API Keys Overview
Zuplo provides a fully managed API key authentication system that you can add to your API in minutes. Every key is validated at the edge across 300+ data centers, so authentication is fast for your consumers and offloads work from your backend.
To start using Zuplo API keys in only a few minutes, see the quickstart.
Not sure if API keys are the right auth method? See When to Use API Keys. For the practices that define a production-grade implementation, see API Key Best Practices.
What you get with Zuplo API keys
- Thoughtful key format — keys use a zpka_ prefix, cryptographically random body, and checksum signature. The prefix enables GitHub secret scanning, the checksum allows instant format validation without a database call, and the underscore formatting means a double-click selects the entire key. See API key format for the full breakdown.
- Leak detection — Zuplo is a GitHub secret scanning partner. If a key is committed to any GitHub repository, you are notified immediately.
- Self-serve key management — give your API consumers a developer portal where they can create, view, roll, and revoke their own keys. Or build key management into your own product.
- Edge validation — keys are validated through a multi-step process at the edge: format check, checksum verification, cache lookup, then key service query. See how validation works for the full flow.
- Key rotation with transition periods — the roll-key API creates a new key and sets an expiration on existing keys, so consumers have time to migrate without downtime.
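The sketch below is an added example, not Zuplo's code, of the validation order described above: format check, checksum verification, cache lookup, then key service query. The key layout, the CRC-32 checksum, the `keyService` callback and the TTL value are assumptions made for illustration; the page does not specify them.

```javascript
// Added illustration, not Zuplo's implementation. Assumed layout:
// zpka_<32 hex body>_<8 hex CRC-32 of body>; the real format is not given here.
const KEY_RE = /^zpka_([0-9a-f]{32})_([0-9a-f]{8})$/;

// Bitwise CRC-32 (IEEE), standing in for the unspecified checksum.
function crc32Hex(text) {
  let crc = 0xffffffff;
  for (const byte of new TextEncoder().encode(text)) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return ((crc ^ 0xffffffff) >>> 0).toString(16).padStart(8, "0");
}

const makeKey = (body) => `zpka_${body}_${crc32Hex(body)}`;

// Steps 1-2: pure string checks, no I/O. Returns the failing step or null.
function precheck(key) {
  const m = KEY_RE.exec(key);
  if (!m) return "format";
  return crc32Hex(m[1]) === m[2] ? null : "checksum";
}

// keyService is a hypothetical async lookup: key -> consumer object or null.
function createValidator(keyService, ttlMs = 60000, now = Date.now) {
  const cache = new Map(); // key -> { consumer, expires }
  return async function validate(key) {
    const failed = precheck(key);
    if (failed) return { ok: false, step: failed };
    const hit = cache.get(key); // step 3: cache lookup
    if (hit && hit.expires > now())
      return { ok: hit.consumer !== null, step: "cache", consumer: hit.consumer };
    const consumer = await keyService(key); // step 4: key service query
    // Both outcomes are cached, so a revocation takes effect within ttlMs at most.
    cache.set(key, { consumer, expires: now() + ttlMs });
    return { ok: consumer !== null, step: "service", consumer };
  };
}

// Constructed sample key (fixed body, not a real credential).
const SAMPLE_KEY = makeKey("0123456789abcdef0123456789abcdef");
```

Malformed or mistyped keys are rejected in `precheck` and never reach the cache or the key service, which keeps junk traffic off the backing store.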
Fully managed global infrastructure
Zuplo builds and manages the API key infrastructure so you don't have to. The service handles key storage, global replication, edge caching, and validation at scale — supporting millions of keys and virtually unlimited throughput.
Keys replicate around the world in seconds. When a key is created, revoked, or deleted, the change propagates to all 300+ edge locations within seconds, ensuring your API is never open to unauthorized access for longer than the configured cache TTL.
Key concepts
The API key system has three core objects. For full details, see the API Keys concepts page.
- Consumers — the identities that own API keys. Each consumer has a unique name within its bucket (used as request.user.sub at runtime), optional metadata available on every authenticated request, and optional tags for management queries.
- API Keys — the credential strings used to authenticate. Each consumer can have multiple keys. All keys for a consumer share the same identity and metadata. Keys use the zpka_ format by default; enterprise customers can use custom key formats, though custom formats lose leak detection support.
- Buckets — group consumers for an environment. Each project has buckets for production, preview, and development. See API Key Buckets for details.