Skip to main content
Every request to /v1 authenticates with an API key Jenzy issues at onboarding, sent as a bearer token:
curl https://api.jenzy.com/v1/ping \
  -H "Authorization: Bearer jz_live_AbC123XyZ..."

Keys

  • Keys are opaque: jz_live_ followed by a long random body. Only the first 16 characters (the prefix, e.g. jz_live_AbC123Xy) ever appear again — in your portal, in audit trails, in support conversations. Refer to keys by prefix when talking to Jenzy.
  • The full key is shown exactly once, at issuance. It cannot be recovered — store it in your secrets manager immediately. A lost key means rotating to a new one.
  • jz_test_ keys exist in the format but are not issued during the pilot — every key is live. See Testing your integration.
Treat your key like money: it can spend your balance. Never put it in client-side code, logs, or URLs. If you suspect a leak, contact Jenzy immediately to revoke it — revocation is instant.

Rotation

Rotation is overlap, not an event: your org can hold several active keys. Ask Jenzy to issue a new key, switch your systems over, then have the old one revoked. At no point are you keyless, so there is no downtime window to schedule.

IP allowlisting (optional)

An org admin can restrict your key to an exact list of IPs in the Jenzy portal (Integration settings). With a non-empty allowlist, requests from any other address get 403 forbidden — the key alone is no longer enough. Entries are exact IPv4/IPv6 addresses (no CIDR ranges). The allowlist is managed by portal session only, never by API key: a leaked key cannot widen its own allowlist.

Rate limits

Requests are rate-limited per org. Over the limit you get:
{ "error": { "code": "rate_limited", "message": "rate limit exceeded" } }
with HTTP 429 and a Retry-After header (seconds). Honor it and back off — polling GET /balance and GET /payouts/{id} at a modest cadence stays comfortably under the limit. Note org_limit_exceeded is different: that’s a payout-creation velocity/daily cap, not a request rate — see Errors.