Zenovay's REST API is documented at docs.zenovay.com. Every request authenticates with a Bearer token (an "API key") that you generate in the dashboard.
Generating an API key
Open API keys settings
In app.zenovay.com, go to Settings → API keys.
Click 'Create API key'
Pick a name that describes the integration (e.g. Slack alerts, Internal data export).
Choose the scope
- Team scope — the key can read/write across every website in the team.
- Site scope — the key is locked to one specific website. Ideal for embedding in a per-customer integration.
Choose the role
- Read — analytics queries only. Cannot create goals, funnels, or modify settings.
- Write — can create/edit goals, funnels, alerts, and team-level resources (if team-scoped).
Copy the key once
The key starts with zv_ and is shown only once at creation time. Copy it into your secrets manager immediately. We only store a hash; we cannot recover a lost key.
Hello-world request
Every API call sends the key as a Bearer token in the Authorization header.
curl https://api.zenovay.com/v1/websites \
-H "Authorization: Bearer zv_your_actual_key_here"
A successful response returns the websites the key has access to as JSON. If the key is invalid or revoked, you'll get 401 Unauthorized.
Rate limits
Each API key respects per-plan rate limits:
| Plan | Per-minute | Per-day |
|---|---|---|
| Free | 60 | 1,000 |
| Pro | 300 | 50,000 |
| Scale | 1,000 | 500,000 |
| Enterprise | Custom | Custom |
The response includes X-RateLimit-Remaining and X-RateLimit-Reset headers — read them and back off when you're nearing the limit. See API rate limits for details.
Rotating and revoking keys
- Rotation — go to Settings → API keys, click Rotate next to the key. The old key works for 5 minutes after rotation to give you time to deploy the new one.
- Revocation — click Revoke. The key stops working immediately.
- Audit — every key shows last-used timestamp and last-used IP (hashed). If a key hasn't been used in 90 days and you don't recognize the integration, revoke it.
MCP server
Zenovay also speaks the Model Context Protocol — your API key can be used to connect Claude Desktop, Cursor, or any MCP client directly to your analytics. See the MCP documentation on the developer site for the connection URL and tool list.
Best practices
- Never commit a key to a public repo. GitHub auto-scans for zv_-prefixed strings and we will auto-revoke detected keys.
- One key per integration. If a vendor is compromised, you only revoke their key.
- Use read-only keys unless the integration explicitly needs to write. Writes can create or modify goals, funnels, alerts, and (on team-scoped keys) settings.
- Site-scope keys for per-customer integrations — even if leaked, the blast radius is limited to one site.
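A local pre-commit check catches a key before it ever reaches a remote, including private repos. The scanner below is an added example, not Zenovay's code; the page documents only the zv_ prefix, so the key-body pattern (20 or more URL-safe characters) and the names `scan_text` and `scan_files` are assumptions.

```python
import re
import sys

# Assumption: only the "zv_" prefix is documented. The body pattern
# (20+ URL-safe characters) is a guess; tighten it to the real key format.
KEY_RE = re.compile(r"\bzv_[A-Za-z0-9_-]{20,}")
# Documentation placeholders that should not block a commit.
ALLOWLIST = {"zv_your_actual_key_here"}

# Constructed sample: one fake key, one docs placeholder, one safe env lookup.
SAMPLE = (
    'ZENOVAY_KEY = "zv_FAKEfakeFAKEfake0123456789"\n'
    'curl -H "Authorization: Bearer zv_your_actual_key_here"\n'
    'token = os.environ["ZENOVAY_API_KEY"]\n'
)

def redact(key):
    """Keep enough of the key to locate it; never print it whole."""
    return key[:7] + "*" * 8

def scan_text(text, path="<stdin>"):
    """Return (path, line_no, redacted_key) for every suspected key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if key not in ALLOWLIST:
                findings.append((path, line_no, redact(key)))
    return findings

def scan_files(paths):
    """Scan each readable file; skip deleted paths and directories."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return findings

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:])
    for path, line_no, key in hits:
        print(f"{path}:{line_no}: possible Zenovay API key {key}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run it from a git pre-commit hook with the staged file list (for example the output of `git diff --cached --name-only`) as arguments; a non-zero exit aborts the commit.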