Skip to main content

API Keys

API keys authenticate all requests to the ZendFi API. Each key is scoped to either test or live mode, and the prefix tells you which environment it targets.

List API Keys

Returns all API keys for the authenticated merchant. The actual key values are never returned — only metadata.

Response


Create an API Key

Generates a new API key. The key value is returned only once in the response — store it securely.
mode
string
required
Either test or live.

Example

Response

The key field is only included in the create response. There is no way to retrieve it later. If you lose it, rotate the key to generate a new one.

Rotate an API Key

Deactivates the specified key and generates a replacement. The old key stops working immediately, and the new key is returned in the response.
id
string
required
API key ID to rotate.

Response


Key Security

Keys are hashed with both SHA-256 (for fast lookup) and Argon2 (for breach resistance) before being stored. ZendFi never stores plaintext keys.
Always store keys in environment variables or a secrets manager. Never commit them to source control. Use .env files locally and your platform’s secrets management in production.
Rotate keys regularly and immediately if a key may have been exposed. Rotation is atomic — the old key is deactivated the moment the new one is created.
Test keys cannot access live data and vice versa. This prevents accidental production charges during development.

Rate Limits

API keys are rate-limited per merchant: Rate limit headers are included in every response:
When you exceed the limit, the API returns 429 Too Many Requests with a Retry-After header.