Skip to main content
API keys authenticate server-side payment API requests. They are scoped to your organization and environment. All key management endpoints require a user JWT (Authorization: Bearer <access_token>), not an API key.
An API key is shown in full only once, at creation time. Store it securely — it cannot be retrieved again.
Only one active API key is allowed per organization at a time. Revoke the existing key before creating a new one.

Create an API key

POST /api/v1/auth/api-keys
Requires user JWT authentication. Rate limit: 1 creation per minute per user.
key_name
string
required
A human-readable name for the key (1–255 characters).
expires_in_days
integer
Number of days until the key expires. Omit for a non-expiring key.
idempotency_key
string
Optional idempotency key to prevent duplicate creation on retried requests. Cached for 24 hours.
env
string
Environment for the key: live or test. The actual environment is inferred from your organization’s current status — if payments are not yet enabled, the key will be issued for test regardless of the value provided.
Response
api_key_id
string
required
Unique identifier for the API key.
key
string
required
The plaintext API key. Shown only once. Copy and store it immediately.
key_name
string
required
The name you assigned to the key.
created_at
string
required
ISO 8601 creation timestamp.
expires_at
string
ISO 8601 expiration timestamp, or null if the key does not expire.
{
  "api_key_id": "key_abc123",
  "key": "sk_live_a1b2c3d4e5f6g7h8i9j0",
  "key_name": "Production key",
  "created_at": "2024-01-15T10:00:00Z",
  "expires_at": "2025-01-15T10:00:00Z"
}

List API keys

GET /api/v1/auth/api-keys
Requires user JWT authentication. Returns all keys for your organization in the current environment. Plaintext key values are never included in list responses. Response
keys
object[]
required
Array of API key objects.
{
  "keys": [
    {
      "api_key_id": "key_abc123",
      "key_name": "Production key",
      "is_active": true,
      "created_at": "2024-01-15T10:00:00Z",
      "last_used_at": "2024-01-20T08:30:00Z",
      "expires_at": "2025-01-15T10:00:00Z"
    }
  ]
}

Revoke an API key

POST /api/v1/auth/api-keys/{api_key_id}/revoke
Requires user JWT authentication. Revoked keys are immediately invalidated and cannot be used for authentication. Path parameters
api_key_id
string
required
The ID of the API key to revoke.
Response
status
string
required
Always "revoked".
api_key_id
string
required
The ID of the revoked key.
{
  "status": "revoked",
  "api_key_id": "key_abc123"
}

Error codes

StatusDescription
400Organization already has an active key. Revoke it before creating a new one.
403Connected accounts cannot manage API keys.
404API key not found.
429Rate limit exceeded. Wait 1 minute before creating another key.

Example

Create a key 
curl --request POST \
  --url https://api.syncgrampay.com/api/v1/auth/api-keys \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...' \
  --header 'Content-Type: application/json' \
  --data '{
    "key_name": "Production key",
    "expires_in_days": 365,
    "env": "live"
  }'
List keys 
curl --request GET \
  --url https://api.syncgrampay.com/api/v1/auth/api-keys \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
Revoke a key 
curl --request POST \
  --url https://api.syncgrampay.com/api/v1/auth/api-keys/key_abc123/revoke \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'