Secure Key Vault
Secure Key Storage
Your API keys are secured with SHA-256 hashing. Keys are only shown once at creation time. Roll keys without downtime and revoke compromised keys instantly.
SHA-256 Hashing
Keys are hashed before storage. Even we cannot see your full key after creation.
One-Time Reveal
Your full API key is displayed only once when created. Copy it immediately and store it securely.
Zero-Downtime Rotation
Generate a new key before revoking the old one. Both keys work during the transition period.
Key Scoping
Each key has a prefix (mkz_live_ or mkz_test_) that determines its environment scope.
Audit Trail
Every use of a key is logged with timestamp, IP address, and endpoint accessed.
Multiple Keys
Create separate keys for different applications or team members. Revoke individually.
Key Lifecycle
Create
Generate a new key from the API Management dashboard. Name it for easy identification.
Copy & Store
Copy the full key immediately. Store it in your environment variables or secrets manager.
Use
Include the key in the X-API-Key header for all API requests.
Rotate
When needed, create a new key first, update your apps, then revoke the old key.
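The lifecycle above as an added example, not the service's own code: a hypothetical server-side `KeyStore` that keeps only SHA-256 digests, returns the full key once at creation, enforces the prefix scope, and supports create-then-revoke rotation. The class, its method names, and the key length are assumptions; only the `mkz_live_` and `mkz_test_` prefixes come from the page.

```python
import hashlib
import secrets

PREFIXES = {"live": "mkz_live_", "test": "mkz_test_"}  # prefixes named on the page


class KeyStore:
    """Hypothetical store: holds SHA-256 digests of keys, never the raw keys."""

    def __init__(self):
        self._records = {}  # hex digest -> {"name", "env", "revoked"}

    @staticmethod
    def _digest(key: str) -> str:
        # Keys are long random tokens, so an unsalted fast hash resists guessing.
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def create(self, name: str, env: str) -> str:
        """Return the full key once; only its digest is retained afterwards."""
        key = PREFIXES[env] + secrets.token_urlsafe(32)  # assumed key length
        self._records[self._digest(key)] = {"name": name, "env": env, "revoked": False}
        return key

    def verify(self, presented: str, env: str):
        """Return the key's name if it is valid for this environment, else None."""
        if not presented.startswith(PREFIXES[env]):
            return None  # wrong environment scope
        rec = self._records.get(self._digest(presented))
        if rec is None or rec["revoked"]:
            return None
        return rec["name"]

    def revoke(self, key: str) -> bool:
        """Mark a key revoked; later verify() calls reject it immediately."""
        rec = self._records.get(self._digest(key))
        if rec is not None:
            rec["revoked"] = True
        return rec is not None


def rotation_demo():
    """Create the new key before revoking the old one; both work in between."""
    store = KeyStore()
    old = store.create("billing-app", "live")
    new = store.create("billing-app-v2", "live")
    during = (store.verify(old, "live"), store.verify(new, "live"))
    store.revoke(old)
    after = (store.verify(old, "live"), store.verify(new, "live"))
    return during, after
```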
Security Best Practices
- Never expose API keys in client-side code or public repositories
- Use environment variables or a secrets manager (e.g., AWS Secrets Manager, Vault)
- Rotate keys every 90 days as a security hygiene measure
- Use test keys (mkz_test_) during development — they create listings invisible to users
- Set up IP allowlists for production keys when possible