Authentication
Every request must include your API key in the Authorization header as a Bearer token. Keys are team-scoped — a key issued for team A cannot access team B's resources.
Key format
zyberspace keys use the format zxk_live_<random>. They are SHA-256 hashed before storage — the plaintext is shown only once at creation and cannot be recovered. Store it in a secrets manager immediately.
Creating a key
Go to Dashboard → [Team] → API Keys, click Create API Key, choose a name and the scopes your key needs, optionally add an IP allowlist and expiry date, then copy the key. The prefix field (first 16 characters) is used to identify the key in logs.
Scopes
Each key carries fine-grained scopes. Available scopes: sites:read — list and get sites. sites:write — create, update, delete sites. deployments:read — list deployments. deployments:write — upload, publish, rollback, delete deployments. domains:read — list and get custom domains. domains:write — add, verify, pause, unpause, remove domains. team:read — get team info. api_keys:read — list API keys.
IP allowlist
Optionally restrict a key to specific IPs or CIDR ranges (up to 20 entries). Requests from unlisted IPs return 403 forbidden_ip. Leave empty to allow all IPs.
Error responses
401 missing_token — Authorization header absent or malformed. 401 invalid_token — Key not found or inactive. 401 expired_token — Key has passed its expiry date. 403 team_mismatch — Key belongs to a different team. 403 forbidden_ip — Request IP not in allowlist. 403 insufficient_scope — Key lacks the required scope for this endpoint.
Code examples
# Pass the key in every request
curl "https://www.zyberspace.com/api/v1/{teamSlug}/team" \
-H "Authorization: Bearer zxk_live_YOUR_API_KEY"// Include on every request
const headers = {
Authorization: "Bearer zxk_live_YOUR_API_KEY",
"Content-Type": "application/json",
};
const res = await fetch(`https://www.zyberspace.com/api/v1/{teamSlug}/team`, { headers });
const { data } = await res.json();Base URL: https://www.zyberspace.com