Authentication
Every request to /v1/* requires a bearer token in the Authorization header.
Authorization: Bearer zk_AbCdEf...
Get a key
Sign in → API keys → Create new key. The plaintext is shown once. We only store the SHA-256 hash on our side — there is no way to recover the original. If you lose it, revoke and create a new one.
Key format
| Part | Example | Notes |
|---|---|---|
| Prefix | zk_ | Identifies the key type |
| Body | 43 chars (URL-safe base64 of 32 random bytes) | The secret |
| Total length | 46 chars | |
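As an added example (not the service's own code), the Python below checks a string against the key format in the table above and masks well-formed keys found in log lines or source text before they are stored or shared. The function names, the round-trip check and the local fingerprint are assumptions of this example.

```python
import base64
import hashlib
import re

PREFIX, BODY_LEN = "zk_", 43  # documented: zk_ + URL-safe base64 of 32 bytes
# Lookarounds keep the scanner from matching inside a longer token.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])zk_[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])")


def is_well_formed(key: str) -> bool:
    """Check the documented shape: 46 chars, zk_ prefix, body decodes to 32 bytes."""
    if len(key) != len(PREFIX) + BODY_LEN or not key.startswith(PREFIX):
        return False
    body = key[len(PREFIX):]
    if not re.fullmatch(r"[A-Za-z0-9_-]+", body):
        return False
    raw = base64.urlsafe_b64decode(body + "=")  # restore stripped padding
    # Assumption: keys come from a standard encoder, which zeroes the two
    # spare bits in the last character; reject bodies that do not round-trip.
    return len(raw) == 32 and base64.urlsafe_b64encode(raw).decode() == body + "="


def redact(text: str) -> tuple[str, list[str]]:
    """Mask well-formed keys in text; return (masked_text, fingerprints)."""
    fingerprints: list[str] = []

    def _mask(match: re.Match) -> str:
        key = match.group(0)
        if not is_well_formed(key):
            return key
        # Local fingerprint for correlating leaks; not claimed to equal the
        # hash the service stores.
        fp = hashlib.sha256(key.encode("ascii")).hexdigest()[:12]
        fingerprints.append(fp)
        return f"{PREFIX}[REDACTED sha256:{fp}]"

    return KEY_RE.sub(_mask, text), fingerprints


def sample_key() -> str:
    """Constructed, non-secret key built from fixed bytes (for the demo only)."""
    return PREFIX + base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")


if __name__ == "__main__":
    log_line = f"Authorization: Bearer {sample_key()}"  # constructed sample line
    print(redact(log_line))
```

Running `redact` over log output or a diff before it leaves the server keeps the plaintext out of places where it cannot be revoked.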
Rotate a key
- Create a new key in the dashboard.
- Roll it into your environment.
- Confirm traffic on the new key in Usage.
- Revoke the old key.
Revocation is immediate — calls using the old key start returning 401 invalid_api_key within seconds.
Errors
| Status | Code | Cause |
|---|---|---|
| 401 | missing_api_key | No Authorization header |
| 401 | invalid_api_key | Bad format, unknown key, or revoked |
| 403 | account_suspended | Account is suspended or closed |
| 429 | quota_exceeded | Monthly result quota hit — see Rate limits |
| 429 | rate_limited | Per-minute rate limit hit |
Storing keys
- Server-side only. Never embed in browser/mobile code that ships to users.
- Per-environment. One key for staging, one for production.
- Per-service. Different microservices = different keys; revoke independently.