# Settings The Settings section of the Portal is where you manage API keys and configure webhook endpoints for your organisation. ## API Keys Navigate to **Settings → API Keys** to generate and manage API keys for the Monato Direct Debit API. ### Generating a Key 1. Click **Generate New Key**. 2. Select the environment: **Sandbox** or **Production**. 3. Optionally give the key a descriptive label (e.g. the service or integration it will be used for). 4. Click **Create**. The key is displayed once — copy it and store it securely. Key generation is instant and requires no approval. You can generate as many keys as needed per environment. ### Revoking a Key To revoke a key, locate it in the key list and click **Revoke**. This takes effect immediately — any requests using the revoked key will receive a `401 Unauthorized` response. :::warning Revoked keys cannot be restored. If a key is revoked accidentally, generate a new one and update your integration. ::: ### Key Security - Store API keys in environment variables or a secrets manager, never in source code. - Use one key per service or integration so you can revoke individual access without affecting others. - Rotate keys periodically and immediately if you suspect a key has been exposed. For more detail, see [Authentication](/products/directdebit/content/getting-started/authentication). ## Webhooks Navigate to **Settings → Webhooks** to configure the endpoint where the platform will deliver event notifications. ### Adding a Webhook Endpoint 1. Click **Add Endpoint**. 2. Enter the **URL** of your endpoint. It must be a publicly accessible HTTPS URL. 3. Enter the **Authorization header value** the platform should include in every delivery request. This is used by your endpoint to verify that requests originate from Monato. 4. Click **Save**. ### Updating or Removing an Endpoint You can update the URL or Authorization value of an existing endpoint, or remove it entirely, from the webhook settings list. ### Testing Delivery After saving an endpoint, use the **Send Test Event** option to verify that your endpoint is reachable and responding correctly. A successful test will return a `200` or `201` status from your endpoint. For details on event payloads and retry behaviour, see [Webhooks](/products/directdebit/content/guides/api/webhooks).