API keys allow your backend services to authenticate with the Yativo API without the magic-link flow. Each key can be scoped to specific permissions and rotated independently.
interface ApiKey {
  id: string;
  name: string;
  key_prefix: string; // first 8 characters of the key, e.g. "yat_live"
  permissions: string[];
  is_active: boolean;
  last_used_at?: string;
  created_at: string;
  expires_at?: string;
}

interface CreateApiKeyRequest {
  name: string;
  permissions?: string[];
  expires_at?: string; // ISO 8601; omit for non-expiring keys
}

interface ApiKeyResponse extends ApiKey {
  key: string; // full key; only returned once, on creation
}
List API keys
curl -X GET 'https://api.yativo.com/api/business/api-keys' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'

{
  "status": "success",
  "data": [
    {
      "id": "key_01HX9KZMB3F7VNQP8R2WDGT4E5",
      "name": "Production Backend",
      "key_prefix": "yat_live",
      "permissions": ["transactions:read", "payouts:write"],
      "is_active": true,
      "last_used_at": "2026-03-25T18:42:00Z",
      "created_at": "2026-01-10T10:00:00Z"
    }
  ]
}
Create API key
name: A label to identify this key (e.g. "Production Backend", "Staging").
permissions: Optional list of permission scopes. Omit to grant all permissions available to your account.

Scope                     Access
transactions:read         View transactions
payouts:write             Initiate payouts
customers:read            View customers
customers:write           Create/update customers
virtual-accounts:write    Create virtual accounts
webhooks:write            Manage webhooks

expires_at: Expiry date in ISO 8601 format. Omit for a non-expiring key.
curl -X POST 'https://api.yativo.com/api/business/api-keys' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Production Backend",
    "permissions": ["transactions:read", "payouts:write", "customers:read"]
  }'

{
  "status": "success",
  "data": {
    "id": "key_01HX9KZMB3F7VNQP8R2WDGT4E6",
    "name": "Production Backend",
    "key": "yat_live_aBcDeFgHiJkLmNoPqRsTuVwXyZ123456789",
    "key_prefix": "yat_live",
    "permissions": ["transactions:read", "payouts:write", "customers:read"],
    "is_active": true,
    "created_at": "2026-03-26T10:00:00Z"
  }
}
The full key value is only returned once. Copy it immediately and store it in a secrets manager — it cannot be retrieved again.
Revoke API key
DELETE /business/api-keys/{id}
id: The API key ID to revoke.
curl -X DELETE 'https://api.yativo.com/api/business/api-keys/key_01HX9KZMB3F7VNQP8R2WDGT4E6' \
-H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
Using an API key
Include the key in the Authorization header of every request:
Authorization: Bearer yat_live_aBcDeFgHiJkLmNoPqRsTuVwXyZ123456789
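const axios = require('axios');

const client = axios.create({
  baseURL: 'https://api.yativo.com/api',
  headers: {
    Authorization: `Bearer ${process.env.YATIVO_API_KEY}`,
    'Content-Type': 'application/json',
  },
});

// CommonJS has no top-level await, so the request runs inside an async function.
async function main() {
  const { data } = await client.get('/business/transactions/index');
  return data;
}

// Log only the message: the full axios error object includes the Authorization header.
main().catch((err) => console.error(err.message));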
Store API keys as environment variables or in a secrets manager. Never commit them to source control.
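The fields in the list response (expires_at, last_used_at, permissions, is_active) are enough to review keys periodically. The following is an added example, not Yativo code: it audits the data array from the list endpoint and reports active keys that never expire, look unscoped, or have gone unused. The 90-day threshold, the finding names, and the reading of an empty permissions list as "unscoped" are assumptions.

```javascript
// Added example, not Yativo code. Threshold and finding names are assumptions.
const STALE_DAYS = 90; // assumed idle threshold
const DAY_MS = 24 * 60 * 60 * 1000;

// Audits the `data` array from GET /business/api-keys; returns keys needing review.
function auditApiKeys(keys, now = new Date()) {
  const report = [];
  for (const k of keys) {
    if (!k.is_active) continue; // inactive keys are skipped
    const findings = [];
    const perms = Array.isArray(k.permissions) ? k.permissions : [];
    // Idle time counts from last use, or from creation if the key was never used.
    const idleSince = new Date(k.last_used_at || k.created_at);
    const idleDays = Math.floor((now - idleSince) / DAY_MS);

    if (!k.expires_at) findings.push('no-expiry');
    else if (new Date(k.expires_at) <= now) findings.push('expired-but-active');
    // Assumption: an empty or missing list means the key was created unscoped.
    if (perms.length === 0) findings.push('unscoped');
    if (idleDays > STALE_DAYS) findings.push(k.last_used_at ? 'stale' : 'never-used');

    if (findings.length > 0) {
      // writeScopes is context for the reviewer, not a finding in itself.
      const writeScopes = perms.filter((p) => p.endsWith(':write'));
      report.push({ id: k.id, name: k.name, findings, writeScopes });
    }
  }
  return report;
}

// Constructed sample data in the shape of the list response above.
const SAMPLE_KEYS = [
  { id: 'key_EXAMPLE_A', name: 'Production Backend', is_active: true,
    permissions: ['transactions:read', 'payouts:write'],
    last_used_at: '2026-03-25T18:42:00Z', created_at: '2026-01-10T10:00:00Z' },
  { id: 'key_EXAMPLE_B', name: 'Old Staging', is_active: true, permissions: [],
    last_used_at: '2025-11-01T00:00:00Z', created_at: '2025-06-01T00:00:00Z',
    expires_at: '2026-12-31T00:00:00Z' },
  { id: 'key_EXAMPLE_C', name: 'Reporting', is_active: true,
    permissions: ['transactions:read'], last_used_at: '2026-03-30T09:00:00Z',
    created_at: '2026-02-01T00:00:00Z', expires_at: '2026-06-30T00:00:00Z' },
  { id: 'key_EXAMPLE_D', name: 'Revoked', is_active: false, permissions: [],
    created_at: '2025-01-01T00:00:00Z' },
  { id: 'key_EXAMPLE_E', name: 'Webhook Setup', is_active: true,
    permissions: ['webhooks:write'], created_at: '2025-10-01T00:00:00Z',
    expires_at: '2026-12-31T00:00:00Z' },
];

const AUDIT_NOW = new Date('2026-04-01T00:00:00Z'); // fixed date for a repeatable run
console.log(JSON.stringify(auditApiKeys(SAMPLE_KEYS, AUDIT_NOW), null, 2));
```

Keys the audit reports are candidates for revocation or for replacement with a narrower, expiring key.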