API Keys — create and rotate authentication keys

API keys authenticate every request to the Borga API. Each key has a type of either publishable (safe to expose in client-side code) or secret (server-side only), and a mode of either test or live. You can manage keys here or through the dashboard.

A rotated or revoked key cannot be recovered. Update your integrations with the new key immediately after rotating, as the old key is invalidated at the moment of rotation.

List API keys

GET /v1/api_keys Returns a list of all API keys for your merchant account.

curl --request GET \
  --url https://api.borga.is/v1/api_keys \
  --header "Authorization: Bearer sk_live_..." \
  --header "X-Merchant-Id: mer_xxx"

Response fields

data

object[]

required

Array of API key objects.

Show key fields

string

required

Unique key identifier.

type

string

required

Key type. One of publishable or secret.

mode

string

required

Key mode. One of test or live.

label

string

Optional label for identifying the key.

last4

string

required

Last four characters of the key value. The full key is only shown once at creation or rotation.

created_at

string

required

ISO 8601 timestamp of when the key was created.

{
  "data": [
    {
      "id": "key_01hx9z3k2mfq7nbvd4cw8ej5rt",
      "type": "secret",
      "mode": "live",
      "label": "Production server",
      "last4": "x9kZ",
      "created_at": "2026-04-29T10:15:00Z"
    }
  ]
}

Create an API key

POST /v1/api_keys Creates a new API key. The full key value is returned only in this response — store it securely before continuing.

Request parameters

type

string

required

Key type. One of publishable or secret.

mode

string

required

Key mode. One of test or live.

label

string

Optional label to help identify the key’s purpose (e.g. "Production server", "Mobile app").

curl --request POST \
  --url https://api.borga.is/v1/api_keys \
  --header "Authorization: Bearer sk_live_..." \
  --header "X-Merchant-Id: mer_xxx" \
  --header "Content-Type: application/json" \
  --data '{
    "type": "secret",
    "mode": "live",
    "label": "Production server"
  }'

Response fields

string

required

Unique key identifier.

type

string

required

Key type: publishable or secret.

mode

string

required

Key mode: test or live.

label

string

Key label.

key

string

required

The full key value. This is the only time it is returned in plaintext — save it now.

last4

string

required

Last four characters of the key value.

created_at

string

required

ISO 8601 timestamp of when the key was created.

{
  "id": "key_01hx9z3k2mfq7nbvd4cw8ej5rt",
  "type": "secret",
  "mode": "live",
  "label": "Production server",
  "key": "sk_live_...",
  "last4": "x9kZ",
  "created_at": "2026-04-29T10:15:00Z"
}

Rotate an API key

POST /v1/api_keys/{id}/rotate Generates a new value for an existing key and immediately invalidates the old one. Use this to rotate credentials without deleting and re-creating the key object.

The old key is invalidated immediately. Update every integration using this key before rotating.

Path parameters

string

required

The ID of the key to rotate.

curl --request POST \
  --url https://api.borga.is/v1/api_keys/key_01hx9z3k2mfq7nbvd4cw8ej5rt/rotate \
  --header "Authorization: Bearer sk_live_..." \
  --header "X-Merchant-Id: mer_xxx"

Response fields

Returns the updated key object with the new key value in plaintext. After this response, the new value is only available via last4.

string

required

Unique key identifier.

type

string

required

Key type.

mode

string

required

Key mode.

label

string

Key label.

key

string

required

The new full key value. Save this now — it will not be shown again.

last4

string

required

Last four characters of the new key value.

created_at

string

required

ISO 8601 timestamp of the original key creation.

{
  "id": "key_01hx9z3k2mfq7nbvd4cw8ej5rt",
  "type": "secret",
  "mode": "live",
  "label": "Production server",
  "key": "sk_live_...",
  "last4": "m3Pq",
  "created_at": "2026-04-29T10:15:00Z"
}

Revoke an API key

DELETE /v1/api_keys/{id} Permanently revokes an API key. Any requests using this key will be rejected immediately.

Path parameters

string

required

The ID of the key to revoke.

curl --request DELETE \
  --url https://api.borga.is/v1/api_keys/key_01hx9z3k2mfq7nbvd4cw8ej5rt \
  --header "Authorization: Bearer sk_live_..." \
  --header "X-Merchant-Id: mer_xxx"

Response fields

Returns an empty body with a 204 No Content status on success.

{}

Overview

Payments

Subscriptions

Billing

Configuration

API Keys — create and rotate authentication keys

List API keys

Response fields

Create an API key

Request parameters

Response fields

Rotate an API key

Path parameters

Response fields

Revoke an API key

Path parameters

Response fields

Overview

Payments

Subscriptions

Billing

Configuration

Documentation Index

​List API keys

​Response fields

​Create an API key

​Request parameters

​Response fields

​Rotate an API key

​Path parameters

​Response fields

​Revoke an API key

​Path parameters

​Response fields

List API keys

Response fields

Create an API key

Request parameters

Response fields

Rotate an API key

Path parameters

Response fields

Revoke an API key

Path parameters

Response fields