Authentication

Getting a key

API keys are issued automatically. Request one from the main site using the Request API Key button. A secure one-time reveal link is sent to your email right away and typically arrives within a few minutes.

Using your key

Pass your key in the X-SYNTHLINK-KEY request header. Every endpoint requires this header — requests without it return 401 Unauthorized.

X-SYNTHLINK-KEY: sk_live_your_key_here

Examples

curl -G https://synth-link.com/api/v1/documents \
  -H "X-SYNTHLINK-KEY: sk_live_your_key_here" \
  -d limit=10

const res = await fetch(
  "https://synth-link.com/api/v1/documents?limit=10",
  {
    headers: {
      "X-SYNTHLINK-KEY": process.env.SYNTHLINK_KEY,
    },
  }
);

import httpx, os

resp = httpx.get(
    "https://synth-link.com/api/v1/documents",
    headers={"X-SYNTHLINK-KEY": os.environ["SYNTHLINK_KEY"]},
    params={"limit": 10},
)

Security best practices

Your API key grants full read access to all endpoints. Treat it like a password.

• Store in environment variables

  Never hardcode the key in source files. Use .env.local in Next.js, os.environ in Python, or your deployment platform's secret management.

• Never expose to the client

  API requests should always be made server-side. If you expose the key in client-side JavaScript, anyone can read it from the browser.

• Do not commit to version control

  Add .env* to your .gitignore. If you accidentally commit a key, rotate it immediately.

Key expiry and renewal

API keys expire 90 days after they are issued. You will receive an email reminder before expiry. Requests made with an expired key return 401 Unauthorized.

To renew, request a new key from the main site using the Request API Key button. Update your environment variables before the old key expires to avoid any downtime.

Error responses

Authentication errors return a JSON body with an error field describing the problem.

{
  "error": "Unauthorized"
}