The Zip Instore API uses a secure API key to identify and authorise the merchant.

In order to use the API you will need to first request your merchant credentials.
Once registered an API key will be provided to you. Make sure to keep your API key secret, it is a secure key that should not be placed anywhere publicly available such as open source repositories or client side code.

var EncodedKey = base64_encode(API_KEY + “:”);
request.headers.add("Authorization", "Basic " + EncodedKey);


Enconding type must be UTF8

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
A breakdown of the full required header info is as below:
AuthorizationBasic [Encoded Key]Yes
  • The Content-Type entity header is used to indicate the media type of the resource.
  • The Authorization header is where you will pass your merchant API key. Details on where to find your API key are outlined in the 'Preparing for Integration' section of this documentation.
  • The Client-Request-Id is a unique random string for each purchase or refund request. If a request times out or provides invalid response you can attempt to repeat exact same request with same Client-Request-Id to avoid any duplication.