ReferenceUpdated May 28, 2026
API keys
Mozaca API keys identify the environment, organization, product surface, and permission scope allowed for a request.
Keys are issued for sandbox or pilot environments after review. Production keys are issued only after launch controls and partner dependencies are accepted.
- Never ship API keys in browser code, mobile apps, screenshots, public repositories, or support tickets.
- Use separate keys for sandbox, pilot, and production.
- Rotate keys when team access changes or when a key may have been exposed.
Request headers
Authenticated requests use bearer tokens. Write requests should include an idempotency key so retries do not create duplicate operations.
Required headershttp
Authorization: Bearer MOZACA_SANDBOX_KEY
Content-Type: application/json
Idempotency-Key: unique-write-operation-idScopes
Scopes control which products and actions a key can use. Scopes are intentionally narrow during sandbox review.
| Scope | Allows | Typical use |
|---|---|---|
| wallets:read | Read wallet state and balances | Fedha customer and operator dashboards |
| wallets:write | Create wallets and funding routes | Fedha client deployments |
| transfers:write | Create and review transfers | Fedha P2P, merchant, and agent flows |
| treasury:write | Create approvals and payment batches | Hazina treasury pilots |
| corridors:write | Create corridor quotes or payout movement | Zent digital finance flows |
| webhooks:write | Manage subscriptions | Backend event delivery |
Related docs
Getting startedUnderstand Mozaca's representative integration model for Fedha, Zent, Hazina, access review, base URLs, and the path from product walkthrough to sandbox integration.Sandbox and OpenAPIWhat qualified teams receive after sandbox review: approved OpenAPI artifacts, sample data, webhook replay, SDK expectations, and launch-gate evidence.Errors and idempotencyHandle validation errors, rail failures, retries, duplicate prevention, and durable API behavior.