Get started
Authentication
Bearer keys, shown once, hashed at rest. One key reaches every endpoint.
The header
Every call authenticates with a bearer key (ksk_live_…) in the Authorization header. Keys never go in a URL — URLs get logged.
Authorization: Bearer $KYNTH_API_KEYThe convention in every snippet is an environment variable named KYNTH_API_KEY — the SDKs read it automatically.
Reveal-once
We store a SHA-256 hash of your key, never the key itself. You see the secret exactly once, at mint time — lose it and you create a new key, you don't recover the old one. That's also why these docs can't inject a saved key into snippets: nothing anywhere can show you a stored secret. The quickstart mints one on the page instead and substitutes it live.
Rotation & revocation
Keys are named so you know what each one is wired into. Rotate by minting a new key, deploying it, then revoking the old one on the Keys page — revocation is immediate. The console attributes every billed call to the key that made it, so you can see a dying key go quiet before you revoke it.
Scope
One account, one wallet, every endpoint — keys don't carry per-endpoint scopes. Rate limits apply per key per endpoint; a 429 carries Retry-After.