Skip to main content

API Keys

All API requests require authentication using a Bearer token in the Authorization header.

Key Types

Test keys (zv_test_) simulate message sending but don’t actually deliver messages. Use them for development and testing.

Creating API Keys

  1. Log in to your Zavu Dashboard
  2. Navigate to SettingsAPI Keys
  3. Click Create API Key
  4. Give it a descriptive name (e.g., “Production Server”, “Development”)
  5. Copy and securely store the key
API keys are only shown once at creation. If you lose a key, you’ll need to create a new one.

Using API Keys

In HTTP Requests

Include the key in the Authorization header:

In SDKs

Optional Headers

Zavu-Sender Header

Override the default sender for a specific request:

Idempotency Keys

Prevent duplicate message sends due to network retries:
If you retry this request with the same idempotencyKey, you’ll receive a 409 Conflict with the original message instead of sending a duplicate.

Security Best Practices

Never expose your API keys in client-side code, public repositories, or browser applications.

Do’s

  • Store keys in environment variables
  • Use different keys for development and production
  • Rotate keys periodically (every 90 days recommended)
  • Use the minimum permissions needed
  • Monitor key usage in your dashboard

Don’ts

  • Don’t commit keys to version control
  • Don’t share keys via email or chat
  • Don’t use production keys in development
  • Don’t embed keys in mobile apps or frontends

Frontend Integration

The Zavu API uses secret API keys that must never be exposed in client-side code. If you include your key in a browser app, anyone can open DevTools and steal it. Instead, use the Backend-for-Frontend (BFF) pattern: your frontend calls your own server endpoint, and your server calls the Zavu API.

Server-side proxy examples

Frontend example

React
Add your own authentication and validation to the proxy endpoint. The examples above are simplified for clarity.

Key Permissions

API keys can be scoped to specific permissions:

Revoking Keys

If a key is compromised:
  1. Go to SettingsAPI Keys
  2. Find the compromised key
  3. Click Revoke
  4. Create a new key
  5. Update your applications
Revoked keys are immediately invalidated and cannot be restored.

Error Responses