Authentication

The Zazmic Agents API supports two authentication methods: API keys and session-based authentication.

API Key Authentication

API keys are the primary method for programmatic access to the Zazmic Agents API.

Getting Your API Key

  1. Log in to your Zazmic Agents account
  2. Navigate to Settings > API Keys
  3. Click Generate New API Key
  4. Copy and securely store your key

Using API Keys

Include your API key in the Authorization header with the Bearer scheme:

    curl https://agents.zazmic.com/api/tasks \
      -H "Authorization: Bearer your_api_key_here"

Examples:

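    # Python
    import os
    import requests

    # Read the key from the environment rather than hard-coding it
    API_KEY = os.environ["ZAZMIC_API_KEY"]

    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json"
    }
    response = requests.get("https://agents.zazmic.com/api/tasks", headers=headers)

    // JavaScript
    // Read the key from the environment rather than hard-coding it
    const API_KEY = process.env.ZAZMIC_API_KEY;

    const headers = {
      'Authorization': `Bearer ${API_KEY}`,
      'Content-Type': 'application/json'
    };
    const response = await fetch('https://agents.zazmic.com/api/tasks', { headers });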

Session Authentication

Session authentication is used by the web interface and supports authenticated browser requests.

How It Works

  1. User logs in via the web interface
  2. NextAuth.js creates a secure session cookie
  3. Subsequent requests automatically include the session

Use Cases

Session authentication is primarily for:

  • Web application integrations
  • Browser-based API testing (via API Playground)
  • Single sign-on (SSO) scenarios

Security Best Practices

Protect Your API Keys

  • Never commit API keys to version control
  • Store keys in environment variables or secure vaults
  • Rotate keys regularly (every 90 days recommended)
  • Use separate keys for development and production

Key Storage Examples

    # .env file (add to .gitignore)
    ZAZMIC_API_KEY=your_api_key_here

    # Python - using python-dotenv
    from dotenv import load_dotenv
    import os

    load_dotenv()
    API_KEY = os.getenv("ZAZMIC_API_KEY")

    // Node.js - using dotenv
    require('dotenv').config();
    const API_KEY = process.env.ZAZMIC_API_KEY;

Rate Limiting

Both authentication methods are subject to rate limiting:

  • 10 agent executions per minute per user
  • Abuse prevention: Accounts with 10+ failed tasks in 10 minutes are temporarily blocked

Rate limit headers are included in responses:

    X-RateLimit-Limit: 10
    X-RateLimit-Remaining: 7
    X-RateLimit-Reset: 1642252800

Error Responses

401 Unauthorized

Missing or invalid authentication:

{ "error": "Unauthorized", "message": "No authorization header provided" }

403 Forbidden

Valid authentication but insufficient permissions:

{ "error": "Forbidden", "message": "Insufficient balance. Please add credits to your account." }

429 Too Many Requests

Rate limit exceeded:

{ "error": "Rate limit exceeded", "message": "You have exceeded the rate limit of 10 requests per minute" }
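The following is an added example, not code from the Zazmic documentation: a client-side wrapper that fails fast on 401/403 and waits for the rate-limit window on 429 instead of retrying blindly. It assumes X-RateLimit-Reset is a Unix timestamp in seconds (the page does not say), and `send` is a hypothetical callable returning `(status, headers, body_dict)`.

```python
import time

DEFAULT_WAIT = 60   # fallback when the reset header is missing or malformed
MAX_WAIT = 120      # never sleep longer than this on a server-supplied value


class AuthError(Exception):
    """401/403: retrying with the same credentials cannot succeed."""


def wait_seconds(headers, now):
    """Seconds to wait before retrying, derived from X-RateLimit-Reset.

    Assumption: the header value is a Unix timestamp in seconds.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        reset = int(lowered["x-ratelimit-reset"])
    except (KeyError, ValueError):
        return DEFAULT_WAIT
    return min(max(reset - int(now), 0), MAX_WAIT)


def call_with_rate_limit(send, max_attempts=3, clock=time.time, sleep=time.sleep):
    """Call send() until the response is not a 429.

    send is a hypothetical callable returning (status, headers, body_dict).
    The API key stays inside send, so raised errors never contain it.
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status in (401, 403):
            # Fail fast and surface the server's message; do not retry.
            raise AuthError(f"{status} {body.get('error')}: {body.get('message')}")
        if status != 429:
            return status, body
        if attempt < max_attempts:
            sleep(wait_seconds(headers, clock()))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


if __name__ == "__main__":
    # Constructed responses modelled on the page's headers and 429 body.
    replies = iter([
        (429, {"X-RateLimit-Reset": "1642252800"}, {"error": "Rate limit exceeded"}),
        (200, {"X-RateLimit-Remaining": "9"}, {"tasks": []}),
    ])
    print(call_with_rate_limit(lambda: next(replies),
                               clock=lambda: 1642252795, sleep=print))
```
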
