Zap identifies creators through EIP-191 wallet signatures issued via Thirdweb rather than passwords or OAuth tokens. When you connect your wallet, the app exchanges a signed proof for a Supabase Auth session token that is then attached as a bearer token to every subsequent API call. Live runs use that session token to retrieve your provider API keys from encrypted Supabase storage — your keys never leave the server at runtime, and the browser only ever sees masked metadata.
Connecting Your Wallet
- Navigate to /settings in the Zap web app.
- Click Connect Wallet and complete the Thirdweb wallet connection flow (MetaMask, Coinbase Wallet, WalletConnect, and other injected providers are supported).
- Sign the authentication message when prompted. This signature is an EIP-191 personal sign over a one-time nonce — it does not authorize any on-chain transaction.
- The app calls POST /api/auth/wallet-proof with your signed payload. That route proxies the request to the zap-wallet-proof Supabase Edge Function, which:
  - Verifies the EIP-191 signature
  - Records nonce use in the wallet_auth_nonces table to prevent replay attacks
  - Creates or reuses a Supabase Auth user mapped in wallet_auth_users
  - Returns a Supabase Auth session token
- The session token is stored in the browser and attached as Authorization: Bearer <token> on all subsequent calls to /api/secrets and /api/zaps/run.
Managing Provider Keys
Navigate to /settings and scroll to the Vault section after connecting your wallet. Each supported provider has a corresponding input field.
Supported Secret Types
GMI Cloud API key. Required for routing image and video generation steps to the GMI provider.
GMI Cloud organization ID. Required alongside gmi_api_key for billing attribution on GMI runs.
fal.ai API key. Enables routing to fal.ai for image and video generation steps.
Runware API key. Enables routing to Runware for image generation steps.
Prodia API key. Enables routing to Prodia for image generation steps.
OpenRouter API key. Used for LLM steps that route through OpenRouter.
AI Gateway API key. Used when routing LLM and multimodal steps through an AI Gateway proxy.
How Keys Are Stored
When you save a key through the UI (or via PUT /api/secrets), the request is forwarded to the zap-user-secrets Supabase Edge Function with your session token. The Edge Function:
- Encrypts the plaintext value using USER_SECRETS_ENCRYPTION_KEY before writing it to the user_secrets table
- Returns only masked metadata (e.g. key type and last-updated timestamp) to the browser — the plaintext is never returned in any browser-facing response
x-zap-server-secret header (ZAP_SECRET_REVEAL_TOKEN). This dual-credential requirement means plaintext keys can only be retrieved by the Zap server acting on behalf of an authenticated owner — not by the browser and not by unauthenticated server paths.
Do not use legacy profiles.*_api_key columns for Zap provider execution. Those columns are not read by the runtime.
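The storage model described in this section, as an added example that is not Zap's own code: values are encrypted before they reach the table, callers get masked metadata only, and reveal needs both an authenticated owner and the server-only header value. AES-256-GCM, the in-memory Map standing in for user_secrets, the function names, and the constructed key and token are assumptions; sessionUserId stands for the user id taken from an already verified session token.

```javascript
const { createCipheriv, createDecipheriv, createHash, randomBytes, timingSafeEqual } =
  require("node:crypto");

// Constructed stand-ins for USER_SECRETS_ENCRYPTION_KEY and ZAP_SECRET_REVEAL_TOKEN.
const ENCRYPTION_KEY = randomBytes(32);
const REVEAL_TOKEN = "constructed-reveal-token";
const userSecrets = new Map(); // hypothetical in-memory stand-in for the user_secrets table

const rowKey = (userId, secretType) => `${userId}:${secretType}`;

// Encrypt before writing; return only masked metadata (key type, last-updated timestamp).
// AES-256-GCM is an assumption: the page does not name the cipher.
function putSecret(userId, secretType, plaintext) {
  const iv = randomBytes(12); // fresh nonce for every write
  const cipher = createCipheriv("aes-256-gcm", ENCRYPTION_KEY, iv);
  cipher.setAAD(Buffer.from(rowKey(userId, secretType))); // bind ciphertext to its owner row
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const updatedAt = new Date().toISOString();
  userSecrets.set(rowKey(userId, secretType), { iv, ciphertext, tag: cipher.getAuthTag(), updatedAt });
  return { secretType, updatedAt };
}

// Constant-time comparison; hashing first gives both inputs equal length.
function revealTokenMatches(presented) {
  const digest = (s) => createHash("sha256").update(String(s)).digest();
  return timingSafeEqual(digest(presented), digest(REVEAL_TOKEN));
}

// Plaintext is released only when BOTH credentials are present: the owner's
// identity (from a verified session token) and the server-only header value.
function revealSecret(sessionUserId, serverSecretHeader, secretType) {
  if (!sessionUserId) throw new Error("unauthenticated");
  if (!revealTokenMatches(serverSecretHeader ?? "")) throw new Error("forbidden");
  const row = userSecrets.get(rowKey(sessionUserId, secretType));
  if (!row) throw new Error("not found");
  const decipher = createDecipheriv("aes-256-gcm", ENCRYPTION_KEY, row.iv);
  decipher.setAAD(Buffer.from(rowKey(sessionUserId, secretType)));
  decipher.setAuthTag(row.tag);
  return Buffer.concat([decipher.update(row.ciphertext), decipher.final()]).toString("utf8");
}
```

Because the owner and key type are bound in as associated data, a row copied under another user's id fails authentication at decrypt time instead of yielding the plaintext.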
API — Secrets Endpoint
All secrets operations require an Authorization: Bearer <token> header containing a valid Supabase session token obtained from the wallet proof flow.
GET /api/secrets
Returns masked secret metadata for the authenticated creator. If called without a bearer token, returns configuration status only (no secret values).
PUT /api/secrets
Upserts (creates or replaces) an encrypted provider key for the authenticated creator. The value is encrypted immediately and not echoed back in the response.
DELETE /api/secrets
Removes a stored provider key for the authenticated creator.
For Supabase server-side setup — deploying the zap-user-secrets and zap-wallet-proof Edge Functions and configuring the required encryption secrets — see the Supabase Secrets deployment guide.