Authentication
There are two key types.
Platform key (server-to-server, full CRUD)
Use a Bearer token from your backend:
Authorization: Bearer dzpk_live_<key_id>.<secret>
The format is prefix_keyid.secret — both halves are required. The secret is shown once at creation and never again.
Public key (browser / external sites; HMAC-signed)
For tracking end-user signups and custom events from a website you embed our snippet on. You must sign every call from your backend — never expose the signing secret to a browser.
Headers:
Authorization: DZ-Public dzpub_live_<key_id>
X-DZ-Timestamp: <unix_seconds>
X-DZ-Nonce: <32-hex>
X-DZ-Signature: hex(hmac_sha256(signing_secret, key_id + "\n" + nonce + "\n" + ts + "\n" + sha256(body)))
The nonce is single-use per key (the server remembers used nonces for one hour in a KV store), which prevents replay. The timestamp must be within ±5 minutes of server time.
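The following is an added example, not the vendor's own SDK, showing the signing scheme above from both sides: a backend helper that builds the four headers, and a verifier that applies the documented ±5 minute window and single-use nonce rule. It assumes sha256(body) means the hex digest of the raw request body, that the key_id in the string to sign is the bare id after dzpub_live_, and that the timestamp is signed as its decimal string; the key id and secret used in the test are constructed.

```python
import hashlib
import hmac
import secrets
import time

PREFIX = "DZ-Public dzpub_live_"

def sign(key_id: str, secret: str, nonce: str, ts: int, body: bytes) -> str:
    # String to sign per the header spec: key_id, nonce, timestamp, sha256(body), joined by "\n".
    # Assumption: sha256(body) means the hex digest of the raw request body.
    msg = "\n".join([key_id, nonce, str(ts), hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def build_headers(key_id: str, secret: str, body: bytes, ts=None, nonce=None) -> dict:
    # Backend-side signing: the signing secret never leaves the server.
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce  # 32 hex chars
    return {"Authorization": PREFIX + key_id,
            "X-DZ-Timestamp": str(ts),
            "X-DZ-Nonce": nonce,
            "X-DZ-Signature": sign(key_id, secret, nonce, ts, body)}

class Verifier:
    # Receiving-side checks mirroring the documented rules: +/-5 min window, single-use nonce per key.
    def __init__(self, secrets_by_key_id: dict, window: int = 300):
        self.secrets = secrets_by_key_id
        self.window = window
        self.seen = set()  # (key_id, nonce) pairs; a 1-hour KV store in production

    def verify(self, headers: dict, body: bytes, now=None) -> bool:
        now = int(time.time()) if now is None else now
        auth = headers.get("Authorization", "")
        key_id = auth[len(PREFIX):] if auth.startswith(PREFIX) else None
        secret = self.secrets.get(key_id)
        nonce = headers.get("X-DZ-Nonce", "")
        try:
            ts = int(headers.get("X-DZ-Timestamp", ""))
        except ValueError:
            return False
        if secret is None or len(nonce) != 32 or abs(now - ts) > self.window:
            return False
        if (key_id, nonce) in self.seen:  # nonce already used: replay
            return False
        expected = sign(key_id, secret, nonce, ts, body)
        if not hmac.compare_digest(expected, headers.get("X-DZ-Signature", "")):
            return False
        self.seen.add((key_id, nonce))  # burn the nonce only after the signature checks out
        return True
```

Recording the nonce only after a valid signature keeps an unauthenticated sender from exhausting nonces for a key, and the constant-time comparison avoids leaking the expected signature through timing.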
Scopes
Every key has a list of scopes. Default platform scopes:
store:read, store:write, products:read, products:write, orders:read, orders:write, customers:read, landing_pages:read, landing_pages:write, webhooks:read, webhooks:write, usage:read.
Default public scopes: signups:write, events:write.