Authentication
Learn how to securely authenticate your API requests using API keys.
Overview
The ZeroCarbon API uses API keys for authentication. All API requests must include an API key in the Authorization header using the Bearer authentication scheme.
Getting an API Key
📋 Prerequisites: API access requires either:
- Professional Plan (₹14,999/month) + API Add-on Pack (₹999-₹2,999/month)
- Enterprise Plan (₹39,999/month) with unlimited API keys included
Trial and Starter plans do not include API access. Upgrade your plan to get started.
Once you have an eligible plan:
- Log in to app.zerocarbon.org.in
- Navigate to Settings → Billing → API Keys
- Click "Create New API Key"
- Choose Test (zc_test_) or Live (zc_live_) mode
- Give your key a descriptive name (e.g., "Production API", "Development")
- Copy the generated key immediately (it will only be shown once)
⚠️ Important Security Notice
Your API key is shown only once during creation. Store it securely in a password manager or environment variable. If you lose it, you'll need to generate a new one.
Making Authenticated Requests
Include your API key in every request using the Authorization header:
cURL Example
curl https://api.zerocarbon.org.in/v1/company/dashboard \
  -H "Authorization: Bearer zc_live_abc123xyz789..." \
  -H "Content-Type: application/json"
Node.js / TypeScript
import { ZeroCarbon } from 'zerocarbon-nodejs-sdk';
import * as dotenv from 'dotenv';

dotenv.config();

const client = new ZeroCarbon({
  apiKey: process.env.ZEROCARBON_API_KEY!,
  baseUrl: 'https://api.zerocarbon.org.in/v1'
});

// SDK automatically includes the Authorization header
const dashboard = await client.dashboard.get();
Python
import os
from zerocarbon import ZeroCarbon
from dotenv import load_dotenv

load_dotenv()

client = ZeroCarbon(
    api_key=os.getenv('ZEROCARBON_API_KEY'),
    base_url='https://api.zerocarbon.org.in/v1'
)

# SDK automatically includes the Authorization header
dashboard = client.dashboard.get()
Raw HTTP Request
const response = await fetch('https://api.zerocarbon.org.in/v1/company/dashboard', {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${process.env.ZEROCARBON_API_KEY}`,
    'Content-Type': 'application/json'
  }
});
const data = await response.json();
API Key Types
ZeroCarbon provides different types of API keys for different environments:
Live Keys
Start with zc_live_...
Use these in production. All data is real and persisted. Rate limits and billing apply.
Test Keys
Start with zc_test_...
Use these for development and testing. Data is isolated and can be reset. No billing.
API Add-on Packs (Professional Plan)
If you're on the Professional Plan, you must purchase one of the following API add-on packs:
| Pack | Access Level | Endpoints | Price |
|---|---|---|---|
| Pack 1 | Read-only | GET endpoints only | ₹999/month |
| Pack 2 (Popular) | Read + Write | GET + POST/PUT for activities | ₹1,999/month |
| Pack 3 | Full Access | All endpoints (GET/POST/PUT/DELETE) | ₹2,999/month |
Enterprise Plan: Includes unlimited API keys with full access to all endpoints—no need to purchase add-ons.
Security Best Practices
Use Environment Variables
Never hardcode API keys in your source code. Use environment variables instead:
# .env file (add to .gitignore!)
ZEROCARBON_API_KEY=zc_live_abc123xyz789...
Rotate Keys Regularly
Periodically rotate your API keys for better security. Create a new key and update your application before deleting the old one to avoid downtime.
Use Different Keys per Environment
Use separate API keys for development, staging, and production environments. This allows you to rotate keys without affecting other environments.
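The environment-variable and per-environment practices above can be enforced in code rather than by convention. The following is an added example, not part of the ZeroCarbon documentation or SDK: the function names, the assumed alphanumeric key body of at least 8 characters, and the sample keys are constructed for illustration.

```python
import os
import re

# Assumption: the key body after the documented zc_live_/zc_test_ prefix is
# alphanumeric and at least 8 characters; the page does not specify a format.
KEY_RE = re.compile(r"\bzc_(live|test)_[A-Za-z0-9]{8,}")

def key_mode(key):
    """Return 'live' or 'test' from the documented key prefix."""
    m = KEY_RE.fullmatch(key or "")
    if not m:
        raise ValueError("ZEROCARBON_API_KEY is missing or malformed")
    return m.group(1)

def redact(key):
    """Loggable form of a key: prefix and last four characters only."""
    return f"zc_{key_mode(key)}_****{key[-4:]}"

def load_api_key(expected_mode, env=os.environ):
    """Read the key from the environment and refuse a mode mismatch,
    for example a live key in a development or CI run."""
    key = env.get("ZEROCARBON_API_KEY", "").strip()
    mode = key_mode(key)
    if mode != expected_mode:
        raise RuntimeError(f"expected a {expected_mode} key, got {redact(key)}")
    return key

def find_hardcoded_keys(source_text):
    """Return (line_number, redacted_key) for each key literal found in
    source text, suitable for a pre-commit or CI check."""
    hits = []
    for lineno, line in enumerate(source_text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            hits.append((lineno, redact(m.group(0))))
    return hits

# Constructed sample input; both keys below are made up.
SAMPLE_SOURCE = '''\
import os
client = ZeroCarbon(api_key="zc_live_Q7f2kLm9Xa41")
key = os.getenv("ZEROCARBON_API_KEY")
TEST = "zc_test_0000aaaa1111"
'''

if __name__ == "__main__":
    print(find_hardcoded_keys(SAMPLE_SOURCE))
```

Calling `load_api_key("test")` at the start of a test suite, and `load_api_key("live")` at production startup, makes a swapped key fail fast without the full key ever reaching the logs.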
Restrict Key Permissions
When creating API keys, you can optionally restrict them to specific IP addresses or domains for added security.
Authentication Errors
If authentication fails, you'll receive a 401 Unauthorized response:
{
  "success": false,
  "error": {
    "code": "INVALID_API_KEY",
    "message": "The provided API key is invalid or has been revoked",
    "status": 401
  }
}
Common authentication errors:
- INVALID_API_KEY - API key is malformed or doesn't exist
- API_KEY_REVOKED - API key has been deleted or revoked
- API_KEY_EXPIRED - API key has expired (if set with expiration)
- RATE_LIMIT_EXCEEDED - Too many requests (see Rate Limiting)