> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zbdpay.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Generate and secure your keys to unlock Lightning-fast payments

API keys are your passport to the ZBD platform. With a single key, you can send payments globally, create invoices, manage wallets, and build the future of digital payments.

<Warning>
  **Security First** - API keys are server-side only and grant full access to your project's wallet. Never expose them in client-side code, mobile apps, or public repositories.
</Warning>

## Your First API Key

Navigate to your project's **API** tab to view and manage your API keys.

<Frame caption="ZBD Developer Dashboard | API Tab">
  <img src="https://mintcdn.com/zbd/NzvYJh9FFidtNwO3/img/v3/api-key.png?fit=max&auto=format&n=NzvYJh9FFidtNwO3&q=85&s=229a5364034b2f34f9e013f24d6553a7" alt="ZBD Developer Dashboard | API Tab" width="1538" height="1056" data-path="img/v3/api-key.png" />
</Frame>

### What You Can Do With API Keys

<CardGroup cols={2}>
  <Card title="Send Payments" icon="paper-plane">
    Pay any Lightning Address or invoice instantly
  </Card>

  <Card title="Receive Payments" icon="inbox">
    Generate invoices and process incoming payments
  </Card>

  <Card title="Manage Wallets" icon="wallet">
    Check balances and transaction history
  </Card>

  <Card title="Create Vouchers" icon="ticket">
    Issue redeemable payment links
  </Card>
</CardGroup>

## Quick Start Example

Once you have your API key, you're ready to send your first payment:

<CodeGroup>
  ```bash cURL theme={null}
  curl -X POST https://api.zbdpay.com/v0/payments \
    -H "apikey: YOUR_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
      "amount": "1000",
      "description": "First payment!",
      "internalId": "test-001",
      "callbackUrl": "https://myapp.com/webhook"
    }'
  ```

  ```javascript Node.js theme={null}
  const payment = await fetch('https://api.zbdpay.com/v0/payments', {
    method: 'POST',
    headers: {
      'apikey': process.env.ZBD_API_KEY,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      amount: '1000',
      description: 'First payment!',
      internalId: 'test-001'
    })
  });
  ```
</CodeGroup>

## Security Best Practices

### 🔐 Secure Storage

<Tabs>
  <Tab title="Environment Variables">
    ```bash theme={null}
    # .env file (never commit this!)
    ZBD_API_KEY=your_api_key_here

    # Access in code
    const apiKey = process.env.ZBD_API_KEY;
    ```

    **Best for**: Local development and deployment platforms
  </Tab>

  <Tab title="Secret Management">
    Use dedicated secret management services:

    * **AWS Secrets Manager**
    * **Google Secret Manager**
    * **HashiCorp Vault**
    * **Azure Key Vault**

    **Best for**: Production environments
  </Tab>

  <Tab title="CI/CD">
    Configure secrets in your deployment pipeline:

    * **GitHub Actions**: Repository secrets
    * **Vercel**: Environment variables
    * **Heroku**: Config vars
    * **Docker**: Build secrets

    **Best for**: Automated deployments
  </Tab>
</Tabs>

### 🛡️ IP Allowlisting

Restrict API access to specific IP addresses for maximum security:

<Frame caption="ZBD Developer Dashboard | Allowed IPs">
  <img src="https://mintcdn.com/zbd/NzvYJh9FFidtNwO3/img/v3/api-key-3.png?fit=max&auto=format&n=NzvYJh9FFidtNwO3&q=85&s=402eab8e2c24377f971d5c30f7c8e33e" alt="ZBD Developer Dashboard | Allowed IPs" width="1538" height="1056" data-path="img/v3/api-key-3.png" />
</Frame>

**How to Configure:**

1. Navigate to your project's API tab
2. Click "API Access Controls"
3. Add your server's IP addresses
4. Save changes

<Info>
  **Dynamic IPs?** If your infrastructure uses dynamic IPs (like serverless functions), consider using a proxy service with static IPs or contact our team for alternative security options.
</Info>

## Key Rotation & Regeneration

Regular key rotation is a security best practice. Here's when and how to do it:

### When to Rotate Keys

* ⏰ **Scheduled**: Every 90 days as a best practice
* 🚨 **Immediately if**:
  * Key exposed in client code
  * Committed to version control
  * Employee with access leaves
  * Suspicious activity detected

### How to Regenerate

<Frame caption="ZBD Developer Dashboard | Regenerate API Key">
  <img src="https://mintcdn.com/zbd/NzvYJh9FFidtNwO3/img/v3/api-key-2.png?fit=max&auto=format&n=NzvYJh9FFidtNwO3&q=85&s=9c2ca55ba40de8426e43401164cd08ff" alt="ZBD Developer Dashboard | Regenerate API Key" width="1538" height="1056" data-path="img/v3/api-key-2.png" />
</Frame>

<Warning>
  **Important**: Regenerating creates a new key and immediately disables the old one. Update your applications before regenerating to avoid downtime.
</Warning>

### Zero-Downtime Rotation Strategy

<Steps>
  <Step title="Plan the Rotation">
    Schedule during low-traffic period
  </Step>

  <Step title="Update Staging First">
    Test new key in staging environment
  </Step>

  <Step title="Deploy to Production">
    Update production with new key
  </Step>

  <Step title="Regenerate Key">
    Once deployed, regenerate in dashboard
  </Step>

  <Step title="Monitor">
    Watch logs for any failed authentications
  </Step>
</Steps>

## API Key Permissions (Coming Soon)

<Info>
  **Scoped Permissions** - Soon you'll be able to create keys with limited permissions:

  * Read-only keys for analytics
  * Payment-only keys for point-of-sale
  * Receive-only keys for donation pages
</Info>

## Testing Your API Key

Use this simple test to verify your key is working:

<CodeGroup>
  ```bash cURL theme={null}
  curl https://api.zbdpay.com/v0/wallet \
    -H "apikey: YOUR_API_KEY"
  ```

  ```javascript Node.js theme={null}
  // Quick test script
  const testApiKey = async () => {
    const response = await fetch('https://api.zbdpay.com/v0/wallet', {
      headers: { 'apikey': process.env.ZBD_API_KEY }
    });
    
    if (response.ok) {
      console.log('✅ API key is valid!');
      const wallet = await response.json();
      console.log('Balance:', wallet.data.balance, 'sats');
    } else {
      console.error('❌ API key test failed:', response.status);
    }
  };

  testApiKey();
  ```
</CodeGroup>

## Ready to Build?

You now have everything needed to start integrating ZBD payments into your application.

<CardGroup cols={2}>
  <Card title="Send First Payment" icon="rocket" href="/payments/sdk/typescript">
    Use our SDKs to send your first Lightning payment
  </Card>

  <Card title="API Reference" icon="code" href="/payments/api">
    Explore all available endpoints
  </Card>
</CardGroup>