Key Management
Rotate and revoke MyStocks Partner API keys and manage scoped read-only data keys. Revoke uses a Firebase ID token so it stays callable even after a key is compromised.
Rotate, revoke, and manage scoped read-only data keys. The revoke endpoint uses a Firebase ID token
— not a partner key — so it remains accessible even after a key is compromised.
Rotate a key
POST /api-keys/rotate
Generate a new pk_live_ key. The old key is suspended immediately. All registered webhooks and
sub-accounts are automatically migrated to the new key. A key.rotated audit event is logged.
Update all services with the new key before discarding the response — the old key is suspended
immediately and the new key is shown only once. Data keys (pk_data_) are unaffected by rotation.
Revoke a key
POST /api-keys/revoke
Permanently revoke a partner API key. This action cannot be undone. A new key must be issued by
MyStocks operations. This endpoint uses a Firebase ID token (Authorization: Bearer <firebase-id-token>),
not a partner key, so it remains callable even after a key compromise. A key.revoked audit event is logged.
Data key
POST GET DELETE /api-keys/data-key
Create, fetch, or delete a read-only pk_data_ key for market-data access (no trading, funds, or
PII). For production apps, proxy through your backend rather than embedding the key in client bundles.
Only one data key exists per partner at a time — creating a new one replaces the previous. GET
returns a masked version of the key (maskedKey); the full key is only shown on POST. See
Authentication for the allowed endpoint list.