API Key Rotation Policy
Last updated: 24/06/2026
Purpose
This policy establishes the mandatory requirements for the periodic rotation of Monnify Application Programming Interface (API) keys used by merchants to access Monnify's disbursement and payment services.
The purpose of this policy is to:
- Reduce the risk of unauthorised access arising from long-lived or compromised API credentials.
- Establish a consistent, enforceable minimum security standard for all active Monnify API integrations.
- Ensure merchants maintain awareness of and responsibility for the security of their integration credentials.
- Support Monnify's compliance with applicable security standards and regulatory expectations.
Scope
This policy applies to:
- All merchants with active Monnify disbursement API integrations.
- Monnify internal teams responsible for merchant onboarding, integration support, operations, compliance, and customer service.
This policy applies to live (production) API keys only. Test (sandbox) environment API keys are out of scope.
Note: This policy does not apply to merchants who access Monnify services exclusively through the dashboard (non-API channel). Dashboard access is governed by separate authentication and access control policies.
Policy Statement
Monnify requires all merchants operating API integrations to rotate their API keys at a minimum interval of once every six (6) months.
Key obligations under this policy are:
- All active API keys must be rotated at least once every 6 months.
- Merchants are responsible for initiating API key rotation via the Monnify dashboard or API.
- Monnify will notify merchants in advance of their key rotation deadline via email.
- API keys that are not rotated within the required period will be subject to enforced deactivation in accordance with the enforcement schedule defined in this policy.
- Upon rotation, the previous API key will enter a grace period before permanent deactivation to allow merchants to complete their integration updates.
Definitions
| Term | Definition |
|---|---|
| API Key | A unique alphanumeric credential issued to a merchant by Monnify, used to authenticate programmatic requests to Monnify's services via the API. |
| API Key Rotation | The process by which a merchant generates a new API key to replace an existing one, after which the previous key is deactivated following a defined grace period. |
| Secret Key | A confidential key paired with the API key and used for HMAC-based request signing and callback validation. The Secret Key is displayed only once at time of creation and must be stored securely by the merchant. |
| Grace Period | A defined window of time following API key rotation during which the previous API key remains temporarily active, allowing merchants to complete integration updates before the old key is deactivated. |
| Rotation Deadline | The date by which a merchant must rotate their API key. This date is calculated as 6 months from the date of the merchant's last key rotation or initial key issuance. |
| Enforced Deactivation | The automatic or manual disabling of an API key by Monnify upon a merchant's failure to rotate within the required period, following all prior notifications. |
| Monnify Dashboard | The web-based merchant portal through which merchants manage their Monnify account, including API key management, transactions, and settings configuration. |
Rotation Frequency
All active Monnify API keys must be rotated at least once every six (6) months. The rotation deadline for each merchant is calculated from the date of their most recent key rotation or, for new merchants, the date of initial key issuance.
Note: Merchants may rotate their API keys more frequently than the minimum required interval. Monnify encourages early rotation in response to any suspected compromise, security incident, personnel changes involving staff who had access to the key, or significant changes to the merchant's technical infrastructure.
How to Rotate an API Key
Merchants may rotate their API key via the Monnify Dashboard:
- Log in to the Monnify dashboard at app.monnify.com.
- Navigate to Developer > API Keys & Contracts.
- Select Reset API Key.
- Input the reason for API key rotation.
- Enter your password.
- Complete the Two-Factor Authentication (2FA) challenge to confirm the action.
- The new API key and Secret Key will be displayed. Copy the Secret Key at this point; it is shown only once.
- Update all integration systems and services with the new credentials, and confirm they authenticate with the new key, before the grace period expires.
Warning: Monnify does not store or have the ability to retrieve the Secret Key after it is issued. Merchants who lose their Secret Key must rotate again to obtain a new one.
Grace Period for Old Keys
Upon successful rotation, the previous API key will remain active for a period of 7 days to allow merchants to update their integration systems without service disruption. During the grace period:
- Both the old and new API keys will be active simultaneously.
- Merchants should complete all integration updates and test their systems using the new key before the grace period ends.
- At the end of the grace period, the old API key will be permanently deactivated. Requests made using the deactivated key will be rejected.
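The Secret Key definition above says it is used for HMAC-based request signing and callback validation, and during the 7-day grace period both the old and new keys are active. A merchant's callback handler therefore needs to accept callbacks signed with either secret until the old one is deactivated, then drop the old secret, without ever comparing signatures in a way that leaks timing. The following is an added example of that rollover logic; it is not Monnify's code and not part of this policy. It assumes HMAC-SHA512 over the raw request body, hex-encoded, and the environment variable names `MONNIFY_SECRET_KEY`, `MONNIFY_PREVIOUS_SECRET_KEY` and `MONNIFY_SECRET_ROTATED_AT`; check Monnify's API documentation for the actual algorithm, header name and payload your integration must verify.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Length of the grace period stated in this policy.
GRACE_PERIOD = timedelta(days=7)


@dataclass
class SecretSet:
    """Secret Keys a merchant holds during and after a rotation.

    `current` is the Secret Key issued at the latest rotation; `previous`
    is the one it replaced, honoured only until the grace period ends.
    """
    current: bytes
    previous: Optional[bytes] = None
    rotated_at: Optional[datetime] = None  # when `current` was issued (UTC)

    def active_secrets(self, now: datetime) -> List[bytes]:
        """Secrets that may legitimately sign a callback at time `now`."""
        secrets = [self.current]
        in_grace = (
            self.previous is not None
            and self.rotated_at is not None
            and now - self.rotated_at < GRACE_PERIOD
        )
        if in_grace:
            secrets.append(self.previous)
        return secrets


def load_secret_set(env=os.environ) -> SecretSet:
    """Build a SecretSet from environment variables.

    The variable names are assumptions for this example; the policy only
    requires that secrets live in a credential store or environment
    variables and never in source control.
    """
    current = env["MONNIFY_SECRET_KEY"].encode()
    previous = env.get("MONNIFY_PREVIOUS_SECRET_KEY")
    rotated_at = env.get("MONNIFY_SECRET_ROTATED_AT")  # ISO 8601 with offset
    return SecretSet(
        current=current,
        previous=previous.encode() if previous else None,
        rotated_at=datetime.fromisoformat(rotated_at) if rotated_at else None,
    )


def sign_body(secret: bytes, body: bytes) -> str:
    """HMAC over the raw request body, hex-encoded.

    SHA-512 is an assumption of this example, not a statement about
    Monnify's actual callback signing scheme.
    """
    return hmac.new(secret, body, hashlib.sha512).hexdigest()


def verify_callback(body: bytes, signature: str, secrets: SecretSet,
                    now: datetime) -> Optional[str]:
    """Return "current" or "previous" for the secret that validates the
    signature, or None if no active secret does.

    Each candidate is checked with a constant-time comparison. Returning
    which secret matched lets the merchant log that a callback is still
    being verified with the old key, i.e. the cutover is not finished.
    """
    labels = ["current", "previous"]
    presented = signature.strip().lower().encode()
    for label, secret in zip(labels, secrets.active_secrets(now)):
        expected = sign_body(secret, body).encode()
        if hmac.compare_digest(expected, presented):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample: a callback body and a rotation performed one day ago.
    rotated = datetime.now(timezone.utc) - timedelta(days=1)
    keys = SecretSet(b"new-secret", b"old-secret", rotated)
    body = b'{"eventType":"SUCCESSFUL_TRANSACTION","amount":1000}'
    now = datetime.now(timezone.utc)
    print("old-key signature inside grace:",
          verify_callback(body, sign_body(b"old-secret", body), keys, now))
    print("old-key signature after grace:",
          verify_callback(body, sign_body(b"old-secret", body), keys,
                          rotated + timedelta(days=8)))
```

Once `verify_callback` has reported "current" for every callback over a full processing cycle, the previous secret can be removed from the environment; after the grace period `active_secrets` ignores it anyway, so a forgotten old secret never extends the window the policy allows.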
Merchant Notification Schedule
Monnify will issue automated notifications to merchants ahead of their rotation deadline via the email address registered to their Monnify account. The notification schedule is as follows:
| Notification | Timing | Content |
|---|---|---|
| First Reminder | 30 days before rotation deadline | Advance notice of upcoming rotation requirement with step-by-step instructions. |
| Urgent Reminder | 7 days before rotation deadline | Urgent notice confirming that key deactivation will occur if rotation is not completed. |
| Final Notice | 1 day before rotation deadline | Final warning. Notification that enforced deactivation is imminent. |
| Deactivation Notice | On or after rotation deadline | Confirmation that the API key has been deactivated and instructions for restoring access by generating a new key. |
Merchants are advised to ensure that the registered contact email address on their Monnify account is accurate and monitored. Monnify is not responsible for notifications that are undelivered due to incorrect or unmonitored email addresses.
Enforced Deactivation
Where a merchant has not rotated their API key by the rotation deadline, notwithstanding all prior notifications, Monnify reserves the right to enforce deactivation of the overdue API key. Enforced deactivation will result in:
- Immediate rejection of all API requests authenticated with the deactivated key.
- Disruption to any live integrations or services relying on that key until a new key is generated and deployed by the merchant.
To restore API access following enforced deactivation, the merchant must log in to the Monnify dashboard and generate a new API key.
Compromised Keys
A merchant who suspects or confirms that their API key has been compromised must:
- Immediately rotate the API key via the Monnify dashboard or API.
- Notify Monnify's support team at [email protected] or via the dedicated merchant support channel.
- Review recent transactions for any unauthorised activity and report any suspicious transactions to Monnify.
Monnify may, at its discretion, proactively deactivate an API key if activity patterns suggest compromise, notifying the merchant immediately.
Security Best Practices for API Keys
In addition to mandatory rotation, merchants are expected to follow these best practices:
- Store API keys and Secret Keys in a dedicated secrets manager or encrypted credential store; where environment variables are used, inject them at deployment time rather than writing them into configuration files.
- Never commit API keys to version control systems (e.g. Git) or expose them in client-side code.
- Restrict access to API keys to only those team members and systems that require them.
- Regularly audit which internal team members have access to Monnify API credentials and revoke access when no longer required.
- Rotate API keys immediately following any staff departure where the departing employee had access to the credentials.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Merchant | Initiate API key rotation within the required period. Ensure integration systems are updated before the grace period expires. Notify Monnify of any suspected compromise. Maintain accurate contact details on the Monnify account. |
| Monnify Product Team | Maintain and improve API key management features on the Monnify platform. Ensure the rotation notification system functions correctly. Own this policy and review it periodically. |
| Monnify Operations & Customer Service | Support merchants experiencing difficulties with key rotation. Handle inbound queries related to key deactivation. Escalate compromise incidents to the security team. |
| Monnify Compliance & Audit | Monitor adherence to this policy across the merchant base. Include API key rotation compliance in periodic audit reviews. Flag instances of non-compliance for remediation. |
| Monnify Security Team | Investigate suspected or confirmed API key compromise incidents. Advise on and enforce emergency deactivations where required. Maintain technical security controls supporting this policy. |
| Monnify Legal / Risk | Review and approve this policy. Advise on liability and regulatory implications of non-compliance by merchants. |
Monitoring
Monnify will track the age of all active API keys and monitor rotation compliance across the merchant base. Compliance reports will be made available to the Compliance and Audit teams on a periodic basis.
Internal Compliance
Monnify internal teams (Operations, Customer Service, Compliance) are expected to be familiar with this policy in order to:
- Accurately advise merchants on key rotation requirements and processes.
- Identify and escalate merchants at risk of non-compliance.
- Handle inbound queries and complaints arising from enforced deactivations.
Merchant Non-Compliance
Merchants who fail to rotate their API keys within the required period, following all prior notifications, will be subject to enforced key deactivation as described in the Enforced Deactivation section.
In cases where a non-compliant API key is determined to have been involved in a security incident or unauthorised transaction activity, Monnify reserves the right to take further action in accordance with the Merchant Services Agreement, including but not limited to account suspension.
Exceptions Process
Merchants who require a temporary extension to their rotation deadline due to exceptional operational circumstances may submit a written request to their Monnify account manager or to [email protected].
Exception requests must include:
- The reason for the requested extension.
- The merchant's business name and Monnify account identifier.
- The proposed revised rotation date.
- A confirmation of the security measures currently in place to mitigate risk during the extension period.
Exceptions are subject to review and approval by the Monnify Product and Compliance teams. Approval is not guaranteed. Approved exceptions will be documented and communicated to the merchant in writing. Extensions will not typically exceed 30 days beyond the original deadline.
Internal teams requesting exceptions to this policy on behalf of a merchant must route the request through the Compliance team for formal approval.
