Authentication
The Syncro API uses an API Key sent in the `X-API-Key` header. Every request needs this header — there is no user/password login or OAuth.
Base URL
https://app.syncro.chat/api/v1
Auth
X-API-Key: crm_SUA_CHAVE_AQUI
Authentication method
Send your key in the X-API-Key header on every request:
X-API-Key: crm_SUA_CHAVE_AQUI
The key identifies your account (tenant). All data returned and created is restricted to the account that owns the key.
How to generate your token
- Open the Syncro panel and go to Settings → API Keys (`/configuracoes/api-keys`).
- Click New API Key, give it a name (e.g. "n8n integration") and confirm.
- Copy the key right away. It is shown only once. Syncro stores only a hash of the key — if you lose it, you will have to generate another one.
- The key format is `crm_` followed by a random sequence (e.g. `crm_a1b2c3d4...`). After creation, the panel shows only the prefix (`crm_...`) for identification.
To revoke a key, go back to Settings → API Keys and delete the key — access is cut off immediately.
Header format
X-API-Key: crm_SUA_CHAVE_AQUI
Content-Type: application/json
Example request
curl https://app.syncro.chat/api/v1/account \
-H "X-API-Key: crm_SUA_CHAVE_AQUI" \
-H "Content-Type: application/json"
Permissions (scopes)
Each operation requires a permission. A new key is created with full access (all permissions). The scopes per resource are:
| Resource | Read | Write |
|---|---|---|
| Leads | leads:read | leads:write |
| Pipelines | pipelines:read | — (read-only) |
| Custom fields | custom_fields:read | — (read-only) |
| Nurture sequences | sequences:read | sequences:write |
| Tasks | tasks:read | tasks:write |
| WhatsApp | whatsapp:read | whatsapp:write |
| Account / Users | users:read | — (read-only) |
| Webhooks | webhooks:read | webhooks:write |
When a key lacks the required permission, the API responds with 403, and the `required_permission` field in the response indicates the missing scope (see Errors and limits).
Security and best practices
- Store the key in an environment variable or secrets vault — never in versioned source code or in the front-end.
- Always use HTTPS.
- Generate one key per integration so you can revoke them individually.
- If you suspect a leak, delete the key and generate another one.
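The practices above and the 403 behaviour from the Permissions section, combined in one small client. This is an added example, not Syncro's own code. The `SYNCRO_API_KEY` variable name, the helper names and the assumption that `required_permission` is a top-level JSON field of the 403 body are not from the documentation.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://app.syncro.chat/api/v1"  # base URL from this page

class MissingScope(Exception):
    """Raised on 403; the message is the scope named by required_permission."""

def load_key(env=os.environ, var="SYNCRO_API_KEY"):
    # Variable name is an assumption; the crm_ prefix is the documented format.
    key = env.get(var, "").strip()
    if not key.startswith("crm_"):
        # The message names the variable only, never the key value.
        raise ValueError(f"{var} is unset or does not hold a crm_ key")
    return key

def build_request(path, key, base_url=BASE_URL):
    # Never let the key leave the process over plain HTTP.
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    headers = {"X-API-Key": key, "Content-Type": "application/json"}
    return urllib.request.Request(base_url + path, headers=headers)

def interpret(status, body):
    # Assumption: required_permission is a top-level field of a JSON 403 body.
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        data = {}
    if status == 403:
        scope = data.get("required_permission") if isinstance(data, dict) else None
        raise MissingScope(scope or "unknown")
    if status >= 400:
        raise RuntimeError(f"HTTP {status}")
    return data

def call(path, key):
    try:
        with urllib.request.urlopen(build_request(path, key), timeout=10) as r:
            return interpret(r.status, r.read())
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read())

if __name__ == "__main__":
    print(call("/account", load_key()))
```

Catching `MissingScope` in the integration shows exactly which scope a key lacks.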