Authentication

Send your API key as a Bearer token:

Authorization: Bearer zb_live_4xK2pQ7nR9sT1vW3yZ5aBd

Keys start with zb_live_ followed by 22 base-62 characters. Anything else is rejected with 401 INVALID_KEY before the database is even consulted.

Open the in-app Settings → API keys page, give the key a label, and click Create key. The full secret is shown once at creation time — copy it immediately into your secret manager. After that, only the prefix (zb_live_xxxx) and last 4 characters are visible.

API access requires a paid plan. The matrix:

A key minted on a Growth org stops working if the org downgrades to Starter — requests return 402 INSUFFICIENT_PLAN until billing is restored.

All authentication errors return JSON with a typed code and a request ID for support tickets:

{
  "error": {
    "code": "INVALID_KEY",
    "message": "Missing or invalid API key. Pass it as `Authorization: Bearer zb_live_...`.",
    "requestId": "req_a1b2c3d4e5f6g7h8"
  }
}

The complete error code list is in the errors reference.

To rotate a key with zero downtime:

1. Mint a new key alongside the existing one.
2. Deploy the new key into your application.
3. Verify traffic is flowing on the new key (it shows a recent Last used timestamp).
4. Revoke the old key from the same settings page.

Revocation is immediate — the next call with a revoked key gets a 401 REVOKED_KEY.

• One key per integration. Easier to revoke when one is leaked.
• Never embed keys in client-side JavaScript, mobile apps, or public git repos. All zb_live_ keys are server-side credentials.
• Set up webhooks so you can react to events without polling — most integrations need both.