Skip to main content
All API requests to Zentra must be authenticated using API keys. This guide explains how to obtain and use your API keys securely.

API Keys

Zentra uses API keys to authenticate requests. You can obtain your API keys from the Developer Console.

Key Types

Secret Key

Format: sk_sandbox_... or sk_live_...Used for server-side API calls. Never expose this in client-side code!

Public Key

Format: pk_sandbox_... or pk_live_...Can be used in client-side code for specific operations like initializing payments.

Environments

Zentra provides two environments:
Always use sandbox keys during development and testing. Only use live keys in production.

Making Authenticated Requests

Include your API key in the Authorization header using Bearer authentication:

Example Requests

The examples below intentionally use reviewed transfer endpoints rather than draft customer or wallet surfaces.

Keeping Your Keys Safe

  • Store keys in environment variables
  • Use different keys for development and production
  • Rotate keys regularly
  • Use a secrets manager (AWS Secrets Manager, Azure Key Vault, etc.)
  • Restrict API key permissions to only what’s needed
  • Monitor API usage for unusual activity
  • Never commit keys to version control
  • Don’t hardcode keys in your application
  • Don’t share keys via email or chat
  • Don’t use production keys in development
  • Don’t expose secret keys in client-side code
  • Don’t share keys across multiple applications

Environment Variables

Store your API keys in environment variables:
Then load them in your application:

Error Responses

If authentication fails, you’ll receive a 401 Unauthorized response:
Common authentication errors:

API Key Management

Rotating Keys

To rotate your API keys:
  1. Generate a new key in the Developer Console
  2. Update your application with the new key
  3. Test thoroughly
  4. Revoke the old key
We recommend rotating keys every 90 days as a security best practice.

Revoking Keys

If you suspect a key has been compromised:
  1. Go to Dashboard → API Keys
  2. Click Revoke next to the compromised key
  3. Generate and deploy a new key immediately

Key Permissions

You can create API keys with limited permissions:
  • Read-only: Only GET requests
  • Write: POST, PUT, PATCH, DELETE requests
  • Admin: Full access including sensitive operations

IP Whitelisting (Optional)

For additional security, you can whitelist IP addresses:
  1. Go to Dashboard → Security
  2. Add your server IP addresses
  3. Save changes
Be careful with IP whitelisting if your application runs on dynamic infrastructure (like cloud functions).

Rate Limiting

API keys are subject to rate limits: See Rate Limits for more details.

Next Steps

Make Your First Request

Follow our quickstart guide

API Reference

Explore all available endpoints

Error Handling

Learn about error responses

Webhooks

Set up webhook authentication