Authentication
The Syntext API uses API keys for authentication. Each key is scoped to an organization and can have specific permissions.
API Keys
Creating an API Key
- Go to Syntext Dashboard
- Navigate to Settings → API Keys
- Click Create New Key
- Select permissions and expiration
- Copy the key (shown only once)
Key Format
API keys follow this format:
stx_abc12345_...xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
stx_abc12345_...— Production keysk_test_— Test/sandbox key
Using API Keys
Include your API key in the Authorization header:
curl https://api.syntext.dev/v1/projects \
-H "Authorization: Bearer stx_abc12345_your_api_key"
Never expose API keys in client-side code, public repositories, or logs.
Key Permissions
API keys can be scoped to specific operations:
| Permission | Description |
|---|---|
projects:read |
List and view projects |
projects:write |
Create and update projects |
builds:read |
View build status |
builds:write |
Trigger builds |
search:read |
Query search index |
admin |
Full access |
Example: Read-Only Key
A CI system that only needs to trigger builds:
{
"name": "CI Deploy Key",
"permissions": ["builds:write"]
}
Key Rotation
Rotate keys periodically for security:
- Create a new key with the same permissions
- Update your applications to use the new key
- Verify everything works
- Delete the old key
Environment Variables
Store API keys in environment variables:
export SYNTEXT_API_KEY=stx_abc12345_...
Then reference in code:
import { Syntext } from '@syntext/sdk';
const client = new Syntext({
apiKey: process.env.SYNTEXT_API_KEY
});
API Key Endpoints
List API Keys
curl https://api.syntext.dev/v1/api-keys \
-H "Authorization: Bearer stx_abc12345_..."
{
"data": [
{
"id": "key_abc123",
"name": "Production",
"prefix": "stx_abc12345_...",
"permissions": ["admin"],
"created_at": "2024-01-15T12:00:00Z",
"last_used_at": "2024-01-20T08:30:00Z"
}
]
}
Create API Key
curl -X POST https://api.syntext.dev/v1/api-keys \
-H "Authorization: Bearer stx_abc12345_..." \
-H "Content-Type: application/json" \
-d '{
"name": "CI Deploy",
"permissions": ["builds:write"]
}'
{
"data": {
"id": "key_def456",
"name": "CI Deploy",
"key": "stx_abc12345_...",
"permissions": ["builds:write"],
"created_at": "2024-01-21T10:00:00Z"
}
}
The full API key is only returned once, at creation time. Store it securely.
Delete API Key
curl -X DELETE https://api.syntext.dev/v1/api-keys/key_def456 \
-H "Authorization: Bearer stx_abc12345_..."
Security Best Practices
- Use environment variables — Never hardcode keys
- Minimum permissions — Grant only necessary access
- Rotate regularly — Create new keys periodically
- Monitor usage — Check
last_used_atfor anomalies - Separate environments — Use different keys for dev/staging/prod