Integrations & Developer
/
4 min read
Developer settings and API access
Create API keys and manage webhooks on the Developer page to build custom integrations with Zalify — and keep your credentials secure.
API keys and webhooks live on the Developer page in your workspace settings. This is where developers create credentials for custom integrations with Zalify.
Note: The Zalify API is evolving. Capabilities described here are intentionally general — for the current API reference, contact support@zalify.com.
What's on the Developer page
The Developer page has two areas:
- API keys — credentials that let your own code call the Zalify API on behalf of your workspace.
- Webhooks — endpoints on your servers that Zalify can notify when certain events happen.
What API keys are for
An API key identifies and authorizes your code when it talks to Zalify programmatically — for example, a custom script or an internal tool that reads or writes workspace data.
If your goal is covered by a built-in feature, prefer that over the API: pre-built integrations are listed in the integrations overview, on-site tracking comes from the Zalify pixel, and email flows are built in automations — no code required.
Creating an API key
- Open the Developer page.
- Create a new API key.
- Copy the key immediately and store it in a secure location such as a secrets manager.
Keeping your keys secure
An API key grants access to your workspace's data, so treat it like a password:
- Keep it secret. Never commit keys to source control, embed them in client-side code (websites or mobile apps), or share them in chat, email, or screenshots.
- Store it server-side. Load keys from environment variables or a secrets manager; only your servers should ever see them.
- Rotate regularly. Create a new key, switch your code over, then delete the old one. Do this on a schedule and immediately whenever a key may have been exposed or a team member with access leaves.
- Delete unused keys. Every active key is a standing credential; remove ones you no longer need.
- Use one key per system. Give each integration its own key so you can rotate or revoke one without breaking the others.
If you believe a key has leaked, delete it on the Developer page right away and issue a replacement.
About webhooks
Webhooks let Zalify call your servers when events occur, instead of your code polling for changes. The set of available webhook events is currently being reworked — several event categories are moving into Reach's native automation and activity features, which cover most notification use cases without custom code.
Before building on webhooks, check whether a built-in feature already does what you need:
- Email events (sends, opens, clicks) are visible in the email activity feed and broadcast reports.
- Contact and behavior-driven follow-ups are handled by automations.
Who can access the Developer page
API keys carry workspace-level access, so managing them is typically limited to higher-permission roles. See Inviting team members and roles.