Authentication

Every request to the Synoppy API is authenticated with a bearer token. Pass your API key in the Authorization header on every call.

Read, Map, Enrich, and Images can be called without a key for quick testing, subject to an IP rate limit. Extract, Classify, and Crawl always require a key (they run AI models or read many pages per call) — an anonymous call returns 401 with code AUTH_REQUIRED.

Authorization: Bearer syn_live_xxxxxxxxxxxxxxxxxxxxxxxx

Creating keys

Generate and revoke keys from the dashboard. The full secret is displayed only once, at creation time. If you lose it, revoke the key and create a new one.

How keys are stored

We never store your raw key. At creation we keep a short, non-secret prefix (so you can identify a key in the dashboard) and a SHA-256 hash of the full secret. Incoming requests are authenticated by hashing the presented token and comparing it to the stored hash in constant time. Because only the hash is persisted, a database compromise does not expose usable keys.
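
The storage and verification scheme described above, sketched as an added example (not Synoppy's own code). The prefix length, the in-memory KEY_STORE, the key format after syn_live_, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 17  # assumption: "syn_live_" plus 8 characters; the page gives no length

# Hypothetical stand-in for the key table: non-secret prefix -> hex SHA-256 digest.
KEY_STORE = {}


def create_key():
    """Mint a key, persist only its prefix and hash, and return the secret once."""
    secret = "syn_live_" + secrets.token_hex(12)  # constructed format, 24 random hex chars
    # Unsalted SHA-256 is reasonable only because the secret is long and random,
    # unlike a user-chosen password.
    KEY_STORE[secret[:PREFIX_LEN]] = hashlib.sha256(secret.encode()).hexdigest()
    return secret


def revoke_key(prefix):
    """Revocation removes the stored hash; the secret itself was never kept."""
    KEY_STORE.pop(prefix, None)


def parse_bearer(header):
    """Return the token from an Authorization header value, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def verify_key(presented):
    """Hash the presented token and compare it to the stored hash in constant time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    stored = KEY_STORE.get(presented[:PREFIX_LEN])
    # An unknown prefix is compared against a dummy digest so both paths do the same work.
    expected = stored if stored is not None else "0" * 64
    matches = hmac.compare_digest(digest, expected)
    return matches and stored is not None
```

A request handler would call parse_bearer on the Authorization header and answer 401 when it returns None or verify_key returns False.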

Good practices

  • Keep keys server-side. Never embed them in browser or mobile clients.
  • Use separate keys per environment and per service so you can revoke narrowly.
  • Rotate on a schedule, and immediately if a key may have leaked.

Unauthorized requests

A missing or invalid key returns 401 Unauthorized. See Errors for the full list.