Public API Reference (2025-07-30)

The Zephr Public API provides common client-side actions tied to a session cookie. Unlike the Admin API, it cannot dereference users or other resources; the only data that can be accessed is data owned by the user who is currently signed in. This design protects other users from malicious attacks.

You can find the base URL for the Public API by navigating to your site domains. To do this, select Sites from the Delivery menu, select your site, and then click the Site Domains button. The base URL is the Live domain.

Zephr forms use the Public API by default, with relative URLs based on the base URL.

Servers
Mock server: https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api
https://{your-domain}

Authentication

Braintree Payments

Browser Feature Transformations

Decision Engine

Dynamic Offer Decision Engine

Dynamic Offer Promo Code Decision

OAuth Flow

Payments

Product Sharing

SDK Feature Decision Engine

Sessions

Stripe Payments

Third-Party Authentication

This section contains the API operations for the OAuth 2.0 Authorization Code Flow.

Operations

Start an authorization code flow

Request

Starts the OAuth2 Authorization Code Flow. The resource owner is authenticated and then presented with the third-party application's access request.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Query
client_id (string, required)

Zephr Site OAuth2 Client ID.

response_type (string, required)

Must be set to code.

redirect_uri (string, required)

Client's redirection endpoint. Must be an absolute URI.

scope (string, required)

The scope of the access request.

state (string, required)

An opaque value used by the client to maintain state between the request and callback.

curl -i -X GET \
  'https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/oauth2?client_id=string&response_type=string&redirect_uri=string&scope=string&state=string' \
  -b blaize_session=YOUR_API_KEY_HERE

Responses

Found

Headers
Location (string)

Returns a list of your user's access scopes

Request

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Path
clientId (string, required)

The Zephr site's OAuth2 client ID.

curl -i -X GET \
  'https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/oauth2/consent/{clientId}' \
  -b blaize_session=YOUR_API_KEY_HERE

Responses

OK

Body: application/json
consent (Array of strings)

Response (application/json)
{ "consent": [ "user.account:read", "user.account:write" ] }

Grant the access request

Request

The resource owner consents to or denies the third-party application's access request, and Zephr returns an authorization code upon the user's consent.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Body: application/json
client_id (string, required)

Zephr Site OAuth2 Client ID

Example: "1234567890"

response_type (string, required)

Must be set to code

Example: "code"

redirect_uri (string, required)

Client's redirection endpoint. Must be an absolute URI

Example: "https://someUrl.com/callback"

scope (string, required)

The scope of the access request. Supported scopes: user.account:read, user.profile:read and user.profile:update

Example: "user.account:read user.profile:read"

state (string, required)

An opaque value used by the client to maintain state between the request and callback

Example: "abcdefghijklmnopqrstuvwsyz"

allow (boolean, required)

Resource owner consent

Example: true

curl -i -X POST \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/oauth2/grant \
  -H 'Content-Type: application/json' \
  -b blaize_session=YOUR_API_KEY_HERE \
  -d '{
    "client_id": "1234567890",
    "response_type": "code",
    "redirect_uri": "https://someUrl.com/callback",
    "scope": "user.account:read user.profile:read",
    "state": "abcdefghijklmnopqrstuvwsyz",
    "allow": true
  }'

Responses

OK. The template variable "BASICAUTH" is set as the authorization header of "$CLIENTID" and "$CLIENTSECRET". The template variable "AUTHCODE" is set to the response body "code" field.

Headers
Location (string)
Body: */*
state (string)

State (string)

code (string)

Authorization code (string)
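
The state round trip that the start and grant operations above rely on, written from the client application's side as an added example (not Zephr's or this page's own code). It assumes the callback delivers code and state as query parameters on redirect_uri, as in RFC 6749; the https-only rule for redirect_uri, the host example.test and the function names are assumptions made here.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Scopes this page lists as supported by the grant operation.
SUPPORTED_SCOPES = {"user.account:read", "user.profile:read", "user.profile:update"}


def build_authorization_url(base_url, client_id, redirect_uri, scopes):
    """Return (url, state) for GET /zephr/oauth2 with a fresh, unguessable state."""
    target = urlsplit(redirect_uri)
    # The page only requires an absolute URI; insisting on https is an added assumption.
    if target.scheme != "https" or not target.netloc:
        raise ValueError("redirect_uri must be an absolute https URI")
    unknown = set(scopes) - SUPPORTED_SCOPES
    if not scopes or unknown:
        raise ValueError(f"unsupported or empty scope: {sorted(unknown)}")
    state = secrets.token_urlsafe(32)  # 256 random bits; keep it in the user's session
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",  # the only value the endpoint accepts
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{base_url.rstrip('/')}/zephr/oauth2?{query}", state


def extract_code(callback_url, expected_state):
    """Return the authorization code only if the callback echoes our state."""
    params = parse_qs(urlsplit(callback_url).query)
    states, codes = params.get("state", []), params.get("code", [])
    # Exactly one of each: duplicated or missing parameters are rejected.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one state and one code")
    # Constant-time comparison against the value stored for this session.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values; example.test stands in for https://{your-domain}.
    url, state = build_authorization_url(
        "https://example.test", "1234567890",
        "https://someUrl.com/callback", ["user.account:read", "user.profile:read"])
    print(url)
    print(extract_code(f"https://someUrl.com/callback?code=abc123&state={state}", state))
```

The state returned by build_authorization_url has to be stored server-side or in the user's session and discarded after one successful extract_code call, so a replayed callback fails the comparison.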

Retrieves the configured OAuth2 fields

Request

Gets the public OAuth2 fields configured in the Third-Party Authentication section of the site.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
curl -i -X GET \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/oauth2/config \
  -b blaize_session=YOUR_API_KEY_HERE

Responses

Public OAuth2 fields returned

Body: */*
login_text (string)
identifier_placeholder (string)
logo_id (string)
consent_text (string)
background (string)

Get the OAuth2 error page

Request

Gets the OAuth2 error page.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
curl -i -X GET \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/oauth2/error \
  -b blaize_session=YOUR_API_KEY_HERE

Responses

OK

Body: text/html

User

V4 Gifts

Create a Gift resource for V4. Gifts can be used to provide access to a particular URL for one session only by appending a gift token ID to the URL as the gift path parameter.

Web Analytics

Zephr Features

Component Library

Change the Stripe subscription price

Request

Generates a new preview of the price that Stripe will charge the customer if they create a new subscription for the specified plan. Note: This method does not create any entities in Stripe and does not result in any payments being made.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Path
externalId (string, required)
Body: application/json
plan_id (string)

curl -i -X POST \
  'https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/payment/stripe/subscriptions/{externalId}/change-previews' \
  -H 'Content-Type: application/json' \
  -b blaize_session=YOUR_API_KEY_HERE \
  -d '{
    "plan_id": "string"
  }'

Responses

OK

Body: application/json
total (number)

The total amount the user will be initially charged for the subscription in the relevant currency's lowest denomination (e.g. pence), i.e. for a monthly subscription, the first month's cost.

Example: 5000

sub_total (number)

The total amount minus tax for the initial charge in the relevant currency's lowest denomination (e.g. pence).

Example: 4500

Response (application/json)
{ "total": 5000, "sub_total": 4500 }

Oauth2 Access Token

Subscription