Authentication

API keys and Bearer token authentication.

Overview

Authenticate every API request with a Bearer token in the Authorization header. API keys are created in Admin Center → Developer → API keys and inherit the permissions of the creating user's role unless scoped further.

Rotate keys on a defined schedule (quarterly recommended for production) and immediately revoke any key suspected of exposure. Use separate keys per environment and per integration.

Who should read this

  • QA engineers, SREs, platform teams, and developers operating Zof Console and APIs.

When to use this workflow

  • Onboarding new team members to Zof terminology and workflows
  • Authoring internal runbooks aligned with Console labels
  • Designing CI/CD or webhook integrations against documented behavior

Step-by-step procedure

Create an API key

Admin Center → Developer → API keys → Create key.

Name the key by purpose (e.g., "GitHub Actions staging").

Copy the key once; it may not be shown again.

Store securely

Save the key as a CI secret or vault entry; never commit it to git.

Restrict access to pipeline and service principals that need it.

Send with requests

Include the header Authorization: Bearer YOUR_API_KEY.

Use Content-Type: application/json for POST/PATCH bodies.

Key concepts

Organization scope
All Zof Console and API operations are isolated to your authenticated tenant.

Governed execution
Agent output and remediation follow policy packs with human approval when configured.

Best practices

  • Use least-privilege service accounts for automation
  • Monitor Admin audit log for key creation and revocation
  • Never embed keys in browser or mobile client code

Example request

curl -s https://api.zof.ai/v1/projects \
  -H "Authorization: Bearer $ZOF_API_KEY" \
  -H "Content-Type: application/json"
