Every request to the Zexa REST API must be authenticated. Zexa uses API keys passed as Bearer tokens in the Authorization header. There are no sessions or cookies — each request is independently authenticated, making it safe and straightforward to use the API from any server-side environment.

Generate an API Key

Create a dedicated API key for each application or environment that needs access to the Zexa API. This makes it easy to revoke access for a single integration without affecting others.
  1. Log in to your dashboard. Go to https://app.zexa.ao and sign in to your account.
  2. Open API Keys settings. Navigate to Settings → API Keys from the left sidebar.
  3. Create a new key. Click New API Key in the top-right corner of the page.
  4. Name and generate the key. Enter a descriptive name for the key — for example, Production or Staging Backend — then click Generate.
  5. Copy the key immediately. Your new API key is displayed only once. Copy it now and store it somewhere secure, such as a password manager or secrets vault. You will not be able to view it again after closing the dialog.

Pass Your API Key

Include your API key in the Authorization header of every request using the Bearer scheme:
Authorization: Bearer YOUR_API_KEY
curl https://api.zexa.ao/v1/credits \
  -H "Authorization: Bearer YOUR_API_KEY"

Check Your Credit Balance

Use GET /credits to verify that your API key is valid and to retrieve your current credit balance:
GET https://api.zexa.ao/v1/credits
A successful response returns your current balance:
{
  "credits": 4250,
  "currency": "USD"
}
  • credits (integer): The number of message credits remaining on your account.
  • currency (string): The currency in which credits are denominated (e.g. USD).
For a full breakdown of your credit usage and purchase history, visit the Credits page in your dashboard.

Key Security Best Practices

Treat your API keys with the same care as passwords. A leaked key gives anyone full access to your Zexa account, including the ability to send messages and incur charges.
  • Use environment variables — store keys in environment variables like ZEXA_API_KEY rather than hardcoding them in your source files
  • Separate keys per environment — use different keys for development, staging, and production so a leaked dev key cannot affect production
  • Revoke unused keys — delete keys for integrations you no longer use to reduce your attack surface
  • Rotate keys periodically — generate new keys on a schedule (e.g. quarterly) and update your applications accordingly
Never commit API keys to version control or share them in public channels such as GitHub, Slack, or support tickets. If a key is accidentally exposed, revoke it immediately and generate a replacement.
Use environment variables to inject keys at runtime. For example, in Python: api_key = os.environ["ZEXA_API_KEY"]. Most deployment platforms (Railway, Render, AWS, etc.) have a built-in secrets management interface for setting environment variables securely.

Revoke a Key

To revoke an API key:
  1. Go to Settings → API Keys in your dashboard
  2. Find the key you want to revoke
  3. Click Revoke next to the key name and confirm the action
Revocation is immediate — any request using the revoked key will receive a 401 Unauthorized response. Make sure to replace the key in all your applications before revoking it to avoid service interruption.
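A check to run with the replacement key before revoking the old one, added here as an example and not Zexa's own code: it reads the key from ZEXA_API_KEY, calls GET /credits with the Bearer header, and treats a 401 as a rejected key. The function names, the 10-second timeout and the redaction format are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

CREDITS_URL = "https://api.zexa.ao/v1/credits"  # endpoint documented on this page


def load_key(env=os.environ, name="ZEXA_API_KEY"):
    """Read the key from the environment; fail closed if it is missing."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set")
    return key


def build_request(key):
    """GET /credits with the key in the Authorization header (Bearer scheme)."""
    return urllib.request.Request(
        CREDITS_URL, headers={"Authorization": f"Bearer {key}"}, method="GET"
    )


def check_key(key, opener=urllib.request.urlopen):
    """Return ("valid", credits), ("rejected", None) on 401, or ("error", http_status)."""
    try:
        with opener(build_request(key), timeout=10) as resp:  # timeout is an assumption
            body = json.loads(resp.read().decode("utf-8"))
            return "valid", body["credits"]
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            return "rejected", None
        return "error", exc.code


def redact(key):
    """Form that is safe to log: at most the last four characters of the key."""
    return "****" + key[-4:] if len(key) > 8 else "****"


if __name__ == "__main__":
    key = load_key()
    status, detail = check_key(key)
    print(f"key {redact(key)}: {status}", detail if detail is not None else "")
```

Revoke the old key only once this reports `valid` for the new key in every environment that uses it.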

Authentication Errors