API keys are your passport to the ZBD platform. With a single key, you can send payments globally, create invoices, manage wallets, and build the future of digital payments.
Security First - API keys are server-side only and grant full access to your project’s wallet. Never expose them in client-side code, mobile apps, or public repositories.
Your First API Key
Navigate to your project’s API tab to view and manage your API keys.
What You Can Do With API Keys
Send Payments: Pay any Lightning Address or invoice instantly
Receive Payments: Generate invoices and process incoming payments
Manage Wallets: Check balances and transaction history
Create Vouchers: Issue redeemable payment links
Quick Start Example
Once you have your API key, you’re ready to send your first payment:
curl -X POST https://api.zbdpay.com/v0/payments \
  -H "apikey: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": "1000",
    "description": "First payment!",
    "internalId": "test-001",
    "callbackUrl": "https://myapp.com/webhook"
  }'
Security Best Practices
🔐 Secure Storage
Environment Variables
# .env file (never commit this!)
ZBD_API_KEY=your_api_key_here
// Access in code
const apiKey = process.env.ZBD_API_KEY;
Best for: Local development and deployment platforms
Secret Management
Use dedicated secret management services:
AWS Secrets Manager
Google Secret Manager
HashiCorp Vault
Azure Key Vault
Best for: Production environments
CI/CD
Configure secrets in your deployment pipeline:
GitHub Actions: Repository secrets
Vercel: Environment variables
Heroku: Config vars
Docker: Build secrets
Best for: Automated deployments
🛡️ IP Allowlisting
Restrict API access to specific IP addresses for maximum security:
How to Configure:
1. Navigate to your project’s API tab
2. Click “API Access Controls”
3. Add your server’s IP addresses
4. Save changes
Dynamic IPs? If your infrastructure uses dynamic IPs (like serverless functions), consider using a proxy service with static IPs or contact our team for alternative security options.
Key Rotation & Regeneration
Regular key rotation is a security best practice. Here’s when and how to do it:
When to Rotate Keys
⏰ Scheduled: Every 90 days as a best practice
🚨 Immediately if:
Key exposed in client code
Committed to version control
Employee with access leaves
Suspicious activity detected
How to Regenerate
Important: Regenerating creates a new key and immediately disables the old one. Update your applications before regenerating to avoid downtime.
Zero-Downtime Rotation Strategy
1. Plan the Rotation: Schedule during low-traffic period
2. Update Staging First: Test new key in staging environment
3. Deploy to Production: Update production with new key
4. Regenerate Key: Once deployed, regenerate in dashboard
5. Monitor: Watch logs for any failed authentications
API Key Permissions (Coming Soon)
Scoped Permissions - Soon you’ll be able to create keys with limited permissions:
Read-only keys for analytics
Payment-only keys for point-of-sale
Receive-only keys for donation pages
Testing Your API Key
Use this simple test to verify your key is working:
curl https://api.zbdpay.com/v0/wallet \
  -H "apikey: YOUR_API_KEY"
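A server-side version of the same check, as an added example that is not ZBD's own code: it reads the key from `ZBD_API_KEY`, calls the wallet endpoint shown above, and returns a log-safe result you can watch after a rotation. The helper names and the treatment of HTTP 401/403 as a rejected key are assumptions.

```javascript
// Added example (not ZBD code). The endpoint and "apikey" header come from the page;
// helper names and the 401/403 mapping are assumptions.
const WALLET_URL = "https://api.zbdpay.com/v0/wallet";

// Read the key from the environment and fail fast on a missing or placeholder value.
function loadApiKey(env = process.env) {
  const key = (env.ZBD_API_KEY || "").trim();
  if (!key || key === "your_api_key_here" || key === "YOUR_API_KEY") {
    throw new Error("ZBD_API_KEY is not set on this server");
  }
  return key;
}

// Log-safe form of a key: enough to tell old from new during rotation, never the secret.
function redact(key) {
  return key.length > 8 ? `${key.slice(0, 4)}****` : "****";
}

// Map an HTTP status to a monitoring outcome (assumed: 401/403 means a rejected key).
function classify(status) {
  if (status >= 200 && status < 300) return "ok";
  if (status === 401 || status === 403) return "auth_failed";
  return "error";
}

// Call the wallet endpoint from server-side code; the result never contains the full key.
async function verifyKey(fetchImpl = fetch, env = process.env) {
  const key = loadApiKey(env);
  const res = await fetchImpl(WALLET_URL, { headers: { apikey: key } });
  return { outcome: classify(res.status), status: res.status, key: redact(key) };
}
```

Run `verifyKey()` from the backend after each deploy and alert on `auth_failed`; the second parameter lets you pass a staging environment object before touching production.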
Ready to Build?
You now have everything needed to start integrating ZBD payments into your application.