> ## Documentation Index
> Fetch the complete documentation index at: https://docs.credzu.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Credzu API

## API Key Authentication

All API requests require authentication using a Partner API Key. Credzu uses a simple, secure key-based authentication that's consistent with systems like Shape, TotalExpert, and Velocify.

### Header Format

Include your API key in the `Authorization` header:

```
Authorization: Credzu-Key {YOUR_API_KEY}
```

### Example Request

```bash theme={null}
curl -X POST https://credzu.com/wp-json/credzu/v1/create-lead \
  -H "Authorization: Credzu-Key pk_live_abc123xyz789" \
  -H "Content-Type: application/json" \
  -d '{
    "first_name": "John",
    "last_name": "Smith",
    "email": "john.smith@example.com",
    "phone": "555-123-4567"
  }'
```

### Getting Your API Key

Each referral partner receives:

* **Production API key** - For live transactions
* **Sandbox API key** (optional) - For testing

Contact Credzu to obtain your API credentials. Keys can be rotated at any time by Credzu staff.

<Warning>
  Keep your API keys secure. Never share them in public repositories, client-side code, or unsecured channels.
</Warning>

## Environments

| Environment    | Base URL                                       | Purpose                                                  |
| -------------- | ---------------------------------------------- | -------------------------------------------------------- |
| **Production** | `https://credzu.com/wp-json/credzu/v1`         | Live data, real credit scans, actual escrow transactions |
| **Sandbox**    | `https://sandbox.credzu.com/wp-json/credzu/v1` | Test data, simulated events, mock score updates          |

<Info>
  Always use the sandbox environment for initial integration testing before going live.
</Info>

## Security Requirements

### Transport Security

* **HTTPS required** - All API requests must use HTTPS
* **TLS 1.2+** - Minimum TLS version supported

### Data Protection

Partners must protect:

* API keys
* Returned lead IDs
* Any score or milestone data received via webhooks

<Note>
  No full credit reports are exchanged via API. All sensitive credit data remains inside Credzu's secure environment.
</Note>

## Authentication Errors

If the API key is invalid or missing, requests will fail with an `AUTH_FAILED` error:

```json theme={null}
{
  "success": false,
  "error": {
    "code": "AUTH_FAILED",
    "message": "Invalid API key"
  }
}
```

Common causes:

* Missing `Authorization` header
* Incorrect key format (must use `Credzu-Key` prefix)
* Expired or revoked API key
* Using production key on sandbox or vice versa
