Authentication
The SuprSync External API uses API key pairs for authentication. Every request must include both your client ID and client secret in the request headers.
Headers
| Header | Description |
|---|---|
| x-api-key | Your client ID (prefixed with api_) |
| x-api-secret | Your client secret (prefixed with sec_) |
Example
curl -X GET "https://api.suprsync.com/external/v1/locations" \
  -H "x-api-key: api_a1b2c3d4e5f6a1b2c3d4e5f6" \
  -H "x-api-secret: sec_abcdef1234567890abcdef1234567890abcdef1234567890"
Obtaining Credentials
API credentials are generated by a SuprSync admin from the application dashboard:
- Navigate to Settings > API Keys in the SuprSync admin panel.
- Click Create API Key and provide a name for the integration.
- Copy both the Client ID and Client Secret immediately.
⚠️ Caution: The client secret is shown only once at creation time. Store it securely. If lost, you must rotate the key to receive a new secret.
Key Management
Rotating Keys
If a secret is compromised or you need to refresh credentials, an admin can rotate the key from the dashboard. This generates a new secret while keeping the same client ID.
Revoking Keys
Admins can revoke an API key at any time. Once revoked, all requests using that key will receive a 401 Unauthorized response.
Security Best Practices
- Store credentials in environment variables or a secrets manager. Never hard-code them.
- Use server-to-server calls. Do not expose credentials in client-side code.
- Rotate keys periodically and immediately if a compromise is suspected.
- Each integration should use its own API key for auditability.
Error Responses
| Status | Meaning |
|---|---|
| 401 | Missing or invalid credentials |
{
  "error": {
    "code": 401,
    "message": "Missing API credentials"
  }
}
{
  "error": {
    "code": 401,
    "message": "Invalid API credentials"
  }
}
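A server-side client that follows the Security Best Practices above and acts on the two documented 401 bodies, as an added example (not SuprSync's own code). The environment variable names `SUPRSYNC_CLIENT_ID` and `SUPRSYNC_CLIENT_SECRET`, the function names, and the suggested operator actions are assumptions; the `/locations` response is returned as parsed JSON because its shape is not documented on this page.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.suprsync.com/external/v1"  # taken from the curl example

class CredentialError(Exception):
    """Credentials are malformed locally or were rejected by the API."""

def load_headers(env=os.environ):
    # Assumed variable names; populate them from your secrets manager.
    key = env.get("SUPRSYNC_CLIENT_ID", "")
    secret = env.get("SUPRSYNC_CLIENT_SECRET", "")
    # Catch unset, swapped or truncated values before any request is sent.
    if not key.startswith("api_") or not secret.startswith("sec_"):
        raise CredentialError("client ID must start with api_, secret with sec_")
    return {"x-api-key": key, "x-api-secret": secret}

def explain_401(body):
    """Map the documented 401 bodies to an operator action (assumed wording)."""
    try:
        message = json.loads(body)["error"]["message"]
    except (ValueError, KeyError, TypeError):
        return "unrecognized 401 body"
    if message == "Missing API credentials":
        return "one or both headers did not reach the API"
    if message == "Invalid API credentials":
        return "key rejected: it may have been rotated or revoked"
    return "unrecognized 401 body"

def get_locations(env=os.environ):
    req = urllib.request.Request(BASE_URL + "/locations", headers=load_headers(env))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            # Raise without the request attached so header values never
            # end up in logs or tracebacks.
            raise CredentialError(explain_401(exc.read())) from None
        raise
```

Giving each integration its own pair of variables keeps the per-integration audit trail the best practices call for.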