Overview
AppKeys are long-lived credentials used to authenticate API requests. Each key is scoped to your account and can be revoked at any time.
AppKeys have the prefix sk-mm- followed by a random token.
Creating an AppKey
- Log in at the dashboard
- Navigate to API Keys
- Click Create Key
- Enter a name and optional webhook signing secret
- Copy the key — it is shown only once
The AppKey and its signing_secret are shown only at creation time. Store them securely — they cannot be retrieved later.
Key status
| Status | Description |
|---|
| Active | Accepts API requests |
| Disabled | Requests return 1003 — key disabled |
| Deleted | Requests return 1004 — key deleted |
Webhook signing secret
If you use callback_url, verify incoming webhooks using the signing_secret associated with the AppKey:
import hmac, hashlib
def verify(body: bytes, signature: str, secret: str) -> bool:
expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
return hmac.compare_digest(expected, signature)
X-Signature request header.
