Syncro

Authentication

The Syncro API uses an API Key sent in the `X-API-Key` header. Every request needs this header — there is no user/password login or OAuth.

Base URL: https://app.syncro.chat/api/v1
Auth: X-API-Key: crm_SUA_CHAVE_AQUI

Authentication method

Send your key in the X-API-Key header on every request:

X-API-Key: crm_SUA_CHAVE_AQUI

The key identifies your account (tenant). All data returned and created is restricted to the account that owns the key.

How to generate your token

  1. Open the Syncro panel and go to Settings → API Keys (/configuracoes/api-keys).
  2. Click New API Key, give it a name (e.g. "n8n integration") and confirm.
  3. Copy the key right away. It is shown only once. Syncro stores only a hash of the key — if you lose it, you will have to generate another one.
  4. The key format is crm_ followed by a random sequence (e.g. crm_a1b2c3d4...). After creation, the panel shows only the prefix (crm_...) for identification.

To revoke a key, go back to Settings → API Keys and delete the key — access is cut off immediately.

Header format

X-API-Key: crm_SUA_CHAVE_AQUI
Content-Type: application/json

Example request

curl https://app.syncro.chat/api/v1/account \
  -H "X-API-Key: crm_SUA_CHAVE_AQUI" \
  -H "Content-Type: application/json"

Permissions (scopes)

Each operation requires a permission. A new key is created with full access (all permissions). The scopes per resource are:

Resource            Read                 Write
Leads               leads:read           leads:write
Pipelines           pipelines:read       — (read-only)
Custom fields       custom_fields:read   — (read-only)
Nurture sequences   sequences:read       sequences:write
Tasks               tasks:read           tasks:write
WhatsApp            whatsapp:read        whatsapp:write
Account / Users     users:read           — (read-only)
Webhooks            webhooks:read        webhooks:write

When a key lacks the required permission, the API responds 403 with the required_permission field indicating the missing scope (see Errors and limits).

Security and best practices

  • Store the key in an environment variable or secrets vault — never in versioned source code or in the front-end.
  • Always use HTTPS.
  • Generate one key per integration so you can revoke them individually.
  • If you suspect a leak, delete the key and generate another one.
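
A minimal client that applies the practices above, as an added example and not code from Syncro: it reads the key from an environment variable, refuses non-HTTPS base URLs, and turns a 403 into an error naming the missing scope. The variable name SYNCRO_API_KEY, the helper names and the assumption that required_permission is a top-level JSON field of the 403 body are illustrative; the page does not specify them.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://app.syncro.chat/api/v1"  # base URL given on the page

class MissingScope(Exception):
    """HTTP 403: the key lacks the scope named in required_permission."""
    def __init__(self, scope):
        super().__init__(f"API key lacks permission: {scope}")
        self.scope = scope

def load_key(env=os.environ, var="SYNCRO_API_KEY"):  # var name is an assumption
    """Read the key from the environment; never hard-code it in source."""
    key = env.get(var, "").strip()
    if not key.startswith("crm_") or len(key) == len("crm_"):
        raise ValueError(f"{var} is unset or not in the crm_... format")
    return key

def build_request(path, key, base_url=BASE_URL):
    """Attach X-API-Key, refusing any base URL that is not HTTPS."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    headers = {"X-API-Key": key, "Content-Type": "application/json"}
    return urllib.request.Request(url, headers=headers)

def scope_from_403(body):
    """Return required_permission from a 403 body, or None if absent.
    Assumes a top-level JSON field; the page does not show the body."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data.get("required_permission") if isinstance(data, dict) else None

def call(path, key, opener=urllib.request.urlopen):
    """GET path and return parsed JSON; a 403 becomes MissingScope."""
    try:
        with opener(build_request(path, key), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            raise MissingScope(scope_from_403(err.read())) from None
        raise

if __name__ == "__main__":
    print(call("/account", load_key()))
```

The error messages never include the key itself, so they are safe to write to logs.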