API Keys
All API requests require authentication using a Bearer token in the Authorization header.
Authorization: Bearer zv_live_xxxxxxxxxxxxxxxxxxxxxxxx
Key Types
| Prefix | Environment | Usage |
|---|---|---|
| zv_live_ | Production | Real messages, real costs |
| zv_test_ | Sandbox | Testing without sending real messages |
Test keys (zv_test_) simulate message sending but don’t actually deliver messages. Use them for development and testing.
Creating API Keys
- Log in to your Zavu Dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Give it a descriptive name (e.g., “Production Server”, “Development”)
- Copy and securely store the key
API keys are only shown once at creation. If you lose a key, you’ll need to create a new one.
Using API Keys
In HTTP Requests
Include the key in the Authorization header:
curl https://api.zavu.dev/v1/messages \
-H "Authorization: Bearer zv_live_xxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json"
In SDKs
import { Zavu } from '@zavu/node';
const zavu = new Zavu(process.env.ZAVU_API_KEY);
| Header | Description | Example |
|---|---|---|
| Zavu-Sender | Override the default sender | snd_abc123 |
| Idempotency-Key | Prevent duplicate sends | order-12345-confirmation |
Override the default sender for a specific request:
curl -X POST https://api.zavu.dev/v1/messages \
-H "Authorization: Bearer zv_live_xxx" \
-H "Zavu-Sender: snd_abc123" \
-H "Content-Type: application/json" \
-d '{"to": "+56912345678", "text": "Hello!"}'
Idempotency Keys
Prevent duplicate message sends due to network retries:
curl -X POST https://api.zavu.dev/v1/messages \
-H "Authorization: Bearer zv_live_xxx" \
-H "Content-Type: application/json" \
-d '{
"to": "+56912345678",
"text": "Your order #12345 has shipped!",
"idempotencyKey": "order-12345-shipped"
}'
If you retry this request with the same idempotencyKey, the API returns a 409 Conflict containing the original message instead of sending a duplicate.
Security Best Practices
Never expose your API keys in client-side code, public repositories, or browser applications.
Do’s
- Store keys in environment variables
- Use different keys for development and production
- Rotate keys periodically (every 90 days recommended)
- Use the minimum permissions needed
- Monitor key usage in your dashboard
Don’ts
- Don’t commit keys to version control
- Don’t share keys via email or chat
- Don’t use production keys in development
- Don’t embed keys in mobile apps or frontends
Key Permissions
API keys can be scoped to specific permissions:
| Permission | Description |
|---|---|
| * | Full access to all resources |
| messages:send | Send messages |
| messages:read | Read message status and history |
| templates:read | Read templates |
| templates:write | Create and update templates |
| contacts:read | Read contact information |
| contacts:write | Create and update contacts |
Revoking Keys
If a key is compromised:
- Go to Settings → API Keys
- Find the compromised key
- Click Revoke
- Create a new key
- Update your applications
Revoked keys are immediately invalidated and cannot be restored.
Error Responses
| Status | Error | Description |
|---|---|---|
| 401 | unauthorized | Missing or invalid API key |
| 403 | forbidden | Key lacks required permissions |
| 429 | rate_limit_exceeded | Too many requests |
{
"error": {
"code": "unauthorized",
"message": "Invalid API key"
}
}
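The idempotency and error-handling rules above combined into one client-side send routine, as an added example that is not Zavu's SDK or code from this page. The endpoint, headers, `idempotencyKey` body field and the 401/403/409/429 statuses come from the page; the helper names `checkKey` and `sendOnce`, the backoff values and the decision to also retry 5xx responses are assumptions.

```javascript
// Added example, not Zavu's SDK. URL, headers, body field and status codes are
// from this page; helper names and the retry policy are assumptions.
const API_URL = 'https://api.zavu.dev/v1/messages';
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Fail closed at startup: the key must be present and well-formed, and a
// zv_live_ key must not be used outside production.
function checkKey(apiKey, env) {
  if (!/^zv_(live|test)_/.test(apiKey || '')) throw new Error('API key missing or malformed');
  if (apiKey.startsWith('zv_live_') && env !== 'production') {
    throw new Error('zv_live_ key used outside production');
  }
  return apiKey;
}

// Send a message at most once. The same idempotencyKey is reused on every
// attempt, so a retry after a lost response cannot produce a second send.
async function sendOnce(message, idempotencyKey, opts) {
  const { apiKey, fetchImpl = globalThis.fetch, maxAttempts = 4, baseDelayMs = 200 } = opts;
  const init = {
    method: 'POST',
    headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ ...message, idempotencyKey }),
  };
  let lastError;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    if (attempt > 1) await sleep(baseDelayMs * 2 ** (attempt - 2)); // exponential backoff
    let res;
    try {
      res = await fetchImpl(API_URL, init);
    } catch (err) {
      lastError = err; // outcome unknown (timeout, reset): retry with the same key
      continue;
    }
    if (res.ok) return { duplicate: false, attempts: attempt, data: await res.json() };
    // 409 = this key was already processed; the body carries the original message.
    if (res.status === 409) return { duplicate: true, attempts: attempt, data: await res.json() };
    if (res.status === 429 || res.status >= 500) {
      lastError = new Error(`retryable status ${res.status}`);
      continue;
    }
    // 401/403 and other client errors: retrying cannot help. Report the code, never the key.
    const detail = await res.json().catch(() => ({}));
    throw new Error(`request rejected: ${res.status} ${detail.error?.code ?? 'unknown'}`);
  }
  throw lastError;
}
```

Call `checkKey(process.env.ZAVU_API_KEY, process.env.NODE_ENV)` once at startup and pass the result as `opts.apiKey`; derive the idempotency key from the business event (for example the order ID and event name) rather than generating a random value per attempt.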