Skip to content
/User

Public API Reference (2025-07-30)

The Zephr Public API provides common client-side actions tied to a session cookie. Unlike the Admin API, neither users nor other resources can be dereferenced; the only data that can be accessed is owned by the user who is currently signed-in. This design is used to protect other users from malicious attacks.

You can find the base URL for the Public API by navigating to your site domains. To do this, select Sites from the Delivery menu, select your site, and then click the Site Domains button. The base URL is the Live domain.

Zephr forms use the Public API by default, with relative URLs based on the base URL.

Download OpenAPI description
index.json
index.yaml
Languages
Servers
Mock server
https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api
https://{your-domain}

Authentication

Operations

Braintree Payments

Operations

Browser Feature Transformations

Operations

Decision Engine

Operations

Dynamic Offer Decision Engine

Operations

Dynamic Offer Promo Code Decision

Operations

OAuth Flow

Operations

Payments

Operations

Product Sharing

Operations

SDK Feature Decision Engine

Operations

Sessions

Operations

Stripe Payments

Operations

Third-Party Authentication

This section contains the API operations for the OAuth 2.0 Authorization Code Flow.

Operations

User

Operations

Register a user

Request

This endpoint enables clients to initiate the creation of a new user account. If a contact with an identical email address already exists, that contact will be elevated to the status of a registered user. Essential attributes like identifiers.email_address and validators.password are mandatory for this endpoint. If any of these attributes are absent, registration attempts will trigger an error. Upon a successful request, session cookies like blaize_session and blaize_tracking_id are generated and included in the response header.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Bodyapplication/json
identifiersobject(identifiers)required
identifiers.​email_addressstring
Example: "joe.blow@company.com"
validatorsobject(validators)required
validators.​passwordstring
Example: "mysecurepassword123"
validators.​use_ssoboolean

When this is present there should be no identifiers in the body. The user is identified through a blaize_session cookie.

attributesobject(attributes)
curl -i -X POST \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/blaize/register \
  -H 'Content-Type: application/json' \
  -b blaize_session=YOUR_API_KEY_HERE \
  -d '{
    "identifiers": {
      "email_address": "joe.blow@company.com"
    },
    "validators": {
      "password": "mysecurepassword123",
      "use_sso": true
    },
    "attributes": {
      "property1": "string",
      "property2": "string"
    }
  }'

Responses

OK. The user was registered successfully.

Headers
Set-Cookiestring

The authenticated user session.

Example: "blaize_session=443ed68f-0b44-4f32-8443-553d584cb0dd; Expires=Fri, 16 Nov 2018 12:35:56 GMT; Path=/;"
Set-Cookiestring

The user tracking ID.

Example: "blaize_tracking_id=b117093c-e1f7-4ee0-8dda-6b5205f7fbee; Expires=Fri, 16 Nov 2018 12:35:56 GMT; Path=/;"
Bodyapplication/json
cookiestring
messagestring
tracking_idstring
Response
application/json
{
  "cookie": "string",
  "message": "string",
  "tracking_id": "string"
}

Create or Update a Contact User

Request

This endpoint creates a new contact user or updates the attributes of an existing contact user if one exists with the supplied email address. To use this endpoint, 'contact users' must be enabled in the identity settings page in the console. A contact user is a type of user that has no validators and so no ability to create authenticated sessions. Contact users can be created to capture user information, such as email addresses, without fully registering users. This endpoint cannot be used to update the attributes of a registered user. Attempting to do so will return a 409 response. After creating a contact with an anonomyous session, the session is updated to include a flag to identify that this has happened. In the rules builder, the 'Contact Capture' decision node can be used to test this flag value and so determine if the current anonymous session was used to create a contact. This can be used, for example, to prevent showing a contact form to anonymous users that have already filled in such a form.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Bodyapplication/json
identifiersobject(identifiers)required
identifiers.​email_addressstring
Example: "joe.blow@company.com"
attributesobject(attributes)
curl -i -X POST \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/createContact \
  -H 'Content-Type: application/json' \
  -b blaize_session=YOUR_API_KEY_HERE \
  -d '{
    "identifiers": {
      "email_address": "joe.blow@company.com"
    },
    "attributes": {
      "property1": "string",
      "property2": "string"
    }
  }'

Responses

Created or updated a contact user

Bodyapplication/json
tracking_idstring

A unique ID assigned to the created contact for tracking purposes.

messagestring

A human-readable message describing the result of the operation.

Response
application/json
{
  "tracking_id": "0014fdc8-55d1-4916-bbde-5b83b5846766",
  "message": "Creating contact successful"
}

Delete the user data

Request

Deletes user related data like sessions, elasticSearch data, O2Auth tokens according to the provided user_id in the session cookie.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Headers
Cookiestring

The session cookie.

Example: `blaize_session=...` (string)
curl -i -X POST \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/blaize/forget-me \
  -H 'Cookie: `blaize_session=...` (string)' \
  -b blaize_session=YOUR_API_KEY_HERE

Responses

OK - User deleted successfully

Bodyapplication/json
messagestring
Response
application/json
{
  "message": "User deleted successfully"
}

V4 Gifts

Create a Gift resource for V4. Gifts can be used to provide access to a particular URL for one session only by appending a gift token ID to the URL as the gift path parameter.

Operations

Web Analytics

Operations

Zephr Features

Operations

Component Library

Operations

Change the Stripe subscription price

Request

Generates a new preview of the price that Stripe will charge the customer if they create a new subscription for the specified plan. Note: This method does not create any entities in Stripe and does not result in any payments being made.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Path
externalIdstringrequired
Bodyapplication/json
plan_idstring
curl -i -X POST \
  'https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/payment/stripe/subscriptions/{externalId}/change-previews' \
  -H 'Content-Type: application/json' \
  -b blaize_session=YOUR_API_KEY_HERE \
  -d '{
    "plan_id": "string"
  }'

Responses

OK

Bodyapplication/json
totalnumber

The total amount the user will be initially charged for the subscription in the relevant currency's lowest denomination (e.g. pence), i.e. for a monthly subscription, the first month's cost.

Example: 5000
sub_totalnumber

The total amount minus tax for the initial charge in the relevant currency's lowest denomination (e.g. pence).

Example: 4500
Response
application/json
{
  "total": 5000,
  "sub_total": 4500
}

Oauth2 Access Token

Operations

Subscription

Operations