the public key is
immutable for the life of the key.
Issue a key for multiple merchant accounts
A single key can be scoped to more than one merchant account by passing an array of merchant account IDs inmerchant_account_ids. This is useful when one ISO or
brand groups several merchant accounts.
The list is editable after creation. Add or remove merchant accounts with a PUT
to the key, without regenerating the key or its private key.
To grant a key access to all merchant accounts, pass an empty list or omit
merchant_account_ids. This is only allowed when the caller can already access
all merchant accounts.
Turn a key on or off
Each key has anactive field that you can update over the API and in the
dashboard. Set active to false to turn off a key. A request authenticated
with an off key is rejected with a 401 Unauthorized response, which lets you
revoke access immediately without deleting the key.
Lifecycle webhooks
Gr4vy emits webhook events as keys change, so you can keep an audit trail of provisioning:api-key-pair.createdapi-key-pair.updatedapi-key-pair.deleted
api-key-pair.updated event covers all changes to an existing key, including
enabling or disabling it and editing its merchant accounts. Subscribe to these
events through the existing webhook subscription
mechanism.