API keys: test vs live
Updated June 29, 2026
API keys authenticate requests to the Passmint API and any integration that talks to it. There are two kinds, and the key you use decides which mode you're operating in.
Test keys and live keys
- A key beginning with
pmk_test_operates in test mode. Passes it issues are watermarked and don't count toward your plan. - A key beginning with
pmk_live_operates in live mode. Passes it issues are real and count once installed.
There's no separate mode switch for the API. The prefix on the key is the mode. Build against a test key, then swap in a live key when you're ready.
Creating a key
Create keys in Developers → API keys. When you generate one, the full secret is shown only once. Copy it then and store it somewhere safe, like your secrets manager or your tool's credential settings. After that, the dashboard only ever shows the first few characters so you can recognize the key, never the full value again.
If you lose a key's secret, you can't reveal it again. Create a new key and revoke the old one rather than hunting for the original.
Revoking and rotating
- Revoke a key to stop it working immediately. Any integration using it will stop authenticating, so swap in a replacement first.
- Rotate by creating a new key, updating wherever the old one is used, then revoking the old one. Doing it in that order avoids downtime.
The dashboard records when each key was last used, which helps you spot keys that are safe to retire.
Keep keys secret
Treat a live key like a password. It can issue, update, and void real passes.
- Never commit a key to source control or paste it into client-side code.
- Use separate keys for separate tools so you can revoke one without disrupting the rest.
- Rotate immediately if a key may have leaked.
To debug what a key is doing, see reading your API request logs.