API credentials
Rotate a merchant's API password — the credential used to call the Remote API, Querying Transactions, and other transactional APIs.
This page covers rotation of the merchant's API password — the credential a merchant uses on Basic-Auth calls to the Remote API, Querying transactions, and other Scan to Pay transactional APIs. It's separate from the Portal login credential and separate from the webhook encryption key.
For the broader credential story, see Authentication.
Endpoint
| Method | Path | Purpose | Allowed callers |
|---|---|---|---|
| POST | /restful/merchant/renewApiKey | Generate a new API password for a merchant | PSP, Acquirer |
Merchant must be in ACTIVE state.
Rotate the API password
Request:
curl -X POST https://qa.scantopay.io/portal/restful/merchant/renewApiKey \
-u 'PSP_42:yourPspApiPassword' \
-H 'Content-Type: application/json' \
-d '{ "merchantId": 25 }'Request fields:
| Field | Required | Description |
|---|---|---|
merchantId | yes | Merchant whose API password is being rotated |
Response:
{
"merchantId": 25,
"apiKey": "4F8B2A6C1D3E9F7B2A6C1D3E9F7B2A6C"
}The new password is a 32-character hex string (16 random bytes, base16-encoded, uppercase). It's the only time the password is returned — store it securely.
Rotation is immediate. The previous password stops working the instant this call returns. Coordinate your deploy so the new password is in your config before the rotation, or schedule a maintenance window.
Common errors
| HTTP | Body | Cause |
|---|---|---|
400 | "Merchant not in 'ACTIVE' state" | Suspended, terminated, or waiting-activation merchants can't have their API key rotated |
400 | "Invalid 'merchantId'" | Ownership check failed — you don't own this merchant |
401 | (empty) | ROLE_REMOTE not granted, or caller-prefix not allowed |
A safe rotation flow
To avoid downtime when rotating in production:
- Decide on a cutover window — typically a low-traffic period
- Update your application config / secret manager with the new password slot, but keep the old one active
- Call
/restful/merchant/renewApiKey— capture the response, push the new password into the active slot - Verify by making a benign call against the Remote API with the new password (e.g.
getTransactionStatefor a recent transaction) - Decommission the old password (you don't need to do anything — it's invalid the moment the rotation completes)
If your application caches credentials in-memory, restart workers / pods after the rotation so they pick up the new password.
Related credentials
| Credential | Purpose | How to rotate |
|---|---|---|
| Merchant API password | Authenticates Remote API and other transactional API calls | This endpoint |
| Webhook encryption key | Decrypts webhook payloads sent by Scan to Pay | Rotate the webhook key |
| Portal login password | Authenticates the Portal web UI (and Portal API if ROLE_REMOTE granted) | Portal UI → email dropdown → Change Password |
| Lib Lite token | In-app SDK authentication | Generate Lib Lite tokens — supports multiple active tokens simultaneously |
| JWT (Bearer) + PKI | Alternative to Basic Auth on the Remote API | Authentication — handshake protocol |
What's next
- Use the new password against the Remote API → Remote API overview
- Rotate the webhook key too → Notifications
- Generate in-app SDK tokens → Lib Lite tokens
- Cross-cutting rules → Business rules
Updated about 23 hours ago