Quick Start

Integrate ZYKAY in 3 steps with the v4 loader.

1. Get your credentials

Create your account at partners.zykay.com.

Identifier      Format       Use
partner_id      pk_live_xxx  Frontend + backend
partner_secret  Base64       Backend only
⚠️ The partner_secret is base64-encoded. Decode it to raw bytes before using it as the HMAC signing key.

2. Add the v4 loader (frontend)

<script src="https://widget-app.zykay.com/v4/loader.min.js"
        data-partner-id="pk_live_xxx"
        data-success-path="/verified"
        data-scopes="isAdult"></script>

Behavior:

  • Desktop: QR code to scan with the ZYKAY app
  • Mobile: direct opening of the app (deep link)
  • Success: redirect to data-success-path#grant_code=...

3. Exchange the grant code on the backend

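// POST /api/zykay/exchange (your backend)
// Body: { "grant_code": "g_xxx" }
// grant_code comes from the request body. partnerId, timestamp, nonce and
// signature are computed server-side; the HMAC key is the base64-decoded
// partner_secret, which must never be sent to the browser.
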
const response = await fetch('https://api.zykay.com/v1/exchange', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-Partner-ID': partnerId,
    'X-Partner-Timestamp': timestamp,
    'X-Partner-Nonce': nonce,
    'X-Partner-Signature': signature,
  },
  body: JSON.stringify({ grant_code }),
});
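
An added example (not ZYKAY's code) for the base64 warning in step 1 and the signed headers above: it decodes partner_secret to raw bytes before keying the HMAC and contrasts that with the mistake of keying with the base64 text. HMAC-SHA256, hex output, a Unix-seconds timestamp and the `timestamp.nonce.body` string to sign are assumptions; take the real scheme from the ZYKAY API reference.

```javascript
// Added example, not ZYKAY's code. ASSUMPTIONS: HMAC-SHA256, hex digest,
// Unix-seconds timestamp and the "timestamp.nonce.body" string to sign.
const { createHmac, randomUUID } = require('node:crypto');

// Constructed sample secret: base64 of 32 fixed bytes (never a real key).
const SAMPLE_SECRET_B64 = Buffer.alloc(32, 0x41).toString('base64');

// Decode partner_secret strictly. Buffer.from(s, 'base64') silently skips
// invalid characters, so a mangled secret would otherwise yield a wrong key.
function decodePartnerSecret(secretB64) {
  const s = String(secretB64).trim();
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) {
    throw new Error('partner_secret is not valid base64');
  }
  return Buffer.from(s, 'base64');
}

// Build the X-Partner-* headers for one exchange call. `now` and `nonce`
// are parameters so the result can be reproduced in tests.
function buildExchangeHeaders(partnerId, secretB64, body,
                              now = Date.now(), nonce = randomUUID()) {
  const key = decodePartnerSecret(secretB64);        // raw key bytes
  const timestamp = String(Math.floor(now / 1000));  // assumed unit: seconds
  const signature = createHmac('sha256', key)
    .update(`${timestamp}.${nonce}.${body}`)         // assumed string to sign
    .digest('hex');
  return {
    'Content-Type': 'application/json',
    'X-Partner-ID': partnerId,
    'X-Partner-Timestamp': timestamp,
    'X-Partner-Nonce': nonce,
    'X-Partner-Signature': signature,
  };
}

// The pitfall: keying the HMAC with the base64 text itself. The call succeeds
// and returns a well-formed digest, but the server would reject it.
function signWithUndecodedSecret(secretB64, message) {
  return createHmac('sha256', secretB64).update(message).digest('hex');
}
```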

Get the grant_code from the URL

const hash = new URLSearchParams(window.location.hash.slice(1));
const grantCode = hash.get('grant_code');
if (grantCode) {
  await fetch('/api/zykay/exchange', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ grant_code: grantCode }),
  });
}

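The grant code is returned in the URL fragment (#grant_code=...) so that it does not leak through the Referer header: browsers do not include the fragment in the requests they send or in Referer.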

Next steps