Skip to main content

Overview

Zupy uses API key authentication for secure access to all loyalty program APIs. This guide covers the complete authentication process, from initial setup through API key generation and usage.

Quick Start

Get authenticated and make your first API call in 5 minutes

Authentication Flow

The Zupy authentication process ensures secure partner access through a two-step verification:
1

OTP Verification

Verify your partner account using One-Time Password sent to your registered contact
2

API Key Generation

Generate secure API keys with specific permissions for your integration
3

API Usage

Include API key in request headers to access loyalty program endpoints

Quick Start

Step 1: Access Developer Dashboard

Navigate to your Zupy developer dashboard to begin the authentication process: 
https://app.zupy.com/developers/api-keys
Partner Account Required: You need an active Zupy partner account. Contact [email protected] if you don’t have access.

Step 2: OTP Verification Process

Before generating API keys, you’ll need to verify your identity using our OTP system:
  1. Request OTP: Click “Verify Account” in your dashboard
  2. Receive Code: Check your registered WhatsApp for a 6-digit verification code
  3. Enter Code: Input the code within 5 minutes
  4. Confirmation: Successful verification unlocks API key generation
Code Format: 123456 (6 digits, expires in 5 minutes)
If WhatsApp is unavailable, request email verification:
  1. Click “Send via Email” in the verification dialog
  2. Check your registered email for the verification code
  3. Enter the 6-digit code to complete verification
  4. Email codes are valid for 10 minutes
Backup Option: Email OTP is available if WhatsApp delivery fails

Step 3: Generate API Keys

After successful OTP verification, generate your API keys: 
{
  "name": "Production Integration",
  "permissions": [
    "customer:read",
    "customer:write", 
    "loyalty:read",
    "loyalty:write",
    "coupons:validate",
    "coupons:redeem"
  ],
  "rate_limit": 1000,
  "environment": "production"
}
Secret Key Security: Your API key is shown only once during generation. Store it securely and never commit it to version control.

API Key Management

Key Generation Options

When creating API keys, you can configure several important settings:
name
string
required
Descriptive name for the API key (e.g., “Production PDV Integration”)
permissions
array
required
Array of permission scopes for the API key
[
  "customer:read",      // Read customer profiles and data
  "customer:write",     // Create/update customer information  
  "loyalty:read",       // Access loyalty program data
  "loyalty:write",      // Award/redeem points and rewards
  "coupons:validate",   // Validate coupon codes
  "coupons:redeem",     // Redeem and use coupons
  "webhooks:manage",    // Configure webhook endpoints
  "admin:read"          // Administrative read access
]
rate_limit
integer
Requests per minute limit (default: 100, max: 2000)
environment
string
Environment type for the key
staging | production
ip_restrictions
array
Optional array of allowed IP addresses/CIDR blocks
["192.168.1.0/24", "10.0.0.15"]
expires_at
string
Optional expiration date (ISO 8601 format). Default: 1 year from creation

Key Format and Structure

Zupy API keys follow a structured format for easy identification: 
zup_{environment}_{type}_{identifier}

Examples:
zup_live_sk_1a2b3c4d5e6f7g8h9i0j    // Production secret key
zup_test_sk_9z8y7x6w5v4u3t2s1r0q    // Staging/test secret key
Format Components:
  • zup: Zupy platform identifier
  • live/test: Environment indicator (production/staging)
  • sk: Secret key type
  • identifier: 20-character random string

Permission Scopes Explained

customer:read
  • Search customers by phone, email, CPF
  • Retrieve customer profiles and RFM data
  • Access customer balance and transaction history
customer:write
  • Create new customer profiles
  • Update existing customer information
  • Manage customer preferences and verification status
loyalty:read
  • Access reward catalog and availability
  • Retrieve loyalty program configuration
  • View points balance and transaction history
loyalty:write
  • Award points for transactions
  • Redeem rewards and generate coupons
  • Modify points balance (admin operations)
coupons:validate
  • Validate coupon codes for redemption
  • Check coupon status and usage limits
  • Calculate discount amounts and eligibility
coupons:redeem
  • Mark coupons as used/redeemed
  • Track coupon usage and order association
  • Handle coupon reversal operations
webhooks:manage
  • Register webhook endpoints for events
  • Configure webhook authentication and filters
  • View webhook delivery status and retry logs
admin:read
  • Access administrative reports and analytics
  • View system health and performance metrics
  • Export customer data and audit logs

