Authentication
The Syncello REST API uses JWT (JSON Web Tokens) for authentication. Each user has a unique secret key used to sign tokens.
Getting Your API Key
- Log in to your Syncello dashboard
- Navigate to Settings, then Account
- Find the "API Access" section
- Copy your JWT token
Using the Token
Include your JWT in the Authorization header of every request:
curl -X POST https://api.syncello.io/v1/tools/tape/listApps \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
-H "Content-Type: application/json" \
-d '{"workspace_id": 12345}'Token Structure
Syncello JWTs contain minimal claims:
JWT Payload
{
"sub": "user-uuid-here",
"iat": 1735500000,
"iss": "syncello"
}sub- Your user IDiat- Token issue timestampiss- Issuer (always "syncello")
Note: Tokens do not expire. To invalidate all tokens, regenerate your API key in the dashboard.
Regenerating Your Key
If your API key is compromised, regenerate it immediately from the dashboard. This invalidates all previously issued tokens.
Security Warning: Keep your API key secret. It grants full access to your connected
platforms (Tape, Podio, ShareFile).
Error Responses
Authentication errors return appropriate HTTP status codes:
401 Unauthorized
Returned when the Authorization header is missing or malformed:
{
"success": false,
"error": {
"code": "UNAUTHORIZED",
"message": "Missing or invalid Authorization header"
}
}403 Forbidden
Returned when the token is valid but lacks permissions:
{
"success": false,
"error": {
"code": "FORBIDDEN",
"message": "Token does not have access to this resource"
}
}Best Practices
- Never expose your API key in client-side code, public repositories, or logs
- Use environment variables to store your API key in server-side applications
- Rotate your key periodically as a security best practice
- Monitor your API usage in the dashboard for unexpected activity
Next Steps
Learn how to execute tools with your authenticated requests.