Public API Reference (2025-07-30)

The Zephr Public API provides common client-side actions tied to a session cookie. Unlike the Admin API, neither users nor other resources can be dereferenced; the only data that can be accessed is owned by the user who is currently signed in. This design is used to protect other users from malicious attacks.

You can find the base URL for the Public API by navigating to your site domains. To do this, select Sites from the Delivery menu, select your site, and then click the Site Domains button. The base URL is the Live domain.

Zephr forms use the Public API by default, with relative URLs based on the base URL.

Servers
Mock server: https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api
https://{your-domain}

Authentication

Operations

Braintree Payments

Operations

Browser Feature Transformations

Operations

Decision Engine

Operations

Dynamic Offer Decision Engine

Operations

Dynamic Offer Promo Code Decision

Operations

OAuth Flow

Operations

Payments

Operations

Product Sharing

Operations

SDK Feature Decision Engine

Operations

Sessions

Operations

Stripe Payments

Operations

Third-Party Authentication

This section contains the API operations for the OAuth 2.0 Authorization Code Flow.

Operations

User

Operations

Save Extended Profile

Request

Extended Profile is used to store additional user information that is not part of the core profile. This endpoint will create an Extended Profile for the App ID if one did not exist already, or overwrite an existing Extended Profile for the App ID. The body can be any valid JSON.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Path
appId string required

Unique, caller-provided path parameter that represents the context under which the end user's data is stored within a tenant. This cannot start with '_restricted'.

Headers
cookie string

The session cookie.

Example: blaize_session=...
Body application/json
One of:
object
curl -i -X PUT \
  'https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/blaize/profile/{appId}' \
  -H 'Content-Type: application/json' \
  -H 'cookie: blaize_session=...' \
  -b 'blaize_session=...' \
  -d '{
    "first_name": "John",
    "last_name": "Doe",
    "user_details": {
      "email_address": "john.doe@zuora.com",
      "employment": {
        "company": "Zuora",
        "job_title": "Software Engineer"
      }
    },
    "consent_prefs": {
      "email": false,
      "sms": true
    },
    "interests": [
      "Reading",
      "Coding",
      "Hiking"
    ]
  }'

Responses

Extended Profile is used to store additional user information that is not part of the core profile. This endpoint is designed to be used for updating the user's Extended Profile.

Body application/json
message string
Example: "User extended profile updated"
Response
application/json
{ "message": "User extended profile updated" }
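
Added example, not part of the Zephr reference: building the Save Extended Profile request so the caller-provided appId is checked against the '_restricted' rule and cannot alter the request path. The helper name buildSaveProfileRequest, the base URL https://example.test and the dot-segment check are assumptions made for this example.

```javascript
// Hypothetical helper: returns the pieces of a PUT /blaize/profile/{appId}
// request without sending it, so the result can be inspected or passed to fetch().
function buildSaveProfileRequest(baseUrl, appId, profile) {
  if (typeof appId !== "string" || appId === "") {
    throw new Error("appId is required");
  }
  // Rule stated in the reference: appId cannot start with '_restricted'.
  if (appId.startsWith("_restricted")) {
    throw new Error("appId must not start with '_restricted'");
  }
  // Extra hardening (assumption): "." and ".." survive percent-encoding and
  // would be collapsed by URL normalisation, changing the target path.
  if (appId === "." || appId === "..") {
    throw new Error("appId must not be a dot segment");
  }
  // The body can be any valid JSON; values that do not serialise
  // (undefined, functions) are rejected before anything is sent.
  const body = JSON.stringify(profile);
  if (body === undefined) {
    throw new Error("profile is not JSON-serialisable");
  }
  // encodeURIComponent keeps "/", "?" and "#" inside the single path segment.
  const url = new URL("/blaize/profile/" + encodeURIComponent(appId), baseUrl);
  return {
    url: url.href,
    method: "PUT",
    headers: { "Content-Type": "application/json" },
    credentials: "include", // send the session cookie with fetch()
    body,
  };
}
```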

Create an authorization challenge

Request

Authorization challenge against an array of entitlement IDs.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Headers
cookie string

The session cookie.

Example: blaize_session=5562c0cf-b07a-42d0-ac1a-c0e29735e73a;...
Body application/json
contentIdentifier string
endUserIPAddress string
entitlementIds Array of strings
giftToken string
referrer string
trustedReferrerToken string
curl -i -X POST \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/blaize/authorization/challenge \
  -H 'Content-Type: application/json' \
  -H 'cookie: blaize_session=5562c0cf-b07a-42d0-ac1a-c0e29735e73a;...' \
  -b 'blaize_session=5562c0cf-b07a-42d0-ac1a-c0e29735e73a;...' \
  -d '{
    "contentIdentifier": "string",
    "endUserIPAddress": "string",
    "entitlementIds": [
      "string"
    ],
    "giftToken": "string",
    "referrer": "string",
    "trustedReferrerToken": "string"
  }'

Responses

OK

Body application/json
property name* boolean additional property
Response
application/json
{ "68cc48be-e47e-4707-8958-1249d87fca86": false }

Retrieve the user schema

Request

Retrieves the user attribute schema for the tenant. This includes all fields configured in the admin console for the user schema.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
curl -i -X GET \
  https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/blaize/schema/users \
  -b blaize_session=YOUR_API_KEY_HERE

Responses

OK. Returns a list of schema fields.

Body application/json Array [
tenantId string
Example: "company"
subTenantId string
Example: "company|demo"
slug string

The unique identifier for the schema field.

Example: "first-name"
visibility any

The visibility of the schema field. This is used to determine who can see the field. By default, all fields are PUBLIC. Those fields are visible to all users.

Value: "PUBLIC"
Example: "PUBLIC"
context string

The context of the schema field. It is used to group fields together into different contexts. By default, all fields are used in the null context.

Example: "ZUORA_BILLING"
label string
Example: "First Name"
required boolean
Example: true
internal-description string
Example: "The first name of the user"
public-description string
Example: "The first name of the user"
validation-expression string
Example: "[a-z]+$"
input-type any
Enum: "text", "color", "number", "range", "time", "datetime-local", "date", "week", "month", "email"
Example: "text"
select-options Array of objects
Example: "[ {key1: value1}, {key2: value2} ]"
range-start number
Example: 0
range-end number
Example: 100
range-step number
Example: 1
decision-point boolean

The decision point of the schema field. It determines whether the field is used in the decision engine. If set to true, this field will be evaluated by the decision engine to influence the outcome of decisions. For example, a field marked as a decision point might be used to grant or deny access to a specific feature.

Example: true
publicly-writable boolean
Example: true
form-use boolean
Example: false
]
Response
application/json
[ { "tenantId": "company", "subTenantId": "company|demo", "slug": "first-name", "visibility": "PUBLIC", "context": "ZUORA_BILLING", "label": "First Name", "required": true, "internal-description": "The first name of the user", "public-description": "The first name of the user", "validation-expression": "[a-z]+$", "input-type": "text", "select-options": "[ {key1: value1}, {key2: value2} ]", "range-start": 0, "range-end": 100, "range-step": 1, "decision-point": true, "publicly-writable": true, "form-use": false } ]
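
Added example, not part of the Zephr reference: checking a submission against schema field objects shaped like the response above before sending it. It assumes validation-expression is meant to match the whole value, so the sample expression "[a-z]+$", which has no leading anchor, is wrapped before use; the function names and the "age" field are hypothetical.

```javascript
// Constructed sample: "first-name" mirrors the response example on this page;
// "age" is a hypothetical numeric field added for illustration.
const SAMPLE_SCHEMA = [
  { slug: "first-name", required: true, "input-type": "text",
    "validation-expression": "[a-z]+$" },
  { slug: "age", required: false, "input-type": "number",
    "range-start": 0, "range-end": 100, "range-step": 1 },
];

// Returns a list of problems for one value against one schema field.
function validateField(field, value) {
  if (value === undefined || value === null || value === "") {
    return field.required ? ["required"] : [];
  }
  const errors = [];
  const expr = field["validation-expression"];
  if (typeof expr === "string" && expr !== "") {
    // Assumption: the expression must match the whole value. Wrapping it in
    // ^(?:...)$ stops an unanchored pattern such as "[a-z]+$" from being
    // satisfied by a suffix of the input.
    if (!new RegExp("^(?:" + expr + ")$").test(String(value))) errors.push("pattern");
  }
  if (["number", "range"].includes(field["input-type"])) {
    const n = Number(value);
    const start = field["range-start"], end = field["range-end"], step = field["range-step"];
    if (!Number.isFinite(n)) return errors.concat("not a number");
    if (typeof start === "number" && n < start) errors.push("below range-start");
    if (typeof end === "number" && n > end) errors.push("above range-end");
    const q = (n - (typeof start === "number" ? start : 0)) / step;
    if (typeof step === "number" && step > 0 && Math.abs(q - Math.round(q)) > 1e-9) {
      errors.push("off range-step");
    }
  }
  return errors;
}

// Validates a whole submission keyed by slug; slugs the schema does not
// define are reported instead of being passed through.
function validateProfile(schema, profile) {
  const problems = Object.create(null);
  const known = new Set(schema.map((f) => f.slug));
  for (const f of schema) {
    const own = Object.prototype.hasOwnProperty.call(profile, f.slug);
    const errs = validateField(f, own ? profile[f.slug] : undefined);
    if (errs.length) problems[f.slug] = errs;
  }
  for (const k of Object.keys(profile)) if (!known.has(k)) problems[k] = ["unknown field"];
  return problems;
}
```

Client-side checks like this only give early feedback; the values still have to be validated by the service that stores them.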

V4 Gifts

Create a Gift resource for V4. Gifts can be used to provide access to a particular URL for one session only by appending a gift token ID to the URL as the gift path parameter.

Operations

Web Analytics

Operations

Zephr Features

Operations

Component Library

Operations

Change the Stripe subscription price

Request

Generates a new preview of the price that Stripe will charge the customer if they create a new subscription for the specified plan. Note: This method does not create any entities in Stripe and does not result in any payments being made.

Security
CookieBlaizeSession or JwtQuery or JwtHeaderXBlaizeJwt or JwtHeaderXZephrJwt or JwtBearer or JwtCookie
Path
externalId string required
Body application/json
plan_id string
curl -i -X POST \
  'https://developer.zuora.com/_mock/zephr-api-reference/zephr-public-api/zephr/payment/stripe/subscriptions/{externalId}/change-previews' \
  -H 'Content-Type: application/json' \
  -b blaize_session=YOUR_API_KEY_HERE \
  -d '{
    "plan_id": "string"
  }'

Responses

OK

Body application/json
total number

The total amount the user will be initially charged for the subscription in the relevant currency's lowest denomination (e.g. pence), i.e. for a monthly subscription, the first month's cost.

Example: 5000
sub_total number

The total amount minus tax for the initial charge in the relevant currency's lowest denomination (e.g. pence).

Example: 4500
Response
application/json
{ "total": 5000, "sub_total": 4500 }

Oauth2 Access Token

Operations

Subscription

Operations