TL;DR
- Fuse API (
zap.dzap.io) — no auth. Per-IP rate-limited.
- Trade API (
api.dzap.io) — optional API key. Per-key rate-limited (falls back to per-IP for unauthenticated requests).
Agents can also discover auth requirements through /auth.md, /.well-known/oauth-protected-resource, and /.well-known/oauth-authorization-server.
Getting a Trade API key
API keys are issued by DZap to partners. Reach out via Discord or support@dzap.io with:
- Your project name
- Expected request volume (req/min)
- Endpoints you’ll use most
You’ll receive a key tied to your project. Treat it like a password.
Using a Trade API key
curl -X POST https://api.dzap.io/v1/quotes \
-H "Content-Type: application/json" \
-H "Authorization: Bearer dzap_xxxxxxxxxxxxxxxxxxxxxxxx" \
-d '{ ... }'
import { DZapClient } from '@dzapio/sdk';
const dzap = DZapClient.getInstance('dzap_xxxxxxxxxxxxxxxxxxxxxxxx');
Never put API keys in client-side code. Proxy through your backend. Server-only.
What an API key gives you
- Higher rate limits — defaults plus per-key tiers.
- Per-route configuration — block specific routes, raise limits on others.
- Usage analytics — request counts, latency p50/p95, error rates.
Without a key
You can still call every Trade API endpoint that doesn’t gate on auth — quotes, status, tokens, chains. Per-IP rate limits apply (typically 60 req/min, route-specific). Bursts return 429 Too Many Requests.
Key rotation
Keys can be rotated on request. The old key remains active for 24 hours after a new one is issued, so you have a rollover window.
