Authentication overview
The ZoomInfo API employs a token-based authentication system to secure access to its B2B data and intelligence services. This system relies on API keys, which are unique identifiers issued to each authorized developer or application. These keys function as bearer tokens, meaning the bearer of the token is granted access, provided the token is valid and active. When making requests to ZoomInfo API endpoints, the API key must be included in the HTTP request header, specifically in the Authorization header with the Bearer scheme. This mechanism ensures that only authenticated and authorized applications can retrieve data from the ZoomInfo platform, protecting sensitive B2B information and maintaining data integrity. The ZoomInfo API authentication guide provides specific guidance on how to structure these authenticated requests.
The use of API keys as bearer tokens is a common practice in RESTful API design, offering a balance between security and ease of implementation. Developers integrate these keys into their application's code, allowing programmatic access to functionalities such as retrieving company profiles, contact details, intent signals, and technographic data. Proper management and protection of these API keys are crucial to prevent unauthorized access and potential misuse of data. ZoomInfo's approach aligns with established industry practices for API security, emphasizing the importance of secure credential handling throughout the development and deployment lifecycle.
Supported authentication methods
The ZoomInfo API primarily supports API key authentication. This method is suitable for most integration scenarios, from server-to-server communications to client applications where the API key can be securely stored and managed. The API key acts as a secret token that verifies the identity of the calling application.
API Key (Bearer Token)
For the ZoomInfo API, an API key is provided as a long, randomly generated string. This string is then passed in the Authorization header of each HTTP request. The format typically follows the RFC 6750 Bearer Token specification.
```http
GET /enrich/query HTTP/1.1
Host: api.zoominfo.com
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
```
This method offers:
- Simplicity: Easy to implement in various programming languages and HTTP clients.
- Direct Access: Provides immediate access to authorized resources upon successful key validation.
- Statelessness: Each request carries its own authentication information, simplifying server-side processing.
Authentication Method Comparison
The table below summarizes the primary authentication method supported by the ZoomInfo API, including its typical use cases and security considerations.
| Method | When to Use | Security Level |
|---|---|---|
| API Key (Bearer Token) | Server-side applications, backend services, secure environments where the key can be stored securely. | Moderate to High (depends on key management practices). Requires secure transmission (HTTPS) and storage. |
Getting your credentials
To obtain the necessary API key for authenticating with the ZoomInfo API, you must have an active ZoomInfo API subscription. The process typically involves accessing the ZoomInfo developer portal or your account management interface. Specific steps for retrieving your API key are outlined in the official ZoomInfo developer documentation.
- Access the Developer Portal: Navigate to the ZoomInfo developer portal and log in with your account credentials.
- Locate API Key Section: Within the portal, there is usually a dedicated section for API keys, credentials, or integrations.
- Generate or Retrieve Key: Depending on your account setup, you may need to generate a new API key or retrieve an existing one. Follow the instructions provided on the portal.
- Securely Store Your Key: Once generated, copy your API key and store it in a secure location. Treat this key as a sensitive secret, similar to a password. Do not hardcode it directly into your application's source code, especially in client-side applications or publicly accessible repositories.
- Environment Variables or Secret Management: For server-side applications, it is recommended to store API keys in environment variables, a dedicated secrets manager (e.g., AWS Secrets Manager, Google Secret Manager), or a secure configuration file that is not committed to version control.
If you encounter any issues during this process or require assistance with your account, refer to ZoomInfo's support resources or contact their customer service team.
Authenticated request example
Once you have obtained your API key, you can use it to make authenticated requests to the ZoomInfo API. The following examples demonstrate how to include the API key as a Bearer token in the Authorization header using common programming languages. These examples target a hypothetical /enrich/query endpoint, which is representative of many data retrieval operations within the ZoomInfo API.
Python Example
Using the requests library for a simple GET request:
```python
import os

import requests

# It's best practice to load your API key from environment variables
ZOOMINFO_API_KEY = os.environ.get("ZOOMINFO_API_KEY")
if not ZOOMINFO_API_KEY:
    raise ValueError("ZOOMINFO_API_KEY environment variable not set.")

url = "https://api.zoominfo.com/enrich/query"
headers = {
    "Authorization": f"Bearer {ZOOMINFO_API_KEY}",
    "Content-Type": "application/json",
}
# Example query parameters for enriching a company
params = {
    "companyName": "ZoomInfo",
    "country": "US",
}

try:
    # A timeout keeps the call from hanging indefinitely on a stalled connection
    response = requests.get(url, headers=headers, params=params, timeout=10)
    response.raise_for_status()  # Raise an HTTPError for bad responses (4xx or 5xx)
    print(response.json())
except requests.exceptions.HTTPError as err:
    print(f"HTTP error occurred: {err}")
except requests.exceptions.RequestException as err:
    print(f"Other error occurred: {err}")
```
Node.js Example
Using the native fetch API (available in Node.js 18+ or via polyfill):
```javascript
// Load environment variables (e.g., using dotenv package)
require('dotenv').config();

const ZOOMINFO_API_KEY = process.env.ZOOMINFO_API_KEY;
if (!ZOOMINFO_API_KEY) {
  throw new Error("ZOOMINFO_API_KEY environment variable not set.");
}

const url = "https://api.zoominfo.com/enrich/query";
const queryParams = new URLSearchParams({
  companyName: "ZoomInfo",
  country: "US"
}).toString();

fetch(`${url}?${queryParams}`, {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${ZOOMINFO_API_KEY}`,
    'Content-Type': 'application/json'
  }
})
  .then(response => {
    if (!response.ok) {
      throw new Error(`HTTP error! status: ${response.status}`);
    }
    return response.json();
  })
  .then(data => {
    console.log(data);
  })
  .catch(error => {
    console.error('Error fetching data:', error);
  });
```
For more detailed examples across various SDKs and specific endpoints, consult the ZoomInfo API reference documentation.
Security best practices
Securing your API keys and ensuring the integrity of your interactions with the ZoomInfo API is paramount. Adhering to security best practices helps prevent unauthorized access to your data and API usage.
1. Protect Your API Keys
- Do Not Hardcode: Never embed API keys directly into your source code. This is a common vulnerability, especially if the code is committed to version control systems like Git.
- Environment Variables: Store API keys as environment variables on your server or deployment environment. This keeps them out of your codebase.
- Secret Management Services: Utilize cloud-based secret management services such as AWS Secrets Manager, Google Cloud Secret Manager, or Azure Key Vault. These services provide secure storage, rotation, and access control for sensitive credentials.
- Configuration Files: If environment variables are not feasible, use configuration files that are explicitly excluded from version control (e.g., via .gitignore).
2. Use HTTPS/TLS Always
All communications with the ZoomInfo API should occur over HTTPS (HTTP Secure). This encrypts the data in transit, protecting your API key and any sensitive data exchanged from eavesdropping or man-in-the-middle attacks. The ZoomInfo API inherently enforces HTTPS for all its endpoints, so ensure your client applications are configured to use it.
Data encryption in transit is a fundamental security measure, as highlighted by organizations like the Internet Engineering Task Force (IETF) in their TLS 1.3 specification, which underpins HTTPS.
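A client-side guard for the HTTPS rule above, as an added example that is not ZoomInfo's own code: it attaches the Bearer header only when the destination is HTTPS on an expected host. The allow-list, the function names and the placeholder key are assumptions made for illustration; the host is the one used in this page's request examples.

```python
from urllib.parse import urlsplit

# Assumption: the only host that should ever receive the key is the one
# used in this page's examples.
ALLOWED_HOSTS = {"api.zoominfo.com"}


class UnsafeDestination(ValueError):
    """Raised when a URL must not receive the API key."""


def auth_headers_for(url: str, api_key: str) -> dict:
    """Return the Authorization header only for HTTPS URLs on an allowed host."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        raise UnsafeDestination("refusing to send the key without HTTPS")
    # .hostname is lower-cased and excludes userinfo and port, so a URL such as
    # "https://api.zoominfo.com@other.example/" is judged by its real host.
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise UnsafeDestination(f"refusing to send the key to host {host!r}")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeDestination("malformed port in URL") from None
    if port not in (None, 443):
        raise UnsafeDestination(f"unexpected port {port}")
    return {"Authorization": f"Bearer {api_key}"}


def is_safe(url: str) -> bool:
    """True if the key may be sent to url (uses a constructed placeholder key)."""
    try:
        auth_headers_for(url, "constructed-placeholder-key")
        return True
    except UnsafeDestination:
        return False
```

Calling `auth_headers_for` at the single place where requests are built keeps a misconfigured base URL from sending the key in cleartext or to another host.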
3. Implement Least Privilege
If the ZoomInfo API offers granular permissions (check their documentation), configure your API keys with the minimum necessary permissions required for your application's functionality. This limits the potential damage if a key is compromised.
4. Monitor and Audit API Usage
- Logging: Implement comprehensive logging for all API calls made by your application. This includes request and response details (excluding sensitive data from logs).
- Anomaly Detection: Monitor API usage patterns for unusual activity, such as a sudden spike in requests, requests from unexpected IP addresses, or access to unauthorized endpoints.
- Rate Limiting: While the ZoomInfo API has its own rate limits, ensure your application handles these gracefully to avoid unnecessary errors and potential account flags.
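The anomaly checks listed above (request spikes, unexpected source IPs, unexpected endpoints), as an added example that is not part of ZoomInfo's documentation. The record format, the thresholds, the IP addresses and the `/bulk/export` path are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed usage records: (ISO timestamp, caller source IP, endpoint path)
SAMPLE_LOG = [
    ("2024-05-01T09:00:05", "10.0.1.5", "/enrich/query"),
    ("2024-05-01T09:00:40", "10.0.1.5", "/enrich/query"),
    ("2024-05-01T09:03:10", "203.0.113.7", "/enrich/query"),
    ("2024-05-01T09:05:01", "10.0.1.5", "/enrich/query"),
    ("2024-05-01T09:05:02", "10.0.1.5", "/enrich/query"),
    ("2024-05-01T09:05:03", "10.0.1.5", "/enrich/query"),
    ("2024-05-01T09:05:04", "10.0.1.5", "/bulk/export"),
]
EXPECTED_IPS = {"10.0.1.5"}             # assumed: where the integration runs
EXPECTED_ENDPOINTS = {"/enrich/query"}  # assumed: endpoints the integration uses
MAX_PER_MINUTE = 3                      # assumed baseline for this integration


def find_anomalies(records, ips, endpoints, max_per_minute):
    """Return (kind, when, detail) tuples for each deviation from the baseline."""
    findings = []
    per_minute = Counter()
    for ts, ip, path in records:
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        per_minute[minute] += 1
        if ip not in ips:
            findings.append(("unexpected_ip", ts, ip))
        if path not in endpoints:
            findings.append(("unexpected_endpoint", ts, path))
    # Spikes are evaluated per calendar minute once all records are counted.
    for minute, count in sorted(per_minute.items()):
        if count > max_per_minute:
            findings.append(("rate_spike", minute.isoformat(), count))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, EXPECTED_IPS,
                                  EXPECTED_ENDPOINTS, MAX_PER_MINUTE):
        print(finding)
```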
5. Key Rotation and Revocation
- Regular Rotation: Periodically rotate your API keys. This reduces the window of opportunity for a compromised key to be exploited.
- Immediate Revocation: If you suspect an API key has been compromised, revoke it immediately through your ZoomInfo account portal and generate a new one.
6. Secure Your Development Environment
Ensure that your development machines and build pipelines are secure. Implement strong access controls, regular security updates, and antivirus software to prevent malware that could steal credentials.
7. Error Handling and Disclosure
Implement robust error handling in your application. Avoid verbose error messages that might accidentally disclose sensitive information (like API keys or internal system details) to end-users or logs that are publicly accessible.
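One way to keep the API key out of logs and error output, as recommended here and in the logging guidance under section 4. This is an added example, not code from ZoomInfo; the logger name and the sample key are constructed.

```python
import logging
import re

# "Bearer <credential>" as it appears in an Authorization header (RFC 6750)
_BEARER_RE = re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9\-._~+/]+=*")
MASK = "[REDACTED]"


def redact(text, known_secrets=()):
    """Mask bearer credentials and any exact known secret values in text."""
    text = _BEARER_RE.sub(lambda m: f"{m.group(1)} {MASK}", text)
    for secret in known_secrets:
        if secret:
            text = text.replace(secret, MASK)
    return text


class RedactingFilter(logging.Filter):
    """Scrubs the fully formatted message before a handler emits it."""

    def __init__(self, known_secrets=()):
        super().__init__()
        self.known_secrets = tuple(known_secrets)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self.known_secrets)
        record.args = None  # the message is already formatted
        return True


def demo():
    """Log two constructed lines through the filter; return what was written."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    fake_key = "zi_test_0123456789abcdef"  # constructed value, not a real key
    logger = logging.getLogger("zoominfo_client_demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.addFilter(RedactingFilter([fake_key]))
    logger.addHandler(handler)
    logger.info("request headers: %s", {"Authorization": f"Bearer {fake_key}"})
    logger.error("call failed for key=%s", fake_key)
    return captured
```

Attach the filter to every handler that writes outside the process (files, syslog, log shippers); the pattern errs toward over-masking, so any word following "bearer" in ordinary prose is masked as well.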
By following these best practices, developers can significantly enhance the security posture of their applications integrating with the ZoomInfo API, protecting both their own systems and the valuable data accessed through the platform.