Using API Keys

Request Header Format

Include your API key in every request using the Authorization header: 
curl -X GET "https://api.zupy.com/v1/loyalty/customers/search?whatsapp=+5511965958122" \
  -H "Authorization: Bearer zup_live_sk_1a2b3c4d5e6f7g8h9i0j" \
  -H "Content-Type: application/json"

Environment URLs

Use the appropriate base URL for your environment:
production
Production Environment: https://api.zupy.com/v1/Use this for live integrations with actual customer data
staging
Staging Environment: https://api-staging.zupy.com/v1/Use this for development and testing with sample data

Security Best Practices

API Key Storage

Implement regular key rotation for enhanced security:
  1. Generate New Key: Create new API key with same permissions
  2. Update Applications: Deploy updated key to all integration points
  3. Monitor Usage: Verify new key is working correctly
  4. Revoke Old Key: Delete previous key after successful migration
Recommended Frequency: Rotate keys every 90 days for production
Add IP restrictions to limit access from specific networks:
{
  "name": "Production Restricted Key",
  "permissions": ["customer:read", "loyalty:read"],
  "ip_restrictions": [
    "203.0.113.0/24",     // Office network
    "198.51.100.15"       // Production server IP
  ]
}
Benefits: Prevents unauthorized usage even if key is compromised

Error Handling

Handle authentication errors gracefully in your integration: 
{
  "error": "authentication_failed",
  "message": "Invalid or expired API key",
  "details": {
    "error_code": "INVALID_API_KEY",
    "documentation_url": "https://docs.zupy.com/authentication"
  }
}

Implementation Example

Here’s a complete authentication implementation with error handling: 
class ZupyAPI {
  constructor(apiKey, baseUrl = 'https://api.zupy.com/v1') {
    this.apiKey = apiKey;
    this.baseUrl = baseUrl;
  }

  async makeRequest(endpoint, options = {}) {
    const url = `${this.baseUrl}${endpoint}`;
    
    const config = {
      ...options,
      headers: {
        'Authorization': `Bearer ${this.apiKey}`,
        'Content-Type': 'application/json',
        ...options.headers,
      },
    };

    try {
      const response = await fetch(url, config);
      
      if (!response.ok) {
        const error = await response.json();
        throw new Error(`API Error: ${error.message}`);
      }
      
      return await response.json();
    } catch (error) {
      console.error('Zupy API Error:', error);
      throw error;
    }
  }

  // Example usage methods
  async searchCustomer(whatsapp) {
    return this.makeRequest(`/loyalty/customers/search?whatsapp=${encodeURIComponent(whatsapp)}`);
  }

  async validateCoupon(couponCode, orderData) {
    return this.makeRequest('/loyalty/validate-coupon', {
      method: 'POST',
      body: JSON.stringify({ coupon_code: couponCode, order: orderData })
    });
  }
}

// Usage
const zupy = new ZupyAPI(process.env.ZUPY_API_KEY);

Rate Limits and Quotas

Default Rate Limits

Rate limits are applied per API key and are designed to ensure fair usage:
Standard Keys
100 requests per minuteSuitable for most integrations and development purposes
Premium Keys
1,000 requests per minuteFor high-volume integrations and production systems
Enterprise Keys
2,000+ requests per minuteCustom limits available for enterprise partnerships

