Authentication

Passing your key

Either header works:

http
Authorization: Bearer zm_live_aB12C3...
# or
X-Api-Key: zm_live_aB12C3...

Prefer Authorization: Bearer — it works with proxies, OpenAPI generators, and most HTTP-client middleware out of the box.

Who can mint a key

| Plan | Mint keys |
|---|---|
| Free | no |
| Pro | yes |
| Enterprise | yes |

All keys are prefixed zm_live_.

Key cap

You can hold two active keys at once — enough for zero-downtime rotation: mint the new key, deploy, then revoke the old one. A third active key returns 409 key_limit_reached.

Rotation

  1. Create a second key in Profile → API keys.
  2. Deploy it. Both keys are valid in parallel.
  3. Watch lastUsedAt on the old key. Once stale, revoke it.

Storage

Plaintext is never stored. Each key is hashed with a per-key salt using SHA-256; only the hash and the public prefix live in the database. The plaintext is shown exactly once, at creation.
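The storage scheme above, together with the two-key cap, as an added Python example; it is not the service's own code. The `KeyStore` and `KeyLimitReached` names, the in-memory list standing in for the database, the 14-character public prefix, the 16-byte salt and the salt-then-key hashing order are all assumptions.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "zm_live_"     # from the page
MAX_ACTIVE_KEYS = 2         # from the page
PUBLIC_PREFIX_LEN = 14      # assumption: leading characters kept as the public prefix
SALT_BYTES = 16             # assumption


class KeyLimitReached(Exception):
    """Hypothetical exception; corresponds to 409 key_limit_reached."""


class KeyStore:
    """In-memory stand-in for the key table (hypothetical schema)."""

    def __init__(self):
        self.rows = []

    @staticmethod
    def _digest(salt, plaintext):
        # A fast salted hash is acceptable only because the key is 256 bits
        # of random data, not a human-chosen password.
        return hashlib.sha256(salt + plaintext.encode()).digest()

    def mint(self, user):
        active = sum(1 for r in self.rows if r["user"] == user and not r["revoked"])
        if active >= MAX_ACTIVE_KEYS:
            raise KeyLimitReached("key_limit_reached")
        plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
        salt = secrets.token_bytes(SALT_BYTES)
        self.rows.append({"user": user, "prefix": plaintext[:PUBLIC_PREFIX_LEN],
                          "salt": salt, "hash": self._digest(salt, plaintext),
                          "revoked": False})
        return plaintext  # returned once to the caller; never written to a row

    def verify(self, presented):
        """Return the owning user, or None (the 401 invalid_api_key case)."""
        for row in self.rows:
            if row["revoked"] or row["prefix"] != presented[:PUBLIC_PREFIX_LEN]:
                continue  # the public prefix narrows the lookup before hashing
            if hmac.compare_digest(self._digest(row["salt"], presented), row["hash"]):
                return row["user"]
        return None

    def revoke(self, user, prefix):
        for row in self.rows:
            if row["user"] == user and row["prefix"] == prefix:
                row["revoked"] = True
```

The digest comparison uses `hmac.compare_digest` so that the check runs in constant time regardless of where the bytes first differ.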

Errors

| Status | error.code | Cause |
|---|---|---|
| 401 | invalid_api_key | Missing, malformed, or revoked. |
| 403 | plan_forbidden | Plan lacks API access or a specific endpoint feature (e.g. hourly-data). |
| 409 | key_limit_reached | Tried to mint a third active key. |
| 429 | quota_exceeded | Monthly hard cap hit. |

See Errors for the full envelope.

CORS

All data endpoints respond with Access-Control-Allow-Origin: * and Allow-Credentials: false. The bearer key is the auth boundary; origin restrictions add no meaningful protection and would break notebook and AI-agent clients.