API key revoked or expired
Your integration is returning 401 Unauthorized or 403 Forbidden, or the API key in your API keys list shows a “Revoked” or “Expired” status badge.
What’s happening
Section titled “What’s happening”Revoked: An admin explicitly revoked this key using Revoke in the API keys list. Revocation is permanent and immediate — the token is invalidated the moment it is revoked. A revoked key can never be restored; you must issue a new key.
Expired: The key’s expiresAt date has passed. The server transitions the key to expired automatically. Like a revoked key, an expired key cannot be re-activated — issue a new key.
The two statuses are distinct: revoked is always an administrative action; expired is a lifecycle event based on the key’s TTL.
How to fix it
Section titled “How to fix it”For a revoked key:
- Go to Admin & Security > Integrations > API keys.
- Select New API key.
- Configure the name, scopes, and expiry as before. Select Create API key.
- Copy the new token when it is shown — it is displayed exactly once.
- Update your integration with the new token.
For an expired key:
- Go to Admin & Security > Integrations > API keys. Expired keys show an “Expired” status badge.
- Issue a new key following the steps above.
If you want to extend the key’s TTL rather than replace it — for example, a key that expires in a few days — use Rotate on the active key now (while it is still active), and the new token will have a fresh TTL. You cannot rotate an already-expired key.
If that didn’t work
Section titled “If that didn’t work”If you have issued a new key and are still getting 401, verify that:
- You copied the full token (it starts with
mg_). - Your integration is sending the token in the
Authorization: Bearer <token>header. - The token is for the correct environment (live vs. test).
If you continue to see 403 after using a valid, active token, your key may not have the scope required for the operation you are calling. Check the key’s scopes in the API keys list and compare them to the required scopes in the API docs.
Contact your organization’s owner if you don’t have permission to issue new keys.