Authentication
The zSignals API uses Bearer token authentication to secure endpoints and track usage. All API requests must include a valid API key.
API Key Authentication
Include your API key in the Authorization header of every request:
Authorization: Bearer YOUR_API_KEY
Example Request
curl -X GET "https://api.zsignals.xyz/v1/market/trending" \
-H "Authorization: Bearer sk_live_51H2fGbC4dEfGHiJkLmN8oPqR" \
-H "Accept: application/json"
Security Note: Never expose your API key in client-side code or public repositories. Keep it secure on your backend servers.
Getting Your API Key
- Subscribe: Get API access at zsignals.xyz/api_subscriptions/new
- Choose Plan: Select monthly ($299) or annual ($1,999 - save 44%)
- Complete Payment: Pay via Stripe (card) or Coinbase Commerce (crypto)
- Sign In: Check your email for authentication link
- Account Dashboard: Visit zsignals.xyz/account
- Generate Key: Click "Generate New API Key" in the API Access section
- Save Securely: Copy your key - you can create multiple keys for different environments
API Key Format
API keys are 64-character hexadecimal strings:
Example: a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456
Authentication Errors
The API returns specific error codes for authentication issues:
| Error Code | HTTP Status | Description |
|---|---|---|
MISSING_API_KEY |
401 | No API key provided in request |
INVALID_API_KEY |
401 | API key is invalid or malformed |
EXPIRED_API_KEY |
401 | API key has expired |
SUSPENDED_API_KEY |
403 | API key has been suspended |
RATE_LIMIT_EXCEEDED |
429 | Too many requests for this API key |
Example Error Response
{
"error": {
"code": "INVALID_API_KEY",
"message": "The API key provided is invalid",
"details": {
"provided_key": "sk_live_invalid123",
"help": "Please check your API key and try again"
}
}
}
Rate Limiting
API subscriptions include generous rate limits for production applications:
| Monthly Limit | Hourly Burst | Price |
|---|---|---|
| 500,000 requests/month | 5,000 requests/hour | $299/month or $1,999/year |
Note: Rate limits are enforced per user account, shared across all your API keys. Subscribe now →
Rate Limit Headers
Every API response includes rate limit information in the headers:
HTTP/2 200 OK
X-RateLimit-Limit-Month: 500000
X-RateLimit-Remaining-Month: 487234
X-RateLimit-Limit-Hour: 5000
X-RateLimit-Remaining-Hour: 4821
X-RateLimit-Reset-Month: 1730419200
X-RateLimit-Reset-Hour: 1729180800
| Header | Description |
|---|---|
X-RateLimit-Limit-Month |
Monthly request limit (500,000) |
X-RateLimit-Remaining-Month |
Requests remaining this month |
X-RateLimit-Limit-Hour |
Hourly burst limit (5,000) |
X-RateLimit-Remaining-Hour |
Requests remaining this hour |
X-RateLimit-Reset-Month |
Unix timestamp when monthly limit resets |
X-RateLimit-Reset-Hour |
Unix timestamp when hourly limit resets |
Security Best Practices
✓ DO
- Store API keys in environment variables
- Use different keys for development and production
- Rotate keys regularly
- Implement request caching to reduce API calls
- Handle rate limit errors gracefully
✗ DON'T
- Hardcode API keys in your source code
- Commit keys to version control
- Share keys between applications
- Include keys in client-side JavaScript
- Log API keys in error messages
Using Environment Variables
Store your API key securely using environment variables:
# .env file
ZSIGNALS_API_KEY=sk_live_51H2fGbC4dEfGHiJkLmN8oPqR
# Load in bash
export ZSIGNALS_API_KEY="sk_live_51H2fGbC4dEfGHiJkLmN8oPqR"
# Use in curl
curl -H "Authorization: Bearer $ZSIGNALS_API_KEY" \
https://api.zsignals.xyz/v1/market/trending
// Install: npm install dotenv
require('dotenv').config();
const API_KEY = process.env.ZSIGNALS_API_KEY;
const response = await fetch('https://api.zsignals.xyz/v1/market/trending', {
headers: {
'Authorization': `Bearer ${API_KEY}`
}
});
# Install: pip install python-dotenv
from dotenv import load_dotenv
import os
import requests
load_dotenv()
API_KEY = os.getenv('ZSIGNALS_API_KEY')
response = requests.get(
'https://api.zsignals.xyz/v1/market/trending',
headers={'Authorization': f'Bearer {API_KEY}'}
)
# Add to Gemfile: gem 'dotenv'
require 'dotenv/load'
require 'net/http'
api_key = ENV['ZSIGNALS_API_KEY']
uri = URI('https://api.zsignals.xyz/v1/market/trending')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Get.new(uri)
request['Authorization'] = "Bearer #{api_key}"
response = http.request(request)
API Key Management
Manage all your API keys from your account dashboard at zsignals.xyz/account
Account Dashboard Features
Your account page provides comprehensive API key management:
Subscription Overview
- Status: View your subscription status (Active/Inactive)
- Plan Details: See your current plan (Monthly or Annual)
- Rate Limits: 500K requests/month • 5K requests/hour
- Expiration Date: Track when your subscription renews
- Manage Subscription: Update payment method, change plans, or cancel (Stripe customers only)
API Keys Table
View and manage all your API keys in one place:
- Name: Custom names to identify each key (e.g., "Production", "Staging")
- Token: Masked API key with copy-to-clipboard functionality
- Created: When the key was generated
- Last Used: Timestamp of most recent API call
- Requests: Total request count per key (for monitoring)
- Actions: Revoke compromised or unused keys
Creating Multiple API Keys
Generate separate keys for different environments or applications:
- Visit your account at zsignals.xyz/account
- Scroll to the "API Access" section
- Click "Generate New API Key"
- The system automatically names it with current timestamp
- Copy your new key immediately (shown in full only once)
Tip: Create separate keys for production, staging, and development. This makes it easy to rotate or revoke keys without affecting all environments.
Revoking Keys
Immediately deactivate compromised or unused API keys:
- Navigate to your API keys table at zsignals.xyz/account
- Locate the key you want to revoke
- Click the red "Revoke" button in the Actions column
- Confirm the revocation (this cannot be undone)
- The key is immediately deactivated and will return 401 errors
Important: All your API keys share the same rate limits (500K/month, 5K/hour). Rate limiting is per user account, not per key.
This means if you have 3 active keys and they collectively make 500,000 requests in a month, you'll hit the monthly limit regardless of which key made the requests.