Authentication

API keys, test vs live environments, and how to rotate credentials safely.

#Bearer-style key headers

Every request to the Zaptick API must carry your API key in the X-API-Key header.

HTTP
GET /api/contacts HTTP/1.1
Host: zaptick.io
X-API-Key: zaptick_live_01J3xkx7...

The SDK attaches this header for you automatically, but you can override it per-request for tooling that rotates across multiple tenants.

#Test vs live

Keys are prefixed so you can tell them apart at a glance and grep your logs for leaks:

  • zaptick_test_… — test environment. Never charges your wallet. Messages are accepted, dispatched and simulated end-to-end.
  • zaptick_live_… — production. Deducts from your wallet per message.

The playground accepts both — it introspects the prefix and tags each request so you always know what environment you're hitting.

#Key hygiene

  • Keys are shown exactly once on creation. We store only a SHA-256 hash + a short display prefix.
  • Rotate compromised keys instantly from the dashboard. Revocation is immediate — subsequent requests receive 401 invalid_api_key.
  • Keys are scoped to the workspace ("company") they were created in — there's no cross-workspace access.
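
An added example (not Zaptick's own code) of the log search suggested under "Test vs live". It reports each hit the way the list above describes storage, as a SHA-256 hash plus a short display prefix, so the report never holds a usable key. Only the two prefixes come from this page; the key body pattern, the display length and the sample log lines are assumptions constructed for the example.

```python
import hashlib
import re

# Assumption: the secret part after the documented prefix is 8+ characters
# from [A-Za-z0-9_-]; this page documents only the two prefixes.
KEY_RE = re.compile(r"\bzaptick_(live|test)_[A-Za-z0-9_-]{8,}")
DISPLAY_LEN = len("zaptick_live_") + 4  # prefix plus 4 chars (constructed choice)


def fingerprint(key: str) -> str:
    """SHA-256 hex digest, so a finding can be correlated without keeping the key."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def scan(lines):
    """Return (findings, redacted_lines) for an iterable of log lines."""
    findings, redacted = [], []
    for lineno, line in enumerate(lines, start=1):
        def _mask(match, lineno=lineno):
            key = match.group(0)
            findings.append({
                "line": lineno,
                "env": match.group(1),  # "live" or "test", taken from the prefix
                "display": key[:DISPLAY_LEN] + "...",
                "sha256": fingerprint(key),
            })
            return key[:DISPLAY_LEN] + "[REDACTED]"
        redacted.append(KEY_RE.sub(_mask, line))
    return findings, redacted


# Constructed sample log lines; the keys are made up for this example.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z INFO GET /api/contacts 200',
    '2024-05-01T10:00:01Z DEBUG headers={"X-API-Key": "zaptick_live_EXAMPLEonly0001"}',
    '2024-05-01T10:00:02Z DEBUG retry with key=zaptick_test_EXAMPLEonly0002 ok',
    '2024-05-01T10:00:03Z INFO docs mention the zaptick_live_ prefix',
]

if __name__ == "__main__":
    found, clean = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['env']} key {f['display']} sha256={f['sha256'][:16]}")
    print("\n".join(clean))
```

A `live` finding is the one to rotate first, since that key deducts from the wallet; the redacted lines can replace the originals wherever the logs are forwarded or archived.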

#Error responses

When a key is missing, malformed, or revoked you'll receive a 401:

JSON
{
  "error": {
    "code": "invalid_api_key",
    "message": "API key is missing or invalid.",
    "docs": "https://developers.zaptick.io/docs/authentication"
  }
}