Skip to content
Partner API Docs

Key Management

Rotate and revoke MyStocks Partner API keys and manage scoped read-only data keys. Revoke uses a Firebase ID token so it stays callable even after a key is compromised.

Rotate, revoke, and manage scoped read-only data keys. The revoke endpoint uses a Firebase ID token — not a partner key — so it remains accessible even after a key is compromised.

Rotate a key

POST /api-keys/rotate

Generate a new pk_live_ key. The old key is suspended immediately. All registered webhooks and sub-accounts are automatically migrated to the new key. A key.rotated audit event is logged.

curl -X POST "https://mystocks.africa/api/v1/partner/api-keys/rotate" \
  -H "Authorization: Bearer pk_live_<current_key>"
{
  "apiKey": "pk_live_new_xxxxxxxxxxxxxxxx",
  "createdAt": "2026-06-09T10:00:00Z",
  "migrated": { "webhooks": 3, "subAccounts": 142, "deliveries": 0 }
}

Update all services with the new key before discarding the response — the old key is suspended immediately and the new key is shown only once. Data keys (pk_data_) are unaffected by rotation.

Revoke a key

POST /api-keys/revoke

Permanently revoke a partner API key. This action cannot be undone. A new key must be issued by MyStocks operations. This endpoint uses a Firebase ID token (Authorization: Bearer <firebase-id-token>), not a partner key, so it remains callable even after a key compromise. A key.revoked audit event is logged.

curl -X POST "https://mystocks.africa/api/v1/partner/api-keys/revoke" \
  -H "Authorization: Bearer <firebase-id-token>"
{ "message": "Key revoked. Contact support@mystocks.africa to issue a replacement.", "revokedAt": "2026-06-09T10:05:00Z" }

Data key

POST GET DELETE /api-keys/data-key

Create, fetch, or delete a read-only pk_data_ key for market-data access (no trading, funds, or PII). For production apps, proxy through your backend rather than embedding the key in client bundles. Only one data key exists per partner at a time — creating a new one replaces the previous. GET returns a masked version of the key (maskedKey); the full key is only shown on POST. See Authentication for the allowed endpoint list.

curl -X POST "https://mystocks.africa/api/v1/partner/api-keys/data-key" \
  -H "Authorization: Bearer pk_live_<key>"
{ "dataKey": "pk_data_xxxxxxxxxxxxxxxx", "maskedKey": "pk_data_xxxxxxxx...", "createdAt": "2026-06-09T10:00:00Z" }

On this page