This page explains how to view, renew and revoke the keys used for the technical integration with Axepta Online from the Merchant Portal.

Key management allows the merchant or technical integrator to secure exchanges between their system and the Axepta Online platform, especially for REST API calls, server-to-server notifications and, depending on the integration mode, exchanges using HMAC keys or the encryption password.

Regular key renewal is recommended for security reasons. A controlled key rotation allows old keys to be replaced without service interruption.

Documentation Axepta BNP Paribas > Key management (optional) > image-2026-5-29_15-15-12.png

Overview of Key management

Documentation Axepta BNP Paribas > Key management (optional) > image-2026-5-29_15-26-31.png

Accessing the Key Management page

From the Axepta Online Merchant Portal, open the Key Management section. The page displays the following information:

the selected merchant;
available access data;
primary and secondary keys;
available actions for each key;
the latest activity history.

Note: depending on your user profile, the Key Management section may not be visible.

At the top right of the screen, the Merchant field allows you to select the relevant merchant account.

Before performing any action, make sure the correct merchant is selected.
Displayed keys and performed actions apply only to the selected merchant.

Once enabled to edit API Credentials, you can

create a new key for empty fields
Status Description
Active The key has been generated, is valid and can be used immediately for API access
Use case temporary migrations or before key rotation
renew an existing key
Status Description
Active The key has been updated, is valid and can be used immediately for API access
Use case if compromise is suspected or without key rotation
revoke an existing key
Status Description
Inactive The key has been immediately deactivated and is irretrievably deleted for API access
Use case temporary migrations or after key rotation

uses API key sets for your MerchantID.

Legacy API (Both used in legacy API)

Encryption Password

Primary HMAC key

REST API (Primary HMAC Key is shared and optionally used for Enhanced Webhook in REST API)

Primary HMAC key

Primary REST API key

Double run in REST API (Both optionally used for double run in REST API)

Secondary HMAC key

Secondary REST API key

In case you have integrated with our REST API you can use two key sets in parallel to rotate keys without downtime.

Using two key sets in parallel is called double run. Double run allows you to switch your systems from one key to another without interrupting live traffic.

Status	Description
Active	The key has been generated, is valid and can be used immediately for API access
Use case	temporary migrations or before key rotation

Status	Description
Active	The key has been updated, is valid and can be used immediately for API access
Use case	if compromise is suspected or without key rotation

Status	Description
Inactive	The key has been immediately deactivated and is irretrievably deleted for API access
Use case	temporary migrations or after key rotation