Skip to main content
API keys are the primary method of authenticating with the DHMAD API. This guide covers best practices for managing your keys.

Creating API Keys

  1. Log into the Developer Dashboard
  2. Navigate to the “API Keys” section
  3. Click “Create API Key”
  4. Provide:
    • Key Name: Descriptive name (e.g., “Production App”, “Staging Environment”)
    • Environment: Choose between “Live (Production)” or “Sandbox (Testing)”
  5. Copy your key immediately - it won’t be shown again!
API keys are only displayed once when created. Make sure to copy and store them securely.

Key Management

Viewing Keys

In the dashboard, you can see:
  • Key name
  • Environment (Live or Sandbox)
  • Creation date
  • Last used date
  • Active/Inactive status

Regenerating Keys

To regenerate a key:
  1. Find the key in your dashboard
  2. Click the regenerate icon
  3. Confirm the action
  4. Copy the new key immediately
Regenerating a key immediately invalidates the old key. Update your application with the new key before regenerating.

Deactivating Keys

To temporarily disable a key:
  1. Find the key in your dashboard
  2. Toggle the active status
  3. The key will be disabled but not deleted

Deleting Keys

To permanently delete a key:
  1. Find the key in your dashboard
  2. Click the delete icon
  3. Confirm the deletion
Deleting a key is permanent and cannot be undone. Make sure you have a backup key before deleting.

Best Practices

Use Separate Keys

Use sandbox keys (sk_sandbox_) for testing and live keys (sk_live_) for production. See Sandbox.

Name Clearly

Use descriptive names to identify key purposes

Rotate Regularly

Regenerate keys periodically for security

Monitor Usage

Regularly check key usage for suspicious activity

Store Securely

Never commit keys to version control

Limit Access

Only share keys with trusted team members

Environment Variables

Store API keys as environment variables:
# .env file
DHMAD_API_KEY=sk_live_abc123...
Access in your code:
const API_KEY = process.env.DHMAD_API_KEY;

Security Checklist

  • Keys stored in environment variables
  • Keys not committed to version control
  • .env files in .gitignore
  • Different keys for each environment
  • Keys rotated periodically
  • Access limited to necessary team members
  • Monitoring enabled for key usage

Troubleshooting

”Invalid API Key” Error

  • Verify the key is copied correctly (no extra spaces)
  • Check the key is active in the dashboard
  • Ensure you’re using the correct key for your environment: sk_live_ for production (dhmad.tn), sk_sandbox_ for the sandbox (sandbox.dhmad.tn). Using the wrong key type returns a clear 401 message.

Key Not Working

  • Verify the key hasn’t been regenerated
  • Check the key hasn’t been deleted
  • Ensure your developer account is associated with a user account

If a key is compromised, regenerate it immediately and update all applications using it.