Skip to content
/Authentication

Public API Reference (2025-07-30)

The Zephr Public API provides common client-side actions tied to a session cookie. Unlike the Admin API, neither users nor other resources can be dereferenced; the only data that can be accessed is owned by the user who is currently signed-in. This design is used to protect other users from malicious attacks.

You can find the base URL for the Public API by navigating to your site domains. To do this, select Sites from the Delivery menu, select your site, and then click the Site Domains button. The base URL is the Live domain.

Zephr forms use the Public API by default, with relative URLs based on the base URL.

Download OpenAPI description
index.json
index.yaml
Languages
Servers
Mock server
https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api
https://{your-domain}

Authentication

Operations

Log in to the user account

Request

This endpoint is utilized for user authentication, granting access to secured endpoints that mandate authentication. Following successful authentication, a blaize_session is generated for the user, enabling them to access the secure endpoints.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Headers
cookiestring

The session cookie is employed to ascertain whether a user is already authenticated or has an active session.

Example: blaize_session=... (optional)
Bodyapplication/json
identifiersobjectrequired
Example: {"email_address":"abc@company.com"}
identifiers.​email_addressstring
Example: "abc@company.com"
validatorsobjectrequired
Example: {"password":"securepassword@123"}
validators.​passwordstring
Example: "securepassword@123"
validators.​use_ssoboolean

When this is present there should be no identifiers in the body. The user is identified through a blaize_session cookie.

curl -i -X POST \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/blaize/login \
  -H 'Content-Type: application/json' \
  -H 'cookie: blaize_session=... (optional)' \
  -b 'blaize_session=... (optional)' \
  -d '{
    "identifiers": {
      "email_address": "abc@company.com"
    },
    "validators": {
      "password": "securepassword@123"
    }
  }'

Responses

OK. The user has logged in successfully.

Headers
Set-Cookiestring

The authenticated user session.

Example: "blaize_session=443ed68f-0b44-4f32-8443-553d584cb0dd; Expires=Fri, 16 Nov 2024 12:35:56 GMT; Path=/;"
Set-Cookiestring

The user tracking ID.

Example: "blaize_tracking_id=b117093c-e1f7-4ee0-8dda-6b5205f7fbee; Expires=Fri, 16 Nov 2024 12:35:56 GMT; Path=/;"
Set-Cookiestring

The anonymous user session before authentication.

Example: "blaize_prev_anon_session=b117093c-e1f7-4ee0-8dda-6b5205f7fbee; Expires=Fri, 16 Nov 2024 12:35:56 GMT; Path=/;"
Bodyapplication/json
cookiestring

The authenticated user session.

Example: "blaize_session=443ed68f-0b44-4f32-8443-553d584cb0dd; Expires=Fri, 16 Nov 2018 12:35:56 GMT; Path=/;"
messagestring
Example: "Login successful"
tracking_idstring

The user tracking ID.

Example: "4fac49a6-e423-4ac1-b0ad-d678979344422"
Response
application/json
{
  "cookie": "blaize_session=443ed68f-0b44-4f32-8443-553d584cb0dd; Expires=Fri, 16 Nov 2018 12:35:56 GMT; Path=/;",
  "message": "Login successful",
  "tracking_id": "4fac49a6-e423-4ac1-b0ad-d678979344422"
}

Log out of the user account

Request

Logs out of the user account.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Headers
cookiestring

The session cookie.

Example: `blaize_session=...` (string)
Bodyapplication/json
wherestring

An enum of describing which sessions/devices to log out of.

Options are JUST_HERE, THIS_DEVICE, OTHER_DEVICES, EVERYWHERE. These options are only valid when Single Sign-On is configured. When SSO is configured as autoLogin, then the default behaviour is THIS_DEVICE. When SSO is configured as optIn, then the default behaviour is JUST_HERE. JUST_HERE is not a valid option when SSO is configured as autoLogin.

Example: "EVERYWHERE"
curl -i -X POST \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/blaize/logout \
  -H 'Content-Type: application/json' \
  -H 'cookie: `blaize_session=...` (string)' \
  -b '`blaize_session=...` (string)' \
  -d '{
    "where": "EVERYWHERE"
  }'

Responses

OK

Headers
Set-Cookiestring
Bodyapplication/json
messagestring
Example: "Session deleted"
Response
application/json
{
  "message": "Session deleted"
}

Retrieve the SSO status

Request

Retrieves the SSO status and metadata of the current user.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
curl -i -X GET \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/public/sso/v1/status \
  -b blaize_session=YOUR_API_KEY_HERE

Responses

SSO status was retrieved successfully.

Bodyapplication/json
statusstringrequired

The SSO status of the current user session. This can be:

  • unknown: The SSO token is not authenticated anywhere, or the current session is not associated with an SSO token.

  • known: The current session is anonymous, but the SSO token is authenticated on another site.

  • authenticated: The current session is authenticated through an SSO token.

Example: "authenticated"
metacustomer-meta (object) or (string or null)
One of:
object(customer-meta)
Response
application/json
{
  "status": "authenticated",
  "meta": {}
}

Braintree Payments

Operations

Browser Feature Transformations

Operations

Decision Engine

Operations

Dynamic Offer Decision Engine

Operations

Dynamic Offer Promo Code Decision

Operations

OAuth Flow

Operations

Payments

Operations

Product Sharing

Operations

SDK Feature Decision Engine

Operations

Sessions

Operations

Stripe Payments

Operations

Third-Party Authentication

This section contains the API operations for the OAuth 2.0 Authorization Code Flow.

Operations

User

Operations

V4 Gifts

Create a Gift resource for V4. Gifts can be used to provide access to a particular URL for one session only by appending a gift token ID to the URL as the gift path parameter.

Operations

Web Analytics

Operations

Zephr Features

Operations

Component Library

Operations

Change the Stripe subscription price

Request

Generates a new preview of the price that Stripe will charge the customer if they create a new subscription for the specified plan. Note: This method does not create any entities in Stripe and does not result in any payments being made.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Path
externalIdstringrequired
Bodyapplication/json
plan_idstring
curl -i -X POST \
  'https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/payment/stripe/subscriptions/{externalId}/change-previews' \
  -H 'Content-Type: application/json' \
  -b blaize_session=YOUR_API_KEY_HERE \
  -d '{
    "plan_id": "string"
  }'

Responses

OK

Bodyapplication/json
totalnumber

The total amount the user will be initially charged for the subscription in the relevant currency's lowest denomination (e.g. pence), i.e. for a monthly subscription, the first month's cost.

Example: 5000
sub_totalnumber

The total amount minus tax for the initial charge in the relevant currency's lowest denomination (e.g. pence).

Example: 4500
Response
application/json
{
  "total": 5000,
  "sub_total": 4500
}

Oauth2 Access Token

Operations

Subscription

Operations