Authentication

API key authentication

Pass your API key in the x-zam-api-key header:

curl https://api.zeroclick.quest/v1/listings \
  -H "x-zam-api-key: zam_your_key_here"

API keys start with zam_ and carry scoped permissions. Create them in the dashboard or via the API.

Public endpoints

These endpoints require no authentication:

Endpoint	Description
`GET /v1/marketplace/listings`	Search published listings
`GET /v1/marketplace/listings/{id}`	Get a published listing
`GET /v1/zam-schema`	Get the service contract JSON Schema

Scoped endpoints

All other endpoints require an API key with the appropriate scope. Requests with missing or insufficient scopes return 403 Forbidden.

Scope	Grants access to
`listing:create`	`POST /v1/listings`, `POST /v1/listings/from-service`
`listing:read`	`GET /v1/listings`, `GET /v1/listings/{id}`
`listing:update`	`PATCH /v1/listings/{id}`
`listing:delete`	`DELETE /v1/listings/{id}`
`order:create`	`POST /v1/orders`
`order:read`	`GET /v1/orders`, `GET /v1/orders/{id}`
`api_key:create`	`POST /v1/api-keys`
`api_key:read`	`GET /v1/api-keys`
`api_key:update`	`PATCH /v1/api-keys/{id}`
`api_key:delete`	`DELETE /v1/api-keys/{id}`

Session authentication

The dashboard uses cookie-based sessions managed by the sign-in flow. Session auth bypasses scope checks — a signed-in user has full access to their own resources.

Error responses

Status	Meaning
`401`	No API key provided, or key is invalid / expired
`403`	Key is valid but lacks the required scope

{
  "error": "Forbidden",
  "message": "API key lacks required scope: order:create"
}

Overview

Marketplace

Listings

Orders

API Keys

API key authentication

Public endpoints

Scoped endpoints

Session authentication

Error responses

Overview

Marketplace

Listings

Orders

API Keys

​API key authentication

​Public endpoints

​Scoped endpoints

​Session authentication

​Error responses

API key authentication

Public endpoints

Scoped endpoints

Session authentication

Error responses