The Login with Zip API uses a number of values to identify and authorise the merchant.

In order to use the API you will need to first request your merchant credentials.
Once registered you will be provided with: - A Zip API key - To be used to place /charges - A Zip client_id and client_secret - to be used for linking customer accounts and refreshing tokens

Make sure to keep your API key and client_secret store securely, they should not be placed anywhere publicly available such as open source repositories or client side code.

var apiKey = read.from.config('ZipAPIKey');
request.headers.add("X-Zip-API-Key", apiKey);

For /charges calls

Content - Typeapplication/jsonYes
AuthorizationBearer + [customer access_token]Yes
  • The Content-Type entity header is used to indicate the media type of the resource.
  • The X-Zip-API-Key header is where you will pass your merchant API key. Details on where to find your API key are outlined in the 'Preparing for Integration' section of this documentation.
  • The Idempotency-Key is a unique random string for each request. If a request times out or provides invalid response you can attempt to repeat exact same request with same idempotency key to avoid any duplication.
  • The Authorization header is where you will pass your customer access_token obtained in the linking process.

For /tokens calls

The authenticating values for these calls (client_id and client_secret)are passed in the form body rather than the header.

Depending if you are creating a token or refreshing one, the customer auth code or the customer refresh_token are also passed in the form body of this request.


For /authorize calls

The authenticating values for this call client_id , is passed in the endpoint query string rather than the header.