Introduction
API keys are used to authenticate all requests to the Zepl API. Each key has a permission level that controls what operations it can perform. Keys are scoped to a workspace and can be created, listed, and deleted through the API.
Initial Setup Key
When a workspace is created, an initial setup key with ADMIN permission is provided. This key expires after 24 hours and should be used to create longer-lived API keys for your application.
Permission Levels
Each API key has one of three permission levels:
| Permission | Description |
|---|---|
| ADMIN | Full access: can manage API keys, tenants, integration accounts, and all other resources |
| WRITE | Read and write access: can create and update resources but cannot manage API keys or tenants |
| READ | Read-only access: can only retrieve data |
Permissions are hierarchical: ADMIN includes all WRITE capabilities, and WRITE includes all READ capabilities.
Creating an API Key
Requires ADMIN permission.
{
  "name": "Production Key",
  "permission": "WRITE",
  "description": "Key for the production booking engine",
  "expiresAt": "2026-01-01T00:00:00.000Z"
}
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Unique name for the key within the workspace |
| permission | enum | Yes | One of ADMIN, WRITE, READ |
| description | string | No | Description of the key’s purpose |
| expiresAt | Date | No | Expiration date (defaults to 180 days from now) |
The response contains the API key string and its expiration date:
{
  "key": "zepl.key-id.random-component.workspace-component",
  "expiresAt": "2026-01-01T00:00:00.000Z"
}
The full API key is only returned once at creation time. Store it securely — it cannot be retrieved later.
Listing API Keys
Requires READ permission.
Returns all API keys for the workspace with their metadata (but not the key strings):
[
  {
    "id": "key-uuid",
    "name": "Production Key",
    "description": "Key for the production booking engine",
    "permission": "WRITE",
    "expiresAt": "2026-01-01T00:00:00.000Z",
    "createdAt": "2025-06-01T00:00:00.000Z",
    "createdBy": "API_KEY"
  }
]
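Because the list response carries `permission`, `createdAt` and `expiresAt` for every key, it can drive a periodic key audit. The following is an added example, not code from the Zepl documentation: it flags expired keys, keys nearing expiry, and long-lived ADMIN keys. The thresholds (`warn_days`, `max_admin_days`), the finding labels, and the sample keys are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hierarchy stated on this page: ADMIN includes WRITE, WRITE includes READ.
RANK = {"READ": 1, "WRITE": 2, "ADMIN": 3}


def parse_ts(value):
    """Parse the UTC timestamps in the form shown in the list response."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def allows(granted, required):
    """True if a key with `granted` permission covers a `required`-level operation."""
    return RANK[granted] >= RANK[required]


def audit_keys(keys, now, warn_days=30, max_admin_days=90):
    """Return sorted (key name, finding) pairs; thresholds are assumed policy values."""
    findings = []
    for k in keys:
        expires, created = parse_ts(k["expiresAt"]), parse_ts(k["createdAt"])
        if expires <= now:
            findings.append((k["name"], "EXPIRED"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((k["name"], "EXPIRING_SOON"))
        if k["permission"] not in RANK:
            findings.append((k["name"], "UNKNOWN_PERMISSION"))
        elif allows(k["permission"], "ADMIN") and expires - created > timedelta(days=max_admin_days):
            findings.append((k["name"], "LONG_LIVED_ADMIN"))
    return sorted(findings)


# Constructed sample data in the shape of the list response; not real keys.
NOW = datetime(2025, 12, 15, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"id": "key-uuid-1", "name": "Production Key", "permission": "WRITE",
     "expiresAt": "2026-01-01T00:00:00.000Z", "createdAt": "2025-06-01T00:00:00.000Z",
     "createdBy": "API_KEY"},
    {"id": "key-uuid-2", "name": "Ops Admin", "permission": "ADMIN",
     "expiresAt": "2026-02-28T00:00:00.000Z", "createdAt": "2025-09-01T00:00:00.000Z",
     "createdBy": "API_KEY"},
    {"id": "key-uuid-3", "name": "Reporting", "permission": "READ",
     "expiresAt": "2025-06-30T00:00:00.000Z", "createdAt": "2025-01-01T00:00:00.000Z",
     "createdBy": "API_KEY"},
]

if __name__ == "__main__":
    for name, finding in audit_keys(SAMPLE_KEYS, NOW):
        print(f"{finding:18} {name}")
```

Listing only needs READ permission, so the audit job itself can run with the lowest-privilege key.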
Deleting an API Key
Requires ADMIN permission.
DELETE /api/v1/api-key/{keyId}
You cannot delete the API key that you are currently using to make the request.
API keys follow the format: zepl.{keyID}.{random}.{workspace}
The zepl prefix identifies it as a Zepl API key. The key is hashed before storage — Zepl does not store plaintext keys.
API Reference
For detailed API documentation, refer to the following endpoints: