Authentication & API keys
How to obtain, rotate, and send API keys with each call.
All /api/v1 endpoints require a workspace-scoped API key sent as a Bearer
header. Keys are managed in Settings → Developers → API keys in the
SyncPostly dashboard.
Header format
Authorization: Bearer YOUR_SECRET_TOKEN
- Do not send cookies; the API is fully stateless.
- Keys are tied to the workspace owner. Rotate immediately if you suspect leakage.
- Re-use the same header for upload URLs and the final PUT /media/upload/{id} request.
Creating and rotating keys
- Go to Settings → Developers → API keys.
- Click Create key; copy it once (it will not be shown again).
- Delete & re-issue when staff leave or if a key is exposed.
- Update your CI/CD secrets and background jobs when rotating.
Rate limits
- Reads: optimized for pagination; burst-friendly but still subject to per-workspace safeguards.
- Writes: plan-dependent. On 429 we return a Retry-After header; back off before retrying.
Environment tips
- Store keys in server-side env vars (e.g. SYNCPOSTLY_API_KEY) and inject via your HTTP client.
- Never embed keys in client-side bundles or mobile apps.
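The header format, 429 handling and environment tips above, combined into one server-side client sketch. This is an added example, not SyncPostly's own code. The base URL is a placeholder (the page gives only the /api/v1 prefix), and the retry count, delay cap and function names are assumptions.

```python
import os
import time
import urllib.error
import urllib.request

# Placeholder host: the page names only the /api/v1 prefix, not a base URL.
API_BASE = "https://api.example.invalid/api/v1"

def load_key(env=os.environ):
    """Read the key from the server-side environment; fail closed if unusable."""
    key = env.get("SYNCPOSTLY_API_KEY", "").strip()
    # Embedded whitespace or control characters could corrupt the header line.
    if not key or any(c.isspace() or ord(c) < 0x20 for c in key):
        raise RuntimeError("SYNCPOSTLY_API_KEY is missing or malformed")
    return key

def build_request(method, path, key, data=None):
    """Attach the Bearer header. urllib's default opener keeps no cookie jar."""
    if not API_BASE.startswith("https://"):
        raise ValueError("refusing to send an API key over a non-TLS URL")
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + key)
    return req

def retry_delay(headers, default=1.0, cap=60.0):
    """Seconds to wait from Retry-After; default when absent or not numeric."""
    try:
        secs = float(headers.get("Retry-After"))
    except (TypeError, ValueError):
        return default  # missing header or HTTP-date form
    return min(max(secs, 0.0), cap) if secs == secs else default  # NaN guard

def call(method, path, key, data=None, attempts=4,
         opener=urllib.request.urlopen, sleep=time.sleep):
    """Send one request, backing off on 429. Other HTTP errors propagate."""
    for attempt in range(attempts):
        try:
            with opener(build_request(method, path, key, data)) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            # Retrying a 401/403 will not help; only 429 is retried, and only
            # until the attempt budget is spent.
            if err.code != 429 or attempt == attempts - 1:
                raise
            sleep(retry_delay(err.headers))
```

A call such as call("PUT", "/media/upload/EXAMPLE_ID", load_key(), data=b"...") re-uses the same header for the final upload request; EXAMPLE_ID is a constructed stand-in for an id returned by the API.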
