Zap uses Supabase project wzrdstudio for creator wallet authentication and bring-your-own-key (BYOK) provider secret storage. All creator API keys are encrypted server-side before being written to the database and are revealed in plaintext only during authenticated live runs — never returned to the browser. The /settings page lets creators connect their wallet and manage BYOK keys; the /api/secrets route proxies all secret operations through the zap-user-secrets edge function.
Environment Variables
The web app requires three Supabase variables. Set them in Vercel and in your local .env.local:
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY is the current Supabase naming convention. NEXT_PUBLIC_SUPABASE_ANON_KEY is the equivalent legacy alias — set whichever matches your Supabase dashboard.
Database Migration
Apply the migration at supabase/migrations/20260703000000_zap_user_secrets.sql before enabling live BYOK runs.
user_secrets table with the full encrypted storage shape:
wallet_auth_users and wallet_auth_nonces tables, unique indexes, and a full set of Row Level Security policies so that each user can only access their own secrets.
Row Level Security
RLS is enabled and forced on user_secrets, wallet_auth_users, and wallet_auth_nonces. The policies enforce:
- SELECT, INSERT, UPDATE, DELETE on user_secrets are scoped to auth.uid() = user_id
- SELECT on wallet_auth_users is scoped to auth.uid() = user_id
- No direct browser access to wallet_auth_nonces — nonce records are written and consumed only by edge functions
x-zap-server-secret header alongside the user JWT.
Edge Functions
Deploy both functions with supabase functions deploy <name>.
zap-user-secrets
Handles list, save, and delete of encrypted BYOK secrets. Returns masked metadata (e.g. last4) to the browser; returns plaintext only to the Zap server.
Required Supabase secrets:
| Caller | Allowed operations |
|---|---|
| Browser (user JWT) | List masked secrets, save a new key, delete a key |
| Zap server (user JWT + x-zap-server-secret) | All of the above, plus plaintext key reveal for a live run |
ZAP_SECRET_REVEAL_TOKEN must match the value set in Vercel’s environment variables. This shared secret is what restricts plaintext reveals to the Zap server only.
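
The caller split in the table above, as an added example that is not the project's edge function code: listing returns only masked metadata, and reveal requires both the user JWT and a matching x-zap-server-secret value. The names handleSecretRequest, SecretRow, Caller and the sample rows are hypothetical, and the rows hold plaintext in memory only to keep the example short.

```typescript
// Added example. All identifiers below are hypothetical, not Zap's code.
type SecretRow = { userId: string; secretType: string; plaintext: string };
type Caller = { jwtUserId: string | null; serverSecretHeader: string | null };
type Masked = { secretType: string; last4: string; value?: string };
type Result = { status: number; body: Masked[] | { error: string } };

// Constructed sample data (plaintext in memory only to keep the example short).
const SAMPLE_ROWS: SecretRow[] = [
  { userId: "user-a", secretType: "fal_key", plaintext: "fal-constructed-0000-9f3c" },
  { userId: "user-b", secretType: "openrouter_key", plaintext: "or-constructed-1111-77aa" },
];

// Compare without exiting at the first mismatch; a length difference also counts.
// Where the runtime offers a vetted primitive (e.g. node:crypto timingSafeEqual), prefer it.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function mask(row: SecretRow): Masked {
  return { secretType: row.secretType, last4: row.plaintext.slice(-4) };
}

function handleSecretRequest(
  op: "list" | "reveal",
  caller: Caller,
  rows: SecretRow[],
  revealToken: string, // stands in for ZAP_SECRET_REVEAL_TOKEN
): Result {
  if (!caller.jwtUserId) return { status: 401, body: { error: "missing user JWT" } };
  // Scope to the JWT's user first, mirroring auth.uid() = user_id.
  const own = rows.filter((r) => r.userId === caller.jwtUserId);
  if (op === "list") return { status: 200, body: own.map(mask) };
  // Fail closed: an unset token must never match an absent header.
  const header = caller.serverSecretHeader ?? "";
  const isServer = revealToken.length > 0 && constantTimeEqual(header, revealToken);
  if (!isServer) return { status: 403, body: { error: "reveal is server-only" } };
  return { status: 200, body: own.map((r) => ({ ...mask(r), value: r.plaintext })) };
}
```

The empty-token guard matters when the reveal token is missing from the function's environment: without it, a request with no header would compare equal to the unset value.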
zap-wallet-proof
Handles EIP-191 wallet signature verification and Supabase Auth session minting for wallet-based login.
Required Supabase secrets:
- Client submits a signed EIP-191 payload and a one-time nonce to /api/auth/wallet-proof
- The Next.js route proxies the request to zap-wallet-proof (or the function named in ZAP_WALLET_PROOF_FUNCTION)
- The function verifies the wallet signature, confirms the nonce has not been used, and records it in wallet_auth_nonces
- It creates or reuses a Supabase Auth user mapped in wallet_auth_users (keyed by wallet address)
- Supabase Auth mints a session token, which is returned to the client
ZAP_WALLET_TOKEN_TTL_SECONDS controls session lifetime; 604800 equals seven days.
SUPABASE_URL and SUPABASE_SECRET_KEYS are injected automatically by the Supabase Edge Function runtime — do not set them manually. The legacy SUPABASE_SERVICE_ROLE_KEY is also supported if your project uses it.
BYOK Secret Types
The following secret_type values are supported by the zap-user-secrets edge function. Each maps to a provider credential a creator can supply via /settings.
| secret_type | Description |
|---|---|
| gmi_api_key | GMI (Generative Media Intelligence) API key |
| gmi_org_id | GMI organisation ID |
| fal_key | Fal.ai API key |
| runware_key | Runware API key |
| prodia_key | Prodia API key |
| openrouter_key | OpenRouter API key |
| ai_gateway_api_key | AI gateway API key |
profiles.*_api_key columns for Zap provider execution. All provider credentials for live runs must go through the encrypted user_secrets table and the zap-user-secrets edge function.