LogoSyncPostly Docs
Homepage

Authentication & API keys

How to obtain, rotate, and send API keys with each call.

All /api/v1 endpoints require a workspace-scoped API key sent as a Bearer header. Keys are managed in Settings → Developers → API keys in the SyncPostly dashboard.

Header format

Authorization: Bearer YOUR_SECRET_TOKEN
  • Do not send cookies; the API is fully stateless.
  • Keys are tied to the workspace owner. Rotate immediately if you suspect leakage.
  • Re-use the same header for upload URLs and the final PUT /media/upload/{id} request.

Creating and rotating keys

  1. Go to Settings → Developers → API keys.
  2. Click Create key; copy it once (it will not be shown again).
  3. Delete & re-issue when staff leave or if a key is exposed.
  4. Update your CI/CD secrets and background jobs when rotating.

Rate limits

  • Reads: optimized for pagination; burst-friendly but still subject to per-workspace safeguards.
  • Writes: plan-dependent. On 429 we return a Retry-After header; back off before retrying.

Environment tips

  • Store keys in server-side env vars (e.g. SYNCPOSTLY_API_KEY) and inject via your HTTP client.
  • Never embed keys in client-side bundles or mobile apps.

Table of Contents

Header formatCreating and rotating keysRate limitsEnvironment tips