Rate Limit Headers

Every API response includes rate limit information: 
HTTP/1.1 200 OK
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1693833600
X-RateLimit-Window: 60
Header Descriptions:
  • X-RateLimit-Limit: Total requests allowed in the window
  • X-RateLimit-Remaining: Requests remaining in current window
  • X-RateLimit-Reset: Timestamp when the limit resets (Unix time)
  • X-RateLimit-Window: Rate limit window in seconds

Handling Rate Limits

Implement exponential backoff when rate limits are exceeded: 
async function makeRequestWithRetry(apiCall, maxRetries = 3) {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    try {
      return await apiCall();
    } catch (error) {
      if (error.status === 429 && attempt < maxRetries) {
        // Exponential backoff: 2^attempt seconds + jitter
        const delay = Math.pow(2, attempt) * 1000 + Math.random() * 1000;
        console.log(`Rate limited. Retrying in ${delay}ms...`);
        await new Promise(resolve => setTimeout(resolve, delay));
        continue;
      }
      throw error;
    }
  }
}

Troubleshooting

Common Authentication Issues

Error: authentication_failed - Invalid API key formatCauses:
  • Missing Bearer prefix in Authorization header
  • Malformed API key (not following zup_* format)
  • Extra spaces or characters in the key
Solution:
# Correct format
Authorization: Bearer zup_live_sk_1a2b3c4d5e6f7g8h9i0j

# Common mistakes to avoid  
Authorization: zup_live_sk_1a2b3c4d5e6f7g8h9i0j          # Missing "Bearer"
Authorization: Bearer  zup_live_sk_1a2b3c4d5e6f7g8h9i0j   # Extra space
Authorization: Bearer "zup_live_sk_1a2b3c4d5e6f7g8h9i0j"  # Unnecessary quotes
Error: authentication_failed - API key has expiredCauses:
  • API key has reached its expiration date
  • Key was manually revoked in the dashboard
Solution:
  1. Generate a new API key in your dashboard
  2. Update your application configuration
  3. Test the new key with a simple API call
Error: permission_denied - Insufficient permissions for this operationCauses:
  • API key doesn’t have required permission scope
  • Operation requires higher-level permissions (e.g., admin)
Solution:
  1. Check the endpoint documentation for required permissions
  2. Update your API key permissions in the dashboard
  3. Or create a new key with appropriate permissions

OTP Verification Issues

WhatsApp Issues:
  • Verify your registered WhatsApp number is correct
  • Check if WhatsApp Business API messages are blocked
  • Try requesting email OTP as alternative
Email Issues:
  • Check spam/junk folders for the verification email
  • Verify your registered email address is correct
  • Ensure zupy.com domain is not blocked
Solutions:
  • Wait 60 seconds before requesting a new code
  • Contact [email protected] if issues persist
Error: verification_failed - OTP code has expiredCauses:
  • WhatsApp codes expire after 5 minutes
  • Email codes expire after 10 minutes
  • Code was already used successfully
Solution:
  1. Request a new OTP code
  2. Complete verification within the time limit
  3. Use the most recently received code

Testing Authentication

Use these test endpoints to verify your authentication setup: 
# Test API key validity
curl -X GET "https://api.zupy.com/v1/auth/verify" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Expected response for valid key
{
  "authenticated": true,
  "key_id": "key_abc123def456",
  "permissions": ["customer:read", "loyalty:read"],
  "rate_limit": {
    "limit": 1000,
    "remaining": 999,
    "reset_at": "2025-09-04T11:30:00Z"
  }
}

Support and Resources

Getting Help

Developer Support

Email our developer support team for authentication issues and API questions

API Status Page

Check real-time API availability and authentication service status

Community Forum

Connect with other developers and share integration experiences

Additional Resources

  • API Reference: Complete endpoint documentation with examples
  • SDKs: Official client libraries for popular programming languages
  • Postman Collection: Ready-to-use API collection for testing
  • Integration Guides: Platform-specific integration tutorials
Security Notice: Never share your API keys publicly or commit them to version control. Contact support immediately if you suspect a key has been compromised.