Authentication
Every request is authenticated with an API key.
Pass your key in the X-API-Key header on every request:
X-API-Key: zpl_your_keyManaging keys
Create, name, and revoke keys in the dashboard. The full key is shown only at creation — store it securely. Revoking a key takes effect immediately.
Keep keys secret
Treat keys like passwords. Use them only server-side, never in client-side code or public repositories. If a key leaks, revoke it and create a new one.
Rate limits
Each key has a rate limit. Exceeding it returns 429 with a Retry-After header telling you how many seconds to wait. See Errors & Limits.