ARYZE Open Finance

API keys

Create, configure, and rotate credentials for the Payment API.

An API key is the credential your backend uses to call the Payment API. Each key is bound to one environment (sandbox or live), one bank destination, and one webhook URL.

Create a key

Open the API keys page

Go to Open Finance → API Keys. Make sure the environment selector in the header matches where you want the key to run — sandbox keys can't be promoted to live later.

Click "Create API key"

Fill in:

  • Name — how the key shows up in the dashboard (e.g. "web-checkout prod").
  • Description — optional notes for teammates.
  • Destination — which bank account will receive payments created with this key.
  • Webhook URL — where ARYZE POSTs payment.status_updated events. Must be HTTPS.
  • Expiration — either "never expires" or a specific date.

Save the client secret

The client secret is shown once immediately after creation. Copy it into your secrets manager or environment variable store before closing the modal.

If you miss the secret, you have to delete the key and create a new one. There is no way to recover a client secret later.

Authenticate from your backend

Send the client secret to POST /v1/auth/token to get a short-lived JWT, then use that JWT for payment calls.

Activation and KYB

  • Sandbox keys are active immediately.
  • Live keys are created as inactive until KYB is approved. Once approval lands, the key flips to active on its own — no action needed.

Update a key

For an existing key you can:

  • Change the webhook URL — takes effect on the next event.
  • Change the description or expiration.
  • Rotate the webhook URL without rotating the secret — useful for migrating webhook handlers.

You cannot change the destination on a live key. Create a new key bound to the new destination, migrate your integration, then revoke the old one.

Rotate or revoke a key

Two separate operations:

  • Rotate — generate a new client secret for the same key. The old secret keeps working until you explicitly expire it, so you can roll it out without downtime.
  • Revoke — immediately disable the key. Any subsequent POST /v1/auth/token with its secret fails with 401 invalid_client. In-flight payments complete normally.

If a secret leaks, revoke first and create a new key with a new secret. Don't rely on rotation alone — a leaked secret can obtain tokens until it's explicitly revoked.

Webhook URL requirements

  • HTTPS endpoint.
  • Reachable from the public internet.
  • Responds with any 2xx status within 10 seconds.
  • Unguessable path recommended (treat the URL as a shared secret until HMAC signing ships).
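
A pre-registration check for the requirements above, plus a constant-time path comparison for the receiving handler. This is an added example, not ARYZE code; the /hooks/aryze/ prefix, the 32-character minimum, the host heuristics and all function names are assumptions.

```python
import hmac
import ipaddress
import secrets
from urllib.parse import urlsplit

# Assumption: 32 base64url characters (~192 bits); the page sets no minimum.
MIN_TOKEN_CHARS = 32


def new_webhook_path(prefix="/hooks/aryze/"):
    """Return a path ending in a 256-bit random token (prefix is hypothetical)."""
    return prefix + secrets.token_urlsafe(32)


def check_webhook_url(url):
    """Return a list of problems found in a webhook URL before registering it."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("scheme must be https")
    # Heuristic: names that never resolve on the public internet.
    if not host or host == "localhost" or host.endswith((".local", ".internal")):
        problems.append("host is not publicly resolvable")
    else:
        try:
            if not ipaddress.ip_address(host).is_global:
                problems.append("IP literal is not publicly routable")
        except ValueError:
            pass  # a DNS name; reachability still has to be tested from outside
    # The last path segment is treated as the shared secret.
    token = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if len(token) < MIN_TOKEN_CHARS:
        problems.append("path token too short to be unguessable")
    return problems


def path_matches(request_path, expected_path):
    """Compare in constant time so response timing does not leak the token."""
    return hmac.compare_digest(request_path.encode(), expected_path.encode())
```

Because the path is the secret, keep it out of access logs, proxy logs and error reports, or redact the last segment there.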
