Authentication

All API requests are authenticated using API keys passed in the Authorization header.

Environments

Synapto has two environments. Your API key works in the environment it was created in.

Environment   Base URL                               Dashboard
Sandbox       https://api.synapto.construction/v1/   dashboard.synapto.construction
Production    https://api.synaptopay.com/v1/         dashboard.synaptopay.com

The JS SDK script URL also differs by environment:

Environment   Script URL
Sandbox       https://js.synapto.construction/synapto.js
Production    https://js.synaptopay.com/synapto.js

Getting your API key

  1. Log in to the Dashboard
  2. Go to Settings > Developer
  3. Click Create API Key, give it a name, and copy the secret

The secret is only shown once — store it securely. If you lose it, you can rotate the key to generate a new secret.

Finding your account ID

Your account ID is visible in the Dashboard URL:

https://dashboard.synaptopay.com/accounts/acct_RwDJsJd8z0exhtfX2570Q/...
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^

It's also shown in the account selector dropdown at the top of the Dashboard.

API key format

All API keys use the sk_live_ prefix, in both sandbox and production:

sk_live_ToQZ8KP8PipS0l1U3uzNyh

The sk_live_ prefix is the same in both environments. Which environment you're using is determined by the base URL, not the key prefix.

Publishable keys

Publishable keys identify your account in client-side code. Unlike API keys, they are safe to expose publicly — they cannot be used to read data or perform actions on your account.

Each account has one publishable key, auto-generated when the account is created. Find it in the Dashboard under Settings > Developer.

All publishable keys use the pk_live_ prefix:

pk_live_YmSPdVPxqSMuJf1vYPZANt

Use the publishable key when initializing the JS SDK:

const syn = Synapto("pk_live_YOUR_PUBLISHABLE_KEY");

Secret keys vs publishable keys: Secret API keys (sk_live_) authenticate server-side requests and must be kept confidential. Publishable keys (pk_live_) identify your account in client-side code and are safe to embed in your frontend.

Making authenticated requests

Pass your API key in the Authorization header with the Api-Key prefix:

curl https://api.synaptopay.com/v1/accounts/acct_YOUR_ACCOUNT \
  -H "Authorization: Api-Key sk_live_YOUR_API_KEY"

Error responses

Missing API key

If the Authorization header is not provided:

HTTP/1.1 403 Forbidden
{
  "message": "Please provide your api key to authenticate via the \"Api-Key\" header.",
  "code": 7
}

Invalid API key

If the API key is not recognized or inactive:

HTTP/1.1 403 Forbidden
{
  "message": "Unknown api key \"sk_live_...\" provided in \"Api-Key\" header, please ensure the api key is correct and active.",
  "code": 7
}

Malformed Authorization header

If the header value doesn't follow the Api-Key <key> format:

HTTP/1.1 401 Unauthorized
{
  "message": "Malformed Authorization header, please use values like \"Api-Key sk_live_ToQZ8KP8PipS0l1U3uzNyh\".",
  "code": 16
}
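
The request format and error responses above, combined in a server-side helper. This is an added example, not part of Synapto's documentation or SDK. It builds the Authorization header for an explicitly chosen environment, rejects publishable or whitespace-damaged keys before they are sent, and labels the three documented auth failures while masking key material in the message that gets logged. Assumptions: the function names are hypothetical, key bodies are alphanumeric as in the sample keys on this page, and the error message wording is stable.

```javascript
// Added example, not Synapto code. Function names are hypothetical.
const BASE_URLS = {
  sandbox: "https://api.synapto.construction/v1",
  production: "https://api.synaptopay.com/v1",
};

// Mask anything that looks like a secret key before it reaches a log line.
// Assumption: key bodies are alphanumeric, as in the sample keys on this page.
function redact(text) {
  return String(text).replace(/\bsk_live_[A-Za-z0-9]+/g, "sk_live_[REDACTED]");
}

// Build a server-side request. The environment is an explicit argument because
// the sk_live_ prefix is the same in sandbox and production.
function buildRequest(env, secretKey, path) {
  if (!Object.prototype.hasOwnProperty.call(BASE_URLS, env)) {
    throw new Error("unknown environment: " + env);
  }
  if (typeof secretKey !== "string" || !/^sk_live_[A-Za-z0-9]+$/.test(secretKey)) {
    // Also catches pk_live_ keys and values with stray whitespace or newlines.
    throw new Error("expected a secret API key in sk_live_ format");
  }
  return {
    url: BASE_URLS[env] + path,
    headers: { Authorization: "Api-Key " + secretKey },
  };
}

// Map the documented auth failures to a stable label plus a log-safe message.
// Both 403 cases share code 7, so they are told apart by message text
// (assumption: the wording shown on this page is stable).
function classifyAuthError(status, body) {
  const raw = body && typeof body.message === "string" ? body.message : "";
  const code = body ? body.code : undefined;
  let kind = "other";
  if (status === 401 && code === 16) kind = "malformed_header";
  else if (status === 403 && code === 7) {
    kind = raw.startsWith("Unknown api key") ? "unknown_or_inactive_key" : "missing_key";
  }
  return { kind, logMessage: redact(raw) };
}
```

Load the secret from server-side configuration and pass it to buildRequest; log only the logMessage field, never the raw response body or the request headers.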