Documentation Index
Fetch the complete documentation index at: https://docs.getzenstep.com/llms.txt
Use this file to discover all available pages before exploring further.
Two authentication schemes
The Zenstep API uses two different authentication mechanisms depending on who is making the request:| Scheme | Used by | Routes |
|---|---|---|
| Snippet key | Your snippet, Chrome Extension, backend event ingestion | /api/v1/flows, /api/v1/events, /api/v1/heartbeat, and most public routes |
| Session token | Dashboard (browser session) | /api/v1/flows/[id]/analytics, /api/v1/flows/[id]/analytics/export.csv |
Snippet key authentication
Your snippet key is a 32-character alphanumeric string visible on the Install page of the dashboard.Bearer token (recommended)
Query parameter
For contexts where you cannot set request headers (such asnavigator.sendBeacon):
The query parameter form exists specifically because
sendBeacon cannot send
custom headers. Use the Authorization header in all other cases.Finding your snippet key
- Log into the Zenstep dashboard.
- Go to Install in the left sidebar.
- Your snippet key is shown in the install code snippet.
Session token authentication (dashboard API)
Analytics and export endpoints require a valid Supabase session token. These endpoints are called by the Zenstep dashboard itself — you do not need to use them from your own code. If you’re building a custom integration that reads analytics data, authenticate via the Supabase auth flow and pass the JWT as a Bearer token:Rate limits
See the rate limits page for limits per endpoint and how to handle429 responses.
Errors
All authentication errors return a401 Unauthorized response:
- Missing
Authorizationheader and no?key=query param - Typo in snippet key
- Using a snippet key from a different organisation
- Session token expired (for session-authenticated routes)