API Keys
All API requests require authentication using a Bearer token in the Authorization header.Key Types
Creating API Keys
- Log in to your Zavu Dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Give it a descriptive name (e.g., “Production Server”, “Development”)
- Copy and securely store the key
API keys are only shown once at creation. If you lose a key, you’ll need to create a new one.
Using API Keys
In HTTP Requests
Include the key in theAuthorization header:
In SDKs
Optional Headers
Zavu-Sender Header
Override the default sender for a specific request:Idempotency Keys
Prevent duplicate message sends due to network retries:idempotencyKey, you’ll receive a 409 Conflict with the original message instead of sending a duplicate.
Security Best Practices
Do’s
- Store keys in environment variables
- Use different keys for development and production
- Rotate keys periodically (every 90 days recommended)
- Use the minimum permissions needed
- Monitor key usage in your dashboard
Don’ts
- Don’t commit keys to version control
- Don’t share keys via email or chat
- Don’t use production keys in development
- Don’t embed keys in mobile apps or frontends
Frontend Integration
The Zavu API uses secret API keys that must never be exposed in client-side code. If you include your key in a browser app, anyone can open DevTools and steal it. Instead, use the Backend-for-Frontend (BFF) pattern: your frontend calls your own server endpoint, and your server calls the Zavu API.Server-side proxy examples
Frontend example
React
Add your own authentication and validation to the proxy endpoint. The examples above are simplified for clarity.
Key Permissions
API keys can be scoped to specific permissions:Revoking Keys
If a key is compromised:- Go to Settings → API Keys
- Find the compromised key
- Click Revoke
- Create a new key
- Update your applications
