Passmint
TemplatesDocsPricingBlog
Log inGet started
Passmint

Apple and Google Wallet passes from one API. Built for people who ship.

Product
  • Pass Designer
  • Developers
  • Distribution
  • Analytics
  • Templates
  • Pricing
Developers
  • Documentation
  • API reference
  • Node SDK
  • Webhooks
Company
  • Changelog
  • About
  • Contact
  • Support
  • Security
  • Terms
  • Privacy
Social
  • GitHub
  • X

© 2026 Passmint. Built for indie makers.

Apple Wallet & Google Wallet, one API.

For developers

API keys: test vs live

Updated June 29, 2026

API keys authenticate requests to the Passmint API and any integration that talks to it. There are two kinds, and the key you use decides which mode you're operating in.

Test keys and live keys

  • A key beginning with pmk_test_ operates in test mode. Passes it issues are watermarked and don't count toward your plan.
  • A key beginning with pmk_live_ operates in live mode. Passes it issues are real and count once installed.

There's no separate mode switch for the API. The prefix on the key is the mode. Build against a test key, then swap in a live key when you're ready.

Creating a key

Create keys in Developers → API keys. When you generate one, the full secret is shown only once. Copy it then and store it somewhere safe, like your secrets manager or your tool's credential settings. After that, the dashboard only ever shows the first few characters so you can recognize the key, never the full value again.

If you lose a key's secret, you can't reveal it again. Create a new key and revoke the old one rather than hunting for the original.

Revoking and rotating

  • Revoke a key to stop it working immediately. Any integration using it will stop authenticating, so swap in a replacement first.
  • Rotate by creating a new key, updating wherever the old one is used, then revoking the old one. Doing it in that order avoids downtime.

The dashboard records when each key was last used, which helps you spot keys that are safe to retire.

Keep keys secret

Treat a live key like a password. It can issue, update, and void real passes.

  • Never commit a key to source control or paste it into client-side code.
  • Use separate keys for separate tools so you can revoke one without disrupting the rest.
  • Rotate immediately if a key may have leaked.

To debug what a key is doing, see reading your API request logs.

Related articles

Where to find the API & SDK docsA signpost to the developer documentation for the API, SDK, and webhooks.Reading your API request logsInspect recent API requests to debug what your integration is sending.

On this page

  • Test keys and live keys
  • Creating a key
  • Revoking and rotating
  • Keep keys secret