Renew Secret API

All requests to MyPVit APIs must be authenticated via the HTTP header `X-Secret`

Using the Secret Key (X-Secret)

A unique secret key is associated with each operation account.
It is used to authenticate all API requests.
It is temporary and must be renewed periodically.

Header example

X-Secret: sk_live_87e1f459-35e7-4047-8847-20c0d69da13c

Endpoint

Method POST

Base URL https://api.mypvit.pro/v2

Path /{codeUrl}/renew-secret

Prerequisites

Your merchant profile is validated.
You have the required operation password for rotation.

Renewal sequence

You call the `renew-secret` endpoint with the required parameters.
MyPVit generates a new key

Required parameters

Send parameters as `application/x-www-form-urlencoded`.

Parameters

Name	Location	Type	Required	Description
`accountOperationCode`	query	string	Yes	Operation account code
`password`	query	string	Yes	Password associated with the API
`codeUrl`	path	string	Yes	Merchant URL code

Examples

Sample request

curl --location 'https://api.mypvit.pro/v2/XXXXXXXX/renew-secret' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'operationAccountCode=ACC_PROD_001' \
--data-urlencode 'password=********'

Confirmation response

{
  "operation_account_code": "ACC_PROD_001",
  "secret": "sk_live_xxxxxxxxxxxxxxxxxxx",
  "expires_in": 3600
}

Behavior & idempotency

Each validated call generates a new key. By default, consider the old key obsolete once the new one is activated.
If you implement a grace period (overlap), document the duration and switchover mode on your server side.
In case of repeated (duplicate) calls, the last received key is the one to use.

Security best practices

Never expose the key on the client side (web, mobile).
Use a secrets manager (e.g., Vault, AWS Secrets Manager).
Allow only trusted IPs to access your reception URL.
Monitor failed attempts and rate-limit rotations.
React to `401 Unauthorized` by triggering a controlled renewal.

Environments

Test: use your test URLs and operation accounts.
Production: replace test URL/account/key with your production equivalents.

Common errors

HTTP Code Cause Example

401

AUTHENTICATION_FAILED

Expired or incorrect key

{
  "date": "23102024-153045",
  "status_code": 401,
  "error": "AUTHENTICATION_FAILED",
  "message": "Invalid or expired secret key.",
  "path": "/{codeUrl}/renew-secret"
}

403

SECRET_KEY_RECEPTION_URL_NOT_ACTIVE

Reception URL is not active

{
  "date": "23102024-153045",
  "status_code": 403,
  "error": "SECRET_KEY_RECEPTION_URL_NOT_ACTIVE",
  "message": "Reception URL is disabled for this account.",
  "path": "/{codeUrl}/renew-secret"
}

400

INVALID_SECRET_KEY_RECEPTION_URL_CODE

Invalid reception URL code in the request

{
  "date": "23102024-153045",
  "status_code": 400,
  "error": "INVALID_SECRET_KEY_RECEPTION_URL_CODE",
  "message": "Provided receptionUrlCode is not valid.",
  "path": "/{codeUrl}/renew-secret"
}

FAQ

Do I need to respond to the key delivery? → Yes, reply with 200 to confirm receipt.
How long is the key valid? → Define a clear internal policy (e.g., monthly rotation).
What should I do if the key is lost? → Renew immediately and purge the compromised key.