Authentication
All ezylegal API requests require authentication using API keys. This guide covers how to authenticate requests, manage your API keys, and follow security best practices.
API Keys
API keys are used to authenticate requests to the ezylegal API. Each key is associated with your Partner account and has full access to all API endpoints.
Key Format
API keys are prefixed with ezc_ followed by a random string:
ezc_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Test vs Live Keys
ezylegal provides two types of API keys:
| Key Type | Prefix | Purpose |
|----------|--------|---------|
| Test | ezc_test_ | For development and testing |
| Live | ezc_live_ | For production use |
Test keys work identically to live keys but:
- Sessions created with test keys are marked as test
- No billing is incurred for test sessions
- Webhooks still fire normally
Authenticating Requests
Include your API key in the Authorization header using the Bearer scheme:
curl https://api.ezy-forms.com.au/v1/sessions \
-H "Authorization: Bearer ezc_live_your_api_key_here"
JavaScript Example
const headers = {
'Authorization': `Bearer ${process.env.EZYCOLLECT_API_KEY}`,
'Content-Type': 'application/json',
};
const response = await fetch('https://api.ezy-forms.com.au/v1/sessions', {
method: 'GET',
headers,
});
Python Example
import os
import requests
headers = {
'Authorization': f'Bearer {os.environ["EZYCOLLECT_API_KEY"]}',
'Content-Type': 'application/json',
}
response = requests.get(
'https://api.ezy-forms.com.au/v1/sessions',
headers=headers,
)
Managing API Keys
Creating a New Key
- Log in to your Partner Dashboard
- Navigate to Settings → API Keys
- Click Create New Key
- Give your key a descriptive name (e.g., "Production Server")
- Copy the key immediately - it won't be shown again
Rotating Keys
To rotate your API key:
- Create a new API key
- Update your application to use the new key
- Verify the new key works correctly
- Delete the old key
Tip: Keep both keys active during the transition period to avoid downtime.
Revoking Keys
To revoke an API key:
- Go to Settings → API Keys
- Find the key you want to revoke
- Click the Delete button
- Confirm the deletion
Revoked keys immediately stop working for all requests.
Security Best Practices
Never Expose Keys in Client-Side Code
API keys should only be used in server-side code. Never include them in:
- JavaScript running in the browser
- Mobile app source code
- Public repositories
- Client-side configuration files
Use Environment Variables
Store your API key in environment variables:
# .env file (never commit this!)
EZYCOLLECT_API_KEY=ezc_live_your_key_here
// Access in your code
const apiKey = process.env.EZYCOLLECT_API_KEY;
Use Different Keys for Different Environments
Maintain separate keys for:
- Development: Test key for local development
- Staging: Test key for pre-production testing
- Production: Live key for production use
Monitor Key Usage
Regularly review your API usage in the Partner Dashboard to detect unusual activity:
- Unexpected spikes in requests
- Requests from unknown IP addresses
- High error rates
Rotate Keys Regularly
Rotate your API keys periodically (e.g., every 90 days) as a security best practice.
Error Responses
Missing Authentication
{
"error": {
"code": "unauthorized",
"message": "Missing or invalid Authorization header"
}
}
HTTP Status: 401 Unauthorized
Invalid API Key
{
"error": {
"code": "invalid_api_key",
"message": "The provided API key is invalid or has been revoked"
}
}
HTTP Status: 401 Unauthorized
Insufficient Permissions
{
"error": {
"code": "forbidden",
"message": "This API key does not have permission to access this resource"
}
}
HTTP Status: 403 Forbidden
Next Steps
- Quickstart Guide - Start making API calls
- Sessions API - Create and manage sessions
- Webhooks Security - Verify webhook signatures