x-api-key header.
Key format
Keys follow the pattern `z2_{scope}_{type}_{random}` (256 bits of entropy):
| Part | Values | Meaning |
|---|---|---|
| Scope | psp, chk, stl, af | Product (PSP, Checkout, Settle, Anti-fraud). |
| Type | sk (secret), pk (publishable) | Access level. |
Secret (sk) vs. Publishable (pk)
Secret key (sk)
Full access (create, read, update, refund). Backend only.
Publishable key (pk)
Restricted to public-facing operations (e.g., tokenization in the frontend). Safe to expose in the browser.
How to get your key
- Go to the Z2Pay Dashboard.
- For test keys, switch to the sandbox environment and generate credentials there.
- For production keys, generate them in the production environment.
- Copy the key at creation time — for security reasons, it is displayed only once (afterwards it is masked, e.g., `z2_psp_sk_KxY8…3pQ1`).
Sandbox and production keys share the same format, but are generated in separate environments and are not interchangeable. A sandbox key only works against `*.sandbox.z2pay.com`.
Authentication responses
| Situation | Status | Response |
|---|---|---|
| x-api-key header missing or invalid | 401 | { "error": { "code": "UNAUTHORIZED", ... } } |
| Valid key, but insufficient permission for the operation | 403 | { "error": { "code": "FORBIDDEN", ... } } |
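The key format, the sk/pk access split and the 401/403 outcomes above can be tied together in a small server-side check. The following is an added example written for this page, not Z2Pay's own code: it parses keys with the documented `z2_{scope}_{type}_{random}` pattern, stores only a hash of each active key, and maps a request to the documented status codes. The random part's alphabet and minimum length (43 base62 characters, roughly 256 bits), the operation names (`create`, `read`, `update`, `refund`, `tokenize`) and the `message` fields are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Key format from the page: z2_{scope}_{type}_{random}. Scope and type values come
# from the key-format table; the random part's alphabet and minimum length
# (43 base62 chars ~ 256 bits of entropy) are assumptions made for this example.
KEY_RE = re.compile(
    r"^z2_(?P<scope>psp|chk|stl|af)_(?P<type>sk|pk)_(?P<random>[A-Za-z0-9]{43,})$"
)

# Operation names are assumptions; the page lists capabilities, not endpoint names.
SECRET_ONLY_OPERATIONS = {"create", "read", "update", "refund"}
PUBLISHABLE_OPERATIONS = {"tokenize"}  # public-facing, allowed for pk


@dataclass(frozen=True)
class ParsedKey:
    scope: str
    type: str
    random: str


def parse_key(value: str | None) -> ParsedKey | None:
    """Return the key's parts if it matches the documented pattern, else None."""
    m = KEY_RE.match(value or "")
    return ParsedKey(m["scope"], m["type"], m["random"]) if m else None


def generate_key(scope: str, key_type: str) -> str:
    """Constructed sample-key generator (not Z2Pay's): 43 base62 chars from a CSPRNG."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    rnd = "".join(secrets.choice(alphabet) for _ in range(43))
    return f"z2_{scope}_{key_type}_{rnd}"


def fingerprint(key: str) -> str:
    """Persist only a hash of the key, so a leaked key table does not expose usable keys."""
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Active keys by fingerprint; revocation simply drops the entry."""

    def __init__(self) -> None:
        self._active: dict[str, ParsedKey] = {}

    def register(self, key: str) -> None:
        parsed = parse_key(key)
        if parsed is None:
            raise ValueError("malformed key")
        self._active[fingerprint(key)] = parsed

    def revoke(self, key: str) -> None:
        self._active.pop(fingerprint(key), None)

    def lookup(self, key: str) -> ParsedKey | None:
        fp = fingerprint(key)
        for stored_fp, parsed in self._active.items():
            if hmac.compare_digest(stored_fp, fp):  # constant-time comparison
                return parsed
        return None


def authenticate(headers: dict[str, str], operation: str, store: KeyStore) -> tuple[int, dict]:
    """Map a request to the page's outcomes: 401 UNAUTHORIZED, 403 FORBIDDEN, or success."""
    # HTTP header names are case-insensitive; normalise before looking for x-api-key.
    key = next((v for k, v in headers.items() if k.lower() == "x-api-key"), None)
    parsed = store.lookup(key) if parse_key(key) else None  # malformed keys never reach the store
    if parsed is None:
        return 401, {"error": {"code": "UNAUTHORIZED", "message": "x-api-key header missing or invalid"}}
    if parsed.type == "pk" and operation not in PUBLISHABLE_OPERATIONS:
        return 403, {"error": {"code": "FORBIDDEN", "message": f"publishable key cannot perform '{operation}'"}}
    return 200, {"scope": parsed.scope, "operation": operation}


if __name__ == "__main__":
    store = KeyStore()
    sk, pk = generate_key("psp", "sk"), generate_key("psp", "pk")  # constructed sample keys
    store.register(sk)
    store.register(pk)
    print(authenticate({"X-Api-Key": sk}, "refund", store)[0])    # 200: sk has full access
    print(authenticate({"x-api-key": pk}, "refund", store)[0])    # 403: pk is restricted
    print(authenticate({"x-api-key": pk}, "tokenize", store)[0])  # 200: public-facing op
    print(authenticate({}, "read", store)[0])                     # 401: header missing
    store.revoke(sk)
    print(authenticate({"x-api-key": sk}, "read", store)[0])      # 401: revoked key
```

Note that a well-formed but unregistered key and a revoked key both produce the same 401 as a missing header; the response does not reveal whether the key ever existed.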
Best practices
Use environment variables
Load your key from an environment variable or secret manager — never hardcode it in your source.
Rotate on suspected leak
Think your key was compromised? Generate a new one and revoke the old key in the Dashboard.
One key per environment
Keep sandbox and production keys clearly separated in your application.
Restrict in the frontend
In the browser or mobile app, use only the pk. The sk must never leave the server.
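The four practices above translate into a few lines of startup code. The following is an added example for this page, not Z2Pay's own SDK: it reads the key and target environment from the process environment, rejects malformed values (including a masked key copied from the dashboard), logs keys only in the dashboard's masked form, and refuses to hand a secret key to frontend configuration. The variable names `Z2PAY_API_KEY` and `Z2PAY_ENV`, the `api.` host label and the production host are assumptions; the page specifies only the key format and the `*.sandbox.z2pay.com` host pattern.

```python
from __future__ import annotations

import re
from typing import Mapping

# Environment variable names, the "api." host label and the production host are
# assumptions made for this example, not values taken from the page.
KEY_VAR = "Z2PAY_API_KEY"
ENV_VAR = "Z2PAY_ENV"  # "sandbox" or "production"
BASE_URLS = {
    "sandbox": "https://api.sandbox.z2pay.com",  # matches the page's *.sandbox.z2pay.com
    "production": "https://api.z2pay.com",       # assumed
}
# Documented prefix plus an unmasked random part; a masked copy (with "…") fails this.
KEY_FULL_RE = re.compile(r"^z2_(psp|chk|stl|af)_(sk|pk)_[A-Za-z0-9]+$")


def key_type(key: str) -> str:
    """Return 'sk' or 'pk' from the documented prefix; raise on anything else."""
    m = KEY_FULL_RE.match(key)
    if not m:
        raise ValueError("value does not look like a complete Z2Pay API key")
    return m.group(2)


def mask_key(key: str) -> str:
    """Dashboard-style masking (z2_psp_sk_KxY8…3pQ1) for logs and error messages."""
    prefix, random = key.rsplit("_", 1)
    return f"{prefix}_{random[:4]}…{random[-4:]}"


def load_settings(env: Mapping[str, str]) -> dict:
    """Read key and target environment from the environment, never from source code."""
    key = env.get(KEY_VAR)
    if not key:
        raise RuntimeError(f"{KEY_VAR} is not set; inject it from a secret manager")
    key_type(key)  # fail fast on malformed or masked values
    target = env.get(ENV_VAR, "sandbox")
    if target not in BASE_URLS:
        raise RuntimeError(f"{ENV_VAR} must be one of {sorted(BASE_URLS)}")
    # One key per environment: the base URL is derived from the same setting.
    return {"api_key": key, "environment": target, "base_url": BASE_URLS[target]}


def browser_config(settings: dict) -> dict:
    """Configuration shipped to the frontend: only a publishable key may be embedded."""
    key = settings["api_key"]
    if key_type(key) != "pk":
        raise PermissionError(f"refusing to expose secret key {mask_key(key)} to the browser")
    return {"publishable_key": key, "base_url": settings["base_url"]}


if __name__ == "__main__":
    import os
    # Fall back to a constructed sample environment when the real variables are absent.
    env = dict(os.environ) if KEY_VAR in os.environ else {KEY_VAR: "z2_psp_pk_" + "A" * 43, ENV_VAR: "sandbox"}
    settings = load_settings(env)
    print(settings["environment"], settings["base_url"])
    print("frontend gets:", browser_config(settings))
    print("logged as:", mask_key(settings["api_key"]))
```

`browser_config` is the choke point for the last practice: whatever builds the page or mobile bundle calls it, so a deployment misconfigured with an sk fails at build time rather than shipping the key to clients.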
