API Keys & Quickstart

Mint a personal API key from the portal, then call /rpc or /mcp from any external client. Each key is bound to your user account — you can list, revoke, and rotate your keys from your profile at any time.

Get a key in 60 seconds

  1. Sign in at app.zdfz.live and open Profile → Personal API Keys.
  2. Enter a key name (e.g. my-laptop), confirm with your account password, and click Generate API Key.
  3. Copy the plaintext key — it starts with fz_u_ and is shown exactly once.

If you lose the plaintext, revoke the key and generate a fresh one. The platform stores only the SHA-256 hash of the key, so the plaintext can never be recovered from storage.

Call /rpc

The JSON-RPC endpoint accepts either a session JWT (for first-party flows) or your personal API key passed in the X-API-Key header. External scripts should use the key:

curl https://api.zdfz.live/rpc \
  -H "Content-Type: application/json" \
  -H "X-API-Key: fz_u_..." \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "digitalresidentservice.get",
    "params": {}
  }'

When a personal key authenticates, the platform injects your caller_user_id into the request automatically — user-context-sensitive handlers (like contractservice.get_company_contract or invoiceservice.list) behave exactly as they would for your logged-in session.

Call /mcp

Model Context Protocol (MCP) tools accept the same X-API-Key header. Point your MCP client at:

https://api.zdfz.live/mcp

Tool access is gated by the key's MCP scope (read or readwrite) and tier policies on the key row — daily spending limit, rate limits, allowed/blocked tool patterns, and approval threshold. Configure these in the AI Settings card on your profile.

Machine-readable spec

The full JSON-RPC surface is published as an OpenRPC document at a stable URL — use it to generate typed clients or introspect available methods:

https://api.zdfz.live/api/v1/freezone/main/openrpc.json

Lifecycle

  • List — your profile page shows every key you own, its name, scope, and status.
  • Revoke — click Revoke, confirm with your password. The key stops authenticating immediately. Revoke is idempotent: a second click on an already-revoked key is a no-op.
  • Rotate — click Rotate, confirm with your password. The old key is revoked, a new key is minted with the same flags (scope, limits, patterns), and the new plaintext is shown once.

Security

  • Treat API keys like passwords. Never commit them to git. Use environment variables or secret managers.
  • If a key leaks, revoke it immediately from your profile. Then replace the key on every machine that held it.
  • The platform audits every revoke and rotate against your user. You can query your audit log from the portal.
  • Keys expire 365 days after creation. Rotate before expiry to maintain continuity.