Authentication
All API requests are authenticated using API keys passed in the Authorization header.
Environments
Synapto has two environments — sandbox and production. Your API key works only in the environment it was created in. See Environments for the base URLs, Dashboard URLs, and JS SDK script URLs.
Getting your API key
- Log in to the Dashboard
- Go to Settings > Developer
- Click Create API Key, give it a name, and copy the secret
The secret is only shown once — store it securely. If you lose it, you can rotate the key to generate a new secret.
Finding your account ID
Your account ID is visible in the Dashboard URL:
https://dashboard.synaptopay.com/accounts/acct_RwDJsJd8z0exhtfX2570Q/...
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's also shown in the account selector dropdown at the top of the Dashboard.
API key format
The API key prefix tells you which environment a key belongs to — sk_live_ for production, sk_sandbox_ for sandbox:
sk_live_ToQZ8KP8PipS0l1U3uzNyh
sk_sandbox_Hq2RkVdNmTcW51xPzhB3J
A key only works against its own environment's base URL: a sk_sandbox_ key is not recognized by the production API, and vice versa. One exception: keys for the legacy test environment may use the sk_live_ or sk_dev_ prefix, but still only work against the legacy base URL.
Publishable keys
Publishable keys identify your account in client-side code. Unlike API keys, they are safe to expose publicly — they cannot be used to read data or perform actions on your account.
Each account has one publishable key, auto-generated when the account is created. Find it in the Dashboard under Settings > Developer.
Publishable keys follow the same environment prefixes as API keys — pk_live_ for production, pk_sandbox_ for sandbox (legacy test environment keys may use pk_live_ or pk_dev_):
pk_live_YmSPdVPxqSMuJf1vYPZANt
Use the publishable key when initializing the JS SDK:
const syn = Synapto("pk_live_YOUR_PUBLISHABLE_KEY");
Secret keys vs publishable keys: Secret API keys (sk_...) authenticate server-side requests and must be kept confidential. Publishable keys (pk_...) identify your account in client-side code and are safe to embed in your frontend.
Making authenticated requests
Pass your API key in the Authorization header with the Api-Key prefix:
curl https://api.synaptopay.com/v1/accounts/acct_YOUR_ACCOUNT \
  -H "Authorization: Api-Key sk_live_YOUR_API_KEY"
Error responses
Missing API key
If the Authorization header is not provided:
HTTP/1.1 403 Forbidden
{
"message": "Please provide your api key to authenticate via the \"Api-Key\" header.",
"code": 7
}
Invalid API key
If the API key is not recognized or inactive:
HTTP/1.1 403 Forbidden
{
"message": "Unknown api key \"sk_live_...\" provided in \"Api-Key\" header, please ensure the api key is correct and active.",
"code": 7
}
Malformed Authorization header
If the header value doesn't follow the Api-Key <key> format:
HTTP/1.1 401 Unauthorized
{
"message": "Malformed Authorization header, please use values like \"Api-Key sk_live_ToQZ8KP8PipS0l1U3uzNyh\".",
"code": 16
}
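The prefix rules under "API key format" and the responses under "Error responses" can be enforced on your server before and after a request is sent. This is an added example, not Synapto's own code; the function names and the returned reason strings are assumptions, and the sk_dev_ key in the test is constructed.

```javascript
// Added example (not Synapto code). Helper names are hypothetical.
// Secret-key prefixes accepted per environment, as described on this page.
const PREFIXES = {
  production: ["sk_live_"],
  sandbox: ["sk_sandbox_"],
  legacy: ["sk_live_", "sk_dev_"], // legacy test environment exception
};

// Keep only the environment prefix so logs never contain the secret.
function redactKey(apiKey) {
  const m = /^(sk|pk)_[a-z]+_/.exec(String(apiKey));
  return (m ? m[0] : "") + "...";
}

// Build the Authorization header, refusing keys that cannot work in `env`.
function buildAuthHeader(apiKey, env) {
  const allowed = PREFIXES[env];
  if (!allowed) throw new Error(`unknown environment: ${env}`);
  // Stray whitespace (e.g. a trailing newline from a secrets file) would
  // break the "Api-Key <key>" header format, so reject it locally.
  if (typeof apiKey !== "string" || /\s/.test(apiKey)) {
    throw new Error("API key must be a string without whitespace");
  }
  if (apiKey.startsWith("pk_")) {
    throw new Error("publishable key given; server requests need a secret sk_ key");
  }
  const prefix = allowed.find((p) => apiKey.startsWith(p));
  if (!prefix || apiKey.length === prefix.length) {
    throw new Error(`${redactKey(apiKey)} does not belong to ${env}`);
  }
  return { Authorization: `Api-Key ${apiKey}` };
}

// Map the documented error responses to a stable reason string.
// Missing and unknown keys share 403 / code 7, so the message decides.
function classifyAuthError(status, body) {
  const code = body ? body.code : undefined;
  const msg = (body && body.message) || "";
  if (status === 401 && code === 16) return "malformed_header";
  if (status === 403 && code === 7) {
    if (msg.startsWith("Unknown api key")) return "unknown_or_inactive_key";
    if (msg.startsWith("Please provide your api key")) return "missing_key";
  }
  return "not_an_auth_error";
}
```

Use redactKey whenever a key appears in a log line or an exception message, as buildAuthHeader does.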