Authorization header. There are no sessions or cookies — each request is independently authenticated, making it safe and straightforward to use the API from any server-side environment.
Generate an API Key
Create a dedicated API key for each application or environment that needs access to the Zexa API. This makes it easy to revoke access for a single integration without affecting others.
Log in to your dashboard
Go to https://app.zexa.ao and sign in to your account.
Name and generate the key
Enter a descriptive name for the key — for example, Production or Staging Backend — then click Generate.
Pass Your API Key
Include your API key in the Authorization header of every request using the Bearer scheme:
Check Your Credit Balance
Use GET /credits to verify that your API key is valid and to retrieve your current credit balance:
The number of message credits remaining on your account.
The currency in which credits are denominated (e.g. USD).
Key Security Best Practices
Treat your API keys with the same care as passwords. A leaked key gives anyone full access to your Zexa account, including the ability to send messages and incur charges.
- Use environment variables — store keys in environment variables like ZEXA_API_KEY rather than hardcoding them in your source files
- Separate keys per environment — use different keys for development, staging, and production so a leaked dev key cannot affect production
- Revoke unused keys — delete keys for integrations you no longer use to reduce your attack surface
- Rotate keys periodically — generate new keys on a schedule (e.g. quarterly) and update your applications accordingly
Revoke a Key
To revoke an API key:
- Go to Settings → API Keys in your dashboard
- Find the key you want to revoke
- Click Revoke next to the key name and confirm the action
401 Unauthorized response. Make sure to replace the key in all your applications before revoking it to avoid service interruption.
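The following is an added example, not Zexa's own code. It reads the key from ZEXA_API_KEY, sends it as a Bearer token to GET /credits, and treats 401 Unauthorized as an invalid or revoked key, which makes it a usable check on a replacement key before the old one is revoked. The base URL and the ZEXA_API_BASE variable are placeholder assumptions (this page does not give the API host), and the function names are hypothetical.

```python
import io
import os
import urllib.error
import urllib.request

# Assumption: placeholder host and hypothetical ZEXA_API_BASE override;
# this page does not state the API base URL.
BASE_URL = os.environ.get("ZEXA_API_BASE", "https://api.example.invalid")


def load_key(env=os.environ, name="ZEXA_API_KEY"):
    """Read the key from the environment and fail closed if it is absent."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set")
    return key


def credits_request(key, base_url=BASE_URL):
    """Build GET /credits carrying the key in the Bearer scheme."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    req = urllib.request.Request(base_url.rstrip("/") + "/credits", method="GET")
    req.add_header("Authorization", f"Bearer {key}")
    return req


def key_is_valid(key, base_url=BASE_URL, opener=urllib.request.urlopen):
    """True on HTTP 200, False on 401 Unauthorized; other errors propagate."""
    try:
        with opener(credits_request(key, base_url), timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            return False
        raise


if __name__ == "__main__":
    # Constructed offline demo: a stub opener that answers 401 for every key,
    # standing in for the API's response to a revoked key.
    def revoked(req, timeout=None):
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, io.BytesIO())

    print(key_is_valid("constructed-sample-key", opener=revoked))  # False
```

With the base URL set to the real API host, running key_is_valid(load_key()) in each application after deploying a replacement key confirms the new key is accepted before the old one is revoked.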
