Automatically Rotate Mambu API Keys

In this example, we walk you through creating a process that updates and rotates a Mambu API key in Mambu Process Orchestrator (MPO). The process is triggered daily by an end-of-day webhook, and the newly created API key and secret key are stored in a state diagram. Any MPO process that requires the API key to make calls to Mambu can then retrieve the configuration.

Create the Process

1. Create an API consumer

Create an API consumer and generate an API key and a secret key in the Mambu UI. For more information on how to do this, see API Consumers. The API consumer must have the following permissions enabled so that it can update API keys:

  • View API Consumers and Keys
  • Create API Consumers and Keys
  • Edit API Consumers and Keys
  • Delete API Consumers and Keys

Assigning permissions to use for this process

2. Deploy the MPO process

Download the process in the zip file below and deploy it to your MPO tenant.


3. Configure the MPO process

Find the Set configuration process in the MPO UI. Change the baseURL parameter in the Set Parameters node to be the URL of your Mambu tenant. Make sure to add /api to the end of the address.

4. Execute the set configuration process

Trigger a task manually for the Set configuration process, using the API key and secret key generated in step 1 as parameters for the task.

Uploading the Set Configuration task

For more information on how to manually trigger a task, see Manually trigger a task in the MPO UI.

5. Get the Direct URL of the Renew API Key Process

Get the Direct URL from the Renew API Key process in the MPO UI. Open the process, click the Start node, and then click Copy webhook via JSON. For more information, see Trigger a Task using a Direct URL.

6. Create a webhook

In the Mambu UI, create a webhook to trigger the Renew API Key process. Use the following settings to create the webhook:

  • Target: End of Day Processing
  • On Event: Accounts Updated
  • Web Hook URL: The URL from Step 5.
  • Request Type: POST
  • Authorization: No authorization
  • Content Type: application/json
  • Custom Request Headers: {"apiConsumerId": "Enter the encoded key or ID of the API consumer created in step 1."}

For more information, see Defining a New Webhook in our User Guide.

7. Call the “Retrieve Configuration” process in other processes

To use the API key in other processes, use the Call Process node to call the Retrieve Configuration process. To see how this is done in practice, open the Make API request with key (Example Process) process.

Calling the Retrieve Configuration process