The Zip web API uses a secure API key to identify and authorise the merchant.

In order to use the API you will need to first request your merchant credentials.
Once registered an API key will be provided to you. Make sure to keep your API key secret, it is a secure key that should not be placed anywhere publicly available such as open source repositories or client side code.

Your API key must be provided in a HTTP Authorization header for all requests. All requests need to be made over https (TLS 1.2).
var apiKey = read.from.config('ZipAPIKey');
request.headers.add("Authorization", "Bearer " + apiKey);
All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
A breakdown of the full required header info is as below:

Key

Value

Required

Content-Type

application/json

Yes

Authorization

Bearer [ApiKey]

Yes

Idempotency-Key

[RandomString]

Required for the following APIs
/charges
/capture
/refund
/cancel

Zip-Version

2021-08-25

Yes

  • The Content-Type entity header is used to indicate the media type of the resource.
  • The Authorization header is where you will pass your merchant API key. Details on where to find your API key are outlined in the 'Preparing for Integration' section of this documentation.
  • The Idempotency-Key is a unique random string for each request. If a request times out or provides invalid response you can attempt to repeat exact same request with same idempotency key to avoid any duplication.