Skip to content

Authentication

Authenticate Mozaca API requests with backend-held access keys, scoped roles, and environment-specific permissions.

ReferenceUpdated May 28, 2026
ReferenceUpdated May 28, 2026

API keys

Mozaca API keys identify the environment, organization, product surface, and permission scope allowed for a request.

Keys are issued for sandbox or pilot environments after review. Production keys are issued only after launch controls and partner dependencies are accepted.

  • Never ship API keys in browser code, mobile apps, screenshots, public repositories, or support tickets.
  • Use separate keys for sandbox, pilot, and production.
  • Rotate keys when team access changes or when a key may have been exposed.

Request headers

Authenticated requests use bearer tokens. Write requests should include an idempotency key so retries do not create duplicate operations.

Required headershttp
Authorization: Bearer MOZACA_SANDBOX_KEY
Content-Type: application/json
Idempotency-Key: unique-write-operation-id

Scopes

Scopes control which products and actions a key can use. Scopes are intentionally narrow during sandbox review.

ScopeAllowsTypical use
wallets:readRead wallet state and balancesFedha customer and operator dashboards
wallets:writeCreate wallets and funding routesFedha client deployments
transfers:writeCreate and review transfersFedha P2P, merchant, and agent flows
treasury:writeCreate approvals and payment batchesHazina treasury pilots
corridors:writeCreate corridor quotes or payout movementZent digital finance flows
webhooks:writeManage subscriptionsBackend event delivery

Related docs