Zelt's Public API lets you connect your workspace to other tools and programmatically work with your data. To use the API, you create an app in Zelt, assign it the correct permissions, and generate an access token. Every API request must include this token in the Authorization header.
Credential types
| Credential | Description | Usage |
|---|---|---|
| Client ID | Public identifier for your app | OAuth flow only, not in API calls |
| Client secret | Private key for your app | OAuth flow only, never in API calls |
| Authorization code | Short-lived one-time code (expires in 3 minutes) | Exchanged once for an access token |
| Access token | The token you use to authenticate API calls | Authorization: Bearer header on every request |
| Refresh token | Long-lived token to get new access tokens | Token refresh endpoint only |
You cannot make API calls until you have completed step 3 and obtained an access token. Client ID and Client secret are not substitutes for an access token.
Prerequisites
- A Zelt account with admin access
- Permission to create and manage apps
- Basic familiarity with HTTP requests and JSON
What you’ll do next
Complete these steps in order; each step depends on the previous one:
- Create an app and get your Client ID and Client secret
- Choose the permissions (scopes) your app needs
- Generate an authorization code and exchange it for an access token and refresh token
- Use the access token to authenticate your API calls
- Use the refresh token to get new access tokens without repeating the full flow
You must complete steps 1-3 before making any API calls.
After that, you can move on to the individual endpoint pages to read and update data from your Zelt account.
Quick test: verify your token works
Once you have your access token, run this before building anything else:
curl -X GET "https://go.zelt.app/apiv2/users/me" \
-H "Authorization: Bearer <your_access_token>"
200 OK- your token is valid and working401 Unauthorized- token is missing, malformed, or expired (see Common Errors)
Common errors
| HTTP status | Likely cause | Fix |
|---|---|---|
401 Unauthorized | Token missing, expired, or malformed | Check the Authorization: Bearer <token> header format; re-generate token if expired |
403 Forbidden | Token is valid but lacks the required scope | Add the needed scope to your app and regenerate the token |
200 OK with empty results | Token is valid, but no scopes are assigned | Go to the Permissions page and assign scopes before generating the token |
400 Bad Request | Malformed request body | Check JSON formatting and required fields for that endpoint |