Skip to main content

Manage and rotate your API key

How to manage your Mintsoft API key lifecycle, including rotating keys, switching between expiring and static keys, and what to do if a key is compromised.

Written by Tom Higgs

This article covers how to manage your Mintsoft API key lifecycle — including rotating keys, switching between expiring and static keys, understanding key scope, and what to do if your key is compromised. For initial authentication setup, see the API - Authenticate requests article.


API key types

Mintsoft supports two types of API key:

Key type

How it works

Best for

24-hour expiring key

Generated on each request via POST /api/Auth and expires after 24 hours.

Systems that authenticate automatically on each session.

Static (non-expiring) key

Generated once and remains valid until manually replaced.

Automated scripts, third-party tools, or integrations that cannot re-authenticate automatically.

Note: Static keys do not expire automatically. If a static key is compromised, you must generate a replacement immediately — there is no automatic expiry to limit exposure.


Rotate your API key

Rotating your API key means generating a new key and replacing the current one across all systems that use it. Rotate your key if you suspect it has been exposed, shared unintentionally, or as part of a regular security review.

  1. Generate a new API key by sending a POST request to /api/Auth with your Mintsoft username and password. See the API - Authenticate requests article for the request format.

  2. Update every system, script, and integration that uses the current API key with the new value. Common locations include third-party platform settings, server environment variables, and configuration files.

  3. Test each integration after updating to confirm the new key is accepted and requests are succeeding.

  4. For static keys: the old key remains valid until it is replaced — complete steps 2 and 3 before decommissioning the old key to avoid service interruptions.

Important: Update all systems with the new key before decommissioning the old one. The old key continues to work until it expires or is explicitly replaced.


Switch to a static key

If your integration cannot re-authenticate every 24 hours, configure a static non-expiring key.

  1. Go to Settings then User Settings in Mintsoft.

  2. Follow the steps in the API - Set a static API key article to configure a static key for your account.

  3. Update your integration with the static key value. The key does not expire unless you regenerate it.


API key scope and client-level access

An API key’s access is determined by the permissions and client assignment of the user account that generated it.

  • If API requests return 403 Forbidden errors, the user account may not have the correct role permissions for the endpoint. See the Integration - Roles and Permissions article.

  • If API requests return empty or unexpected data in a 3PL environment, the user account may not be assigned to the correct client account. Contact your system administrator to verify the user’s client assignment.

  • API keys cannot be scoped to a subset of endpoints — access is controlled entirely through the user’s role settings.


What to do if your API key is compromised

If you suspect your API key has been exposed — for example, committed to a public code repository, shared in plain text, or logged insecurely — act immediately.

  1. Generate a new API key immediately using your Mintsoft credentials.

  2. Update all systems and integrations with the new key.

  3. Review any available API call logs for activity you did not initiate.

  4. Contact the Mintsoft support team if you identify suspicious activity on your account.

Note: Treat your API key with the same care as a password. Do not share it, commit it to a public repository, or include it in client-side code.

Did this answer your question?