# Authentication

### API key format <a href="#api-key-format" id="api-key-format"></a>

Each environment has its own key pair:

| Key Type        | Prefix                  | Use                                   | Visibility     |
| --------------- | ----------------------- | ------------------------------------- | -------------- |
| Publishable Key | `pk_live_` / `pk_test_` | Identify your account                 | Safe to expose |
| Secret Key      | `sk_live_` / `sk_test_` | Authenticate server-side API requests | Keep secret    |

### Making authenticated requests <a href="#making-authenticated-requests" id="making-authenticated-requests"></a>

Pass your secret key in the `x-api-key` header on every request:

```shellscript
curl -X POST https://zynta-lastmile-api.up.railway.app/api/v1/quotes \
  -H "x-api-key: sk_live_your_secret_key_here" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: unique-request-id" \
  -d '{"recipientId": "...", "sourceChain": "SOLANA", ...}'
```

{% hint style="warning" %}
Never expose your secret key in client-side code, public repositories, or browser requests. Use it only in server-to-server calls.
{% endhint %}
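
The warning above can be enforced with a pre-commit or CI check. This added example (not part of the Zynta documentation or tooling) scans text for the `sk_live_` / `sk_test_` prefixes and reports redacted findings; the key-body pattern, the `ZYNTA_KEY` variable name, and every sample key are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Prefixes are from the key table above. The body pattern (16 or more
# characters of [A-Za-z0-9_]) is an assumption; the page does not specify it.
SECRET_KEY_RE = re.compile(r"\bsk_(live|test)_[A-Za-z0-9_]{16,}")

# The documentation placeholder from the curl example is not a real credential.
PLACEHOLDERS = {"sk_live_your_secret_key_here"}


def redact(key):
    """Keep the prefix and last 4 characters so a report does not re-leak the key."""
    return f"{key[:8]}...{key[-4:]}"


def scan_text(name, text):
    """Return one finding per secret key in text; publishable keys are ignored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in SECRET_KEY_RE.finditer(line):
            if match.group(0) in PLACEHOLDERS:
                continue
            findings.append({"file": name, "line": lineno,
                             "env": match.group(1), "key": redact(match.group(0))})
    return findings


# Constructed sample files; every key value here is made up for the example.
SAMPLE_FILES = {
    "web/checkout.js": 'const account = "pk_live_CONSTRUCTED0000000001";\n',
    "web/quotes.js": '// browser\nheaders["x-api-key"] = "sk_live_CONSTRUCTED0000000002";\n',
    "README.md": 'curl -H "x-api-key: sk_live_your_secret_key_here" ...\n',
    "ci/.env": "ZYNTA_KEY=sk_test_CONSTRUCTED0000000003\n",
}


def scan_files(files):
    """Scan a {name: contents} mapping and return all findings."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    files = {p: Path(p).read_text(errors="replace") for p in sys.argv[1:]} or SAMPLE_FILES
    results = scan_files(files)
    for r in results:
        print(f'{r["file"]}:{r["line"]}: {r["env"]} secret key {r["key"]}')
    sys.exit(1 if results else 0)
```

Run with file paths as arguments to scan real files; the non-zero exit status on any finding lets a commit hook or pipeline step block the change.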

### Scopes <a href="#scopes" id="scopes"></a>

Each API key is assigned scopes that control which endpoints it can access. The `all` scope grants full access.

| Scope              | Access                                |
| ------------------ | ------------------------------------- |
| `recipients:read`  | Read recipient data                   |
| `recipients:write` | Create and update recipients          |
| `quotes:read`      | Read quotes                           |
| `quotes:write`     | Create quotes                         |
| `transfers:read`   | Read transfers                        |
| `transfers:write`  | Create off-ramp and on-ramp transfers |
| `webhooks:read`    | Read webhook subscriptions            |
| `webhooks:write`   | Create and manage webhooks            |
| `all`              | Full access to all endpoints          |

If your key lacks the required scope for an endpoint, the API returns a `403 Forbidden` error with a message indicating which scope is needed.

### IP allowlisting <a href="#ip-allowlisting" id="ip-allowlisting"></a>

API keys can be restricted to specific IP addresses or CIDR ranges. Configure this in the dashboard when creating or updating a key.

When an allowlist is set, requests from IPs not on the list are rejected with:

```json
{
  "code": "forbidden",
  "message": "Request origin IP is not in the API key allowlist."
}
```

### Country restrictions <a href="#country-restrictions" id="country-restrictions"></a>

API keys can be restricted to specific destination countries. If a request targets a country not in the key's allowed list, the API returns a `403` error.

This is useful for partners who only operate in specific markets (e.g. Nigeria and Kenya only).

