Get started

Authentication

Bearer keys, shown once, hashed at rest. One key reaches every endpoint.

The header

Every call authenticates with a bearer key (ksk_live_…) in the Authorization header. Keys never go in a URL — URLs get logged.

Authorization: Bearer $KYNTH_API_KEY

The convention in every snippet is an environment variable named KYNTH_API_KEY — the SDKs read it automatically.

Reveal-once

We store a SHA-256 hash of your key, never the key itself. You see the secret exactly once, at mint time — lose it and you create a new key, you don't recover the old one. That's also why these docs can't inject a saved key into snippets: nothing anywhere can show you a stored secret. The quickstart mints one on the page instead and substitutes it live.

Rotation & revocation

Keys are named so you know what each one is wired into. Rotate by minting a new key, deploying it, then revoking the old one on the Keys page — revocation is immediate. The console attributes every billed call to the key that made it, so you can see a dying key go quiet before you revoke it.

Scope

One account, one wallet, every endpoint — keys don't carry per-endpoint scopes. Rate limits apply per key per endpoint; a 429 carries Retry-After.