API Overview
The Zero API provides programmatic access to manage devices, policies, users, and organizations. This RESTful API uses JSON for requests and responses.
Base URLs:
- Production: https://api.zero.io
- Staging: https://api.staging.zero.io
- Self-hosted: https://api.yourdomain.com

Quick Start
# Get an API token from the dashboard, then:
# Health check
curl https://api.zero.io/api/v1/health
# List devices (authenticated)
curl -H "Authorization: Bearer YOUR_TOKEN" \
  https://api.zero.io/api/v1/devices

API Versioning
The API is versioned via URL path. Current version: v1
https://api.zero.io/api/v1/...

We maintain backward compatibility within major versions. Breaking changes will be released as new major versions (v2, v3, etc.).

Request Format
Required Headers
| Header | Value | Description |
|---|---|---|
| Authorization | Bearer <token> | JWT access token |
| Content-Type | application/json | For POST/PUT/PATCH requests |
| Accept | application/json | Expected response format |
Example Request
POST /api/v1/devices/enroll HTTP/1.1
Host: api.zero.io
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Content-Type: application/json
{
"device_name": "John's Laptop",
"platform": "linux",
"agent_version": "1.0.0"
}

Response Format
Success Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"device_name": "John's Laptop",
"platform": "linux",
"status": "online",
"created_at": "2026-02-12T10:30:00Z"
}

Error Response
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"code": 400,
"message": "invalid request body",
"details": "device_name is required"
}

Paginated Response
{
"data": [...],
"total": 150,
"page": 1,
"page_size": 20,
"total_pages": 8
}

HTTP Status Codes
| Code | Description |
|---|---|
| 200 OK | Request succeeded |
| 201 Created | Resource created successfully |
| 204 No Content | Request succeeded, no content returned |
| 400 Bad Request | Invalid request parameters |
| 401 Unauthorized | Invalid or missing authentication |
| 403 Forbidden | Insufficient permissions |
| 404 Not Found | Resource not found |
| 429 Too Many Requests | Rate limit exceeded |
| 500 Internal Server Error | Server error |
Rate Limiting
API requests are rate limited to protect service availability:
| Tier | Limit |
|---|---|
| Authenticated requests | 1,000 requests/minute |
| Unauthenticated requests | 100 requests/minute |
| Enterprise | 10,000 requests/minute |
Rate limit headers are included in all responses:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 998
X-RateLimit-Reset: 1707734400

API Endpoints
Core Resources
| Resource | Description | Documentation |
|---|---|---|
| Authentication | Login, tokens, SSO | Auth API |
| Devices | Enrollment, management, wipe | Devices API |
| Policies | Create, update, assign policies | Policies API |
| Users | User management | Users Guide |
| Audit Logs | Activity logs | Audit Logs |
Endpoint Quick Reference
# Health
GET /api/v1/health
# Authentication
POST /api/v1/auth/login
POST /api/v1/auth/refresh
POST /api/v1/auth/logout
# Devices
GET /api/v1/devices
POST /api/v1/devices/enroll
GET /api/v1/devices/:id
PUT /api/v1/devices/:id/status
POST /api/v1/devices/:id/wipe
DELETE /api/v1/devices/:id
# Policies
GET /api/v1/policies
POST /api/v1/policies
GET /api/v1/policies/:id
PUT /api/v1/policies/:id
DELETE /api/v1/policies/:id
# GDPR
GET /api/v1/gdpr/export
DELETE /api/v1/gdpr/delete
POST /api/v1/gdpr/restrict
POST /api/v1/gdpr/object

SDKs & Libraries
Official SDKs are available for common languages:
- Go: go get sdk.zero.xaltrax.com/go
- Python: pip install zero
- JavaScript: npm install @zero/sdk

SDK Example (Go)
package main
import (
	"context"
	"fmt"
	"log"
	zero "sdk.zero.xaltrax.com/go"
)

func main() {
	ctx := context.Background() // request context passed to every SDK call
	client := zero.NewClient("YOUR_API_TOKEN")
	// List devices
	devices, err := client.Devices.List(ctx, nil)
	if err != nil {
		log.Fatal(err)
	}
	for _, device := range devices {
		fmt.Printf("%s: %s\n", device.Name, device.Status)
	}
}

Webhooks
Configure webhooks to receive real-time notifications:
POST /api/v1/webhooks
{
"url": "https://your-server.com/webhook",
"events": ["device.enrolled", "device.wiped", "policy.updated"],
"secret": "your-webhook-secret"
}

Webhook Payload
POST https://your-server.com/webhook
X-Zero-Signature: sha256=abc123...
{
"event": "device.enrolled",
"timestamp": "2026-02-12T10:30:00Z",
"data": {
"device_id": "550e8400-e29b-41d4-a716-446655440000",
"device_name": "John's Laptop",
"platform": "linux"
}
}

OpenAPI Specification
Download our complete OpenAPI 3.1 specification for code generation, testing, and documentation:
Next Steps
- Authentication API - Token management
- Devices API - Device operations
- Policies API - Policy management
- Quick Start - Get started quickly
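
Receiver-side check for the webhook payload shown in the Webhooks section, as an added example that is not part of the Zero documentation or SDK. The page does not document how X-Zero-Signature is computed, so this assumes a hex-encoded HMAC-SHA256 of the raw request body keyed with the webhook secret; VerifyWebhook, Sign, mac and maxSkew are hypothetical names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// mac returns HMAC-SHA256(secret, body). Assumed scheme, not documented on the page.
func mac(secret, body []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(body)
	return h.Sum(nil)
}
func Sign(secret, body []byte) string { return "sha256=" + hex.EncodeToString(mac(secret, body)) }

// VerifyWebhook authenticates the raw body, then bounds the event's age (replay check).
func VerifyWebhook(secret, body []byte, sigHeader string, now time.Time, maxSkew time.Duration) error {
	if !strings.HasPrefix(sigHeader, "sha256=") {
		return errors.New("unsupported signature scheme")
	}
	got, err := hex.DecodeString(strings.TrimPrefix(sigHeader, "sha256="))
	if err != nil {
		return errors.New("malformed signature")
	}
	if !hmac.Equal(got, mac(secret, body)) { // constant-time comparison
		return errors.New("signature mismatch")
	}
	var evt struct{ Timestamp time.Time `json:"timestamp"` } // parse only after the MAC checks out
	if err := json.Unmarshal(body, &evt); err != nil {
		return errors.New("invalid payload")
	}
	if d := now.Sub(evt.Timestamp); d > maxSkew || d < -maxSkew {
		return errors.New("event timestamp outside allowed window")
	}
	return nil
}

func main() {
	secret := []byte("your-webhook-secret") // constructed sample values
	body := []byte(`{"event":"device.enrolled","timestamp":"2026-02-12T10:30:00Z","data":{}}`)
	now := time.Date(2026, 2, 12, 10, 31, 0, 0, time.UTC)
	fmt.Println(VerifyWebhook(secret, body, Sign(secret, body), now, 5*time.Minute))
}
```

Verify against the bytes exactly as received, before any JSON re-encoding, and treat a failed check on a device.wiped event as worth alerting on.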