API Keys & Quickstart
Mint a personal API key from the portal, then call /rpc or /mcp from any external
client. Each key is bound to your user account — you can list, revoke, and rotate from your profile at
any time.
Get a key in 60 seconds
- Sign in at app.zdfz.live and open Profile → Personal API Keys.
- Enter a key name (e.g. my-laptop), confirm with your account password, click Generate API Key.
- Copy the plaintext key — it starts with fz_u_ and is shown exactly once.
If you lose the plaintext, revoke the key and generate a fresh one. The platform stores only the SHA-256 hash of the key, so the plaintext can never be recovered from storage.
Call /rpc
The JSON-RPC endpoint accepts either a session JWT (for first-party flows) or your personal API key passed in
the X-API-Key header. External scripts should use the key:
curl https://api.zdfz.live/rpc \
-H "Content-Type: application/json" \
-H "X-API-Key: fz_u_..." \
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "digitalresidentservice.get",
"params": {}
}'
When a personal key authenticates, the platform injects your caller_user_id into the request
automatically — user-context-sensitive handlers (like contractservice.get_company_contract or
invoiceservice.list) behave exactly as they would for your logged-in session.
Call /mcp
Model Context Protocol (MCP) tools accept the same X-API-Key header. Point your MCP client at:
https://api.zdfz.live/mcp
Tool access is gated by the key's MCP scope (read or readwrite) and tier
policies on the key row — daily spending limit, rate limits, allowed/blocked tool patterns, and approval threshold.
Configure these in the AI Settings card on your profile.
Machine-readable spec
The full JSON-RPC surface is published as an OpenRPC document at a stable URL — use it to generate typed clients or introspect available methods:
https://api.zdfz.live/api/v1/freezone/main/openrpc.json
Lifecycle
- List — your profile page shows every key you own, its name, scope, and status.
- Revoke — click Revoke, confirm with your password. The key stops authenticating immediately. Revoke is idempotent: a second click on an already-revoked key is a no-op.
- Rotate — click Rotate, confirm with your password. The old key is revoked, a new key is minted with the same flags (scope, limits, patterns), and the new plaintext is shown once.
Security
- Treat API keys like passwords. Never commit them to git. Use environment variables or secret managers.
- If a key leaks, revoke it immediately from your profile. Then rotate every machine that held it.
- The platform audits every revoke and rotate against your user. You can query your audit log from the portal.
- Keys expire 365 days after creation. Rotate before expiry to maintain continuity.
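Added example (not part of the platform's own documentation or SDK): the /rpc call from the "Call /rpc" section as a Python client that follows the Security advice by reading the key from an environment variable instead of embedding it in the script. The variable name ZDFZ_API_KEY and all function names are assumptions made for this example.

```python
import json
import os
import urllib.request

RPC_URL = "https://api.zdfz.live/rpc"  # endpoint from this page
KEY_ENV = "ZDFZ_API_KEY"               # assumed variable name, not defined by the platform
KEY_PREFIX = "fz_u_"                   # personal-key prefix from this page


class RpcError(Exception):
    """Raised when the JSON-RPC response carries an error object."""


def load_key(env=os.environ):
    """Read the key from the environment so it never sits in source or git history."""
    key = env.get(KEY_ENV, "").strip()
    if not key.startswith(KEY_PREFIX):
        # The message deliberately omits the value so a mistyped key is not logged.
        raise ValueError(f"{KEY_ENV} is unset or is not a personal API key")
    return key


def build_request(key, method, params=None, req_id=1):
    """Build the POST for /rpc without sending it."""
    body = {"jsonrpc": "2.0", "id": req_id, "method": method, "params": params or {}}
    return urllib.request.Request(
        RPC_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-API-Key": key},
        method="POST",
    )


def parse_response(raw):
    """Return the JSON-RPC result member, or raise if the server sent an error object."""
    msg = json.loads(raw)
    if "error" in msg:
        err = msg["error"]
        raise RpcError(f"{err.get('code')}: {err.get('message')}")
    return msg["result"]


def call(method, params=None):
    """Send one authenticated JSON-RPC call and return its result."""
    req = build_request(load_key(), method, params)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    print(call("digitalresidentservice.get"))
```

Set ZDFZ_API_KEY in the shell session or inject it from a secret manager before running the script.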