Skip to main content
API keys are the gateway to your ZendFi account. Understanding how they work and how to protect them is critical for a secure integration.

Key Anatomy

Every ZendFi API key follows a predictable format:
The prefix serves a dual purpose: it lets you instantly identify the mode of a key, and it allows security scanners (like GitHub’s secret scanning) to detect accidentally committed keys.

Key Lifecycle

Creation

When a key is created, the full key value is returned exactly once. After that, only the prefix is available through the API or CLI.

Storage on the Server

ZendFi never stores your raw API key:
  1. The key prefix is stored in plaintext for display purposes.
  2. A SHA-256 hash is stored for fast lookup during authentication.
  3. An Argon2id hash is stored for brute-force-resistant verification.
This means even a complete database breach would not expose usable API keys.

Rotation

Rotation generates a new key and immediately invalidates the old one:
The rotation is atomic — there is no window where both keys are valid simultaneously. Plan your rotation to minimize downtime:
  1. Generate the new key
  2. Update all services and environments
  3. Verify the new key works
  4. The old key is already invalid

Revocation

Keys can be permanently revoked through the dashboard or API. Revoked keys cannot be restored.

Storage Best Practices

Environment Variables

The simplest and most portable approach:
The SDK auto-detects ZENDFI_API_KEY from the environment. No configuration code needed.

Secrets Managers

For production deployments, use a dedicated secrets manager:

What NOT to Do

Never do any of the following:
  • Hardcode API keys in source code
  • Commit keys to version control (even in private repos)
  • Log API keys in application output
  • Share keys over email, Slack, or other messaging
  • Store keys in client-side code (browser JavaScript)
  • Use the same key for test and production

Key Scoping

Keys can be scoped to limit their permissions. This follows the principle of least privilege: Scoped keys are created through the dashboard or the API. The CLI creates full-access keys by default.

Example: Read-Only Key for Analytics

Create a key that can only read payment data for your analytics dashboard:
This key can call GET /payments and GET /payments/:id but will receive a 403 Forbidden if it tries to create a payment.

Rate Limits

API key operations have their own rate limits, separate from general API limits: When you hit a rate limit, the API returns 429 Too Many Requests with headers indicating when you can retry:

Audit Trail

Every key operation is logged in the audit trail:
  • Key creation (who, when, name, mode)
  • Key rotation (who, when, key ID)
  • Key usage (timestamp, endpoint, IP address, response status)
Access the audit log through the ZendFi Dashboard under Settings > API Keys > Activity Log.

Incident Response

If you suspect a key has been compromised:
  1. Rotate immediately: zendfi keys rotate <key-id>
  2. Check the audit log for any unauthorized usage
  3. Update all services with the new key
  4. Review access to determine how the key was exposed
  5. Harden storage based on findings (move to secrets manager, add IP restrictions, etc.)