# Quickstart

This guide takes you from an existing API to a purchasable, proxied service.
You'll need a ZeroClick dashboard account and the base URL of the API you want
to sell.

## 1. Create a service

In the dashboard, create a **Service** with a name, a description, and your
**upstream URL** (the base URL of your API). Agents read the description when
deciding whether your service can do the job, so be specific about what your
API does.

## 2. Add a product with plans and meters

Create a **Product** on the service and pick its
[shape](/docs/product-shapes), for example *Subscription + included usage*
for a monthly fee that includes a bundle of requests. Then add:

- **Meters** for each usage dimension you charge for (label and unit, e.g.
  "API requests" / "request").
- **Plans** with a billing interval, base price, included units per meter, and
  overage pricing.

See [Plans & meters](/docs/plans-and-meters) for every field in detail.

## 3. Implement the API key exchange

Host one endpoint on your API that ZeroClick calls when a buyer purchases a
plan. It exchanges a buyer ID for an API key in your system:

`POST https://api.example.com/zeroclick/api-key`

```ts
import { createHmac, timingSafeEqual } from "node:crypto";
import express from "express";

const app = express();
const SIGNING_SECRET = process.env.ZEROCLICK_SIGNING_SECRET;

app.post(
	"/zeroclick/api-key",
	express.raw({ type: "application/json" }),
	(req, res) => {
		if (!verifyZeroClickSignature(req)) {
			return res.status(401).end();
		}
		const { userId, plan } = JSON.parse(req.body.toString());
		const apiKey = issueApiKeyForUser(userId, plan);
		res.json({ apiKey });
	},
);

function verifyZeroClickSignature(req) {
	const timestamp = req.header("X-ZeroClick-Timestamp");
	const signature = req.header("X-ZeroClick-Signature");
	if (!timestamp || !signature) return false;

	const expected = `sha256=${createHmac("sha256", SIGNING_SECRET)
		.update(`${timestamp}.${req.body.toString()}`)
		.digest("hex")}`;
	return timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
```

Also handle `DELETE` at the same path to revoke the key when a plan ends. The
full contract, including signature verification details and retry semantics,
is in [API key exchange](/docs/api-key-exchange).

## 4. Report usage

Add a usage header to responses on your paid endpoints so ZeroClick can meter
consumption:

```http
HTTP/1.1 200 OK
Content-Type: application/json
X-ZeroClick-Usage: api-requests=1
```

Prefer batched, asynchronous reporting for long-running work. Both options
are covered in [Metering & usage](/docs/metering-and-usage).

## 5. Test it end-to-end

Your service gets a proxy at `https://{service-slug}.pay.zeroclick.io`. Check
that plans are discoverable:

```bash
curl https://{service-slug}.pay.zeroclick.io/plans
```

Purchase a test plan, make a proxied call to one of your endpoints, and watch
the usage appear in the dashboard. When everything looks right, run through
the [going live checklist](/docs/going-live).