API keys are your passport to the ZBD platform. With a single key, you can send payments globally, create invoices, manage wallets, and build the future of digital payments.

Security First - API keys are server-side only and grant full access to your project’s wallet. Never expose them in client-side code, mobile apps, or public repositories.

Your First API Key

Navigate to your project’s API tab to view and manage your API keys.

ZBD Developer Dashboard | API Tab

What You Can Do With API Keys

  • Send Payments: Pay any Lightning Address or invoice instantly
  • Receive Payments: Generate invoices and process incoming payments
  • Manage Wallets: Check balances and transaction history
  • Create Vouchers: Issue redeemable payment links

Quick Start Example

Once you have your API key, you’re ready to send your first payment:

curl -X POST https://api.zebedee.io/v0/payments \
  -H "apikey: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": "1000",
    "description": "First payment!",
    "internalId": "test-001",
    "callbackUrl": "https://myapp.com/webhook"
  }'

Security Best Practices

🔐 Secure Storage

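# .env file (never commit this!)
ZBD_API_KEY=your_api_key_here

// Access in code (Node.js). process.env is only populated if the .env file
// is loaded first, e.g. with the dotenv package or `node --env-file=.env`.
const apiKey = process.env.ZBD_API_KEY;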

Best for: Local development and deployment platforms
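
A pre-commit style check for the storage rule above, as an added example that is not ZBD's code: it scans file contents for literal values next to the `apikey` header or `ZBD_API_KEY`, and checks that `.env` is listed in `.gitignore`. The function names, the 16-character length heuristic and the sample files are assumptions constructed for illustration.

```javascript
// Added example, not ZBD code: flag hard-coded ZBD API keys in a set of files.
// Assumption: the page gives no key format, so matching uses the names it shows
// (`apikey` header, ZBD_API_KEY) plus a minimum-length heuristic.
const PLACEHOLDERS = new Set(['YOUR_API_KEY', 'your_api_key_here']);
const MIN_SECRET_LEN = 16; // assumed heuristic; tune for your keys
const KEY_NAME = /(?:apikey|ZBD_API_KEY)["']?\s*[:=]\s*["'`]?([^\s"'`,;)}]+)/gi;

// Safe values: doc placeholders, environment references, short identifiers.
function isSafe(value) {
  return PLACEHOLDERS.has(value) ||
    /^(process\.env\.|\$\{?[A-Za-z_])/.test(value) ||
    value.length < MIN_SECRET_LEN;
}

const baseName = (path) => path.split('/').pop();

// files: { path: content }. Returns [{ path, line, issue }].
function scanFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    // .env is where the key belongs; it is covered by the .gitignore check below.
    if (['.env', '.gitignore'].includes(baseName(path))) continue;
    content.split('\n').forEach((text, i) => {
      for (const m of text.matchAll(KEY_NAME)) {
        if (!isSafe(m[1])) findings.push({ path, line: i + 1, issue: 'hard-coded key' });
      }
    });
  }
  const hasEnv = Object.keys(files).some((p) => baseName(p) === '.env');
  const ignoreRules = (files['.gitignore'] || '').split('\n').map((l) => l.trim());
  if (hasEnv && !ignoreRules.some((r) => ['.env', '/.env', '.env*'].includes(r))) {
    findings.push({ path: '.env', line: 0, issue: '.env not listed in .gitignore' });
  }
  return findings;
}

// Constructed sample repository; the key value is made up.
const FAKE_KEY = 'constructed-sample-key-0000000000';
const SAMPLE_FILES = {
  '.env': `ZBD_API_KEY=${FAKE_KEY}`,
  '.gitignore': 'node_modules\n',
  'server.js': 'const apiKey = process.env.ZBD_API_KEY;\nconst headers = { apikey: apiKey };',
  'deploy.sh': 'curl https://api.zebedee.io/v0/wallet -H "apikey: $ZBD_API_KEY"',
  'public/app.js': `fetch(url, { headers: { apikey: "${FAKE_KEY}" } });`,
};

for (const f of scanFiles(SAMPLE_FILES)) console.log(`${f.path}:${f.line} ${f.issue}`);
```

On the sample it reports the literal key in `public/app.js` and the unignored `.env`, while the environment references in `server.js` and `deploy.sh` pass.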

🛡️ IP Allowlisting

Restrict API access to specific IP addresses for maximum security:

ZBD Developer Dashboard | Allowed IPs

How to Configure:

  1. Navigate to your project’s API tab
  2. Click “API Access Controls”
  3. Add your server’s IP addresses
  4. Save changes

Dynamic IPs? If your infrastructure uses dynamic IPs (like serverless functions), consider using a proxy service with static IPs or contact our team for alternative security options.

Key Rotation & Regeneration

Regular key rotation is a security best practice. Here’s when and how to do it:

When to Rotate Keys

  • Scheduled: Every 90 days as a best practice
  • 🚨 Immediately if:
    • Key exposed in client code
    • Committed to version control
    • Employee with access leaves
    • Suspicious activity detected

How to Regenerate

ZBD Developer Dashboard | Regenerate API Key

Important: Regenerating creates a new key and immediately disables the old one. Update your applications before regenerating to avoid downtime.

Zero-Downtime Rotation Strategy

  1. Plan the Rotation: Schedule during low-traffic period
  2. Update Staging First: Test new key in staging environment
  3. Deploy to Production: Update production with new key
  4. Regenerate Key: Once deployed, regenerate in dashboard
  5. Monitor: Watch logs for any failed authentications

API Key Permissions (Coming Soon)

Scoped Permissions - Soon you’ll be able to create keys with limited permissions:

  • Read-only keys for analytics
  • Payment-only keys for point-of-sale
  • Receive-only keys for donation pages

Testing Your API Key

Use this simple test to verify your key is working:

curl https://api.zebedee.io/v0/wallet \
  -H "apikey: YOUR_API_KEY"

Ready to Build?

You now have everything needed to start integrating ZBD payments into your application.