API key management

Zapat API keys let you interact with the Zapat API programmatically — for example, to trigger jobs from your own CI system, read job status, or manage configuration from scripts.

Creating an API key

• Go to Settings > API Keys in the dashboard.
• Click "Create API key".
• Give the key a descriptive name (e.g., "CI pipeline" or "GitHub Actions").
• Select the permissions the key needs (see below).
• Optionally set an expiration date.
• Click "Create" — the full key is shown once. Copy it now; it cannot be retrieved again.

Available permissions

• jobs:read — List and view jobs, events, and job details.
• jobs:write — Create new jobs and trigger pipeline runs.
• config:read — Read org and repo configuration.
• config:write — Update org and repo configuration.
• repos:read — List connected repositories.

Using an API key

Pass the API key in the Authorization header as a Bearer token:

curl -H "Authorization: Bearer zapat_..." https://api.zapat.ai/orgs/{orgId}/jobs

Rotating an API key

There is no in-place rotation. To rotate a key: create a new key with the same permissions, update your systems to use the new key, then delete the old key from the API Keys list in the dashboard.

Security best practices

• Use the minimum permissions needed — never give a read-only integration jobs:write.
• Set an expiration date for keys used in CI systems.
• Never commit API keys to source code. Use GitHub secrets or an encrypted secrets vault.
• Rotate keys immediately if you suspect they have been exposed.
• Use separate keys for separate integrations so you can revoke one without affecting others.