API Keys
API Keys allow you to authenticate your custom applications and third-party integrations with Sydx AI. Use them to programmatically access your CRM data, send messages, or build custom workflows.
How API Keys Work
- You generate an API key from the Sydx AI dashboard
- The key is shown once — copy and store it securely
- Use the key in your application's
Authorizationheader - Sydx AI verifies the key and grants access to the associated organization's data
Generating an API Key
Step 1: Navigate to Settings
- Open the Sydx AI dashboard
- Click Settings in the sidebar
- Go to the API Keys section
Step 2: Create a Key
- Click "Generate New Key"
- Enter a name for the key (e.g., "n8n Production", "Internal CRM Sync")
- Select permissions (default: all)
- Click Generate
Step 3: Copy and Store
The API key is displayed only once at creation time. Copy it immediately and store it in a secure location (e.g., environment variable, secrets manager). You will not be able to view the full key again.
Your API key will look like this:
sydx_your-tenant-id_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6...
The format is: sydx_ + tenantId + _ + random token
Using Your API Key
Include the API key in the Authorization header of your HTTP requests:
curl -X GET https://sydxai.com/api/v1/contacts \
-H "Authorization: Bearer sydx_your-tenant-id_a1b2c3d4e5..." \
-H "Content-Type: application/json"
Node.js Example
const axios = require('axios');
const response = await axios.get('https://sydxai.com/api/v1/contacts', {
headers: {
'Authorization': 'Bearer sydx_your-tenant-id_a1b2c3d4e5...',
'Content-Type': 'application/json'
}
});
console.log(response.data);
Managing API Keys
Viewing Keys
Go to Settings → API Keys to see all active keys. For security, only the last 4 characters of each key are displayed.
| Column | Description |
|---|---|
| Name | The label you gave the key |
| Key Hint | Last 4 characters for identification |
| Permissions | What the key can access |
| Created | When the key was generated |
| Last Used | When the key was last used for authentication |
Revoking a Key
If a key is compromised or no longer needed:
- Go to Settings → API Keys
- Find the key you want to revoke
- Click the Delete button
- Confirm revocation
Revoking a key is immediate and permanent. Any application using this key will lose access instantly. Make sure to update your applications with a new key before revoking the old one.
Limits
- Maximum 10 API keys per organization
- Keys do not expire automatically (revoke manually when needed)
- All keys are scoped to a single organization
Security Best Practices
| Practice | Why |
|---|---|
| Never commit keys to Git | Use environment variables or .env files instead |
| Rotate keys periodically | Generate a new key and revoke the old one every 90 days |
| Use descriptive names | Name keys after their purpose (e.g., "Backend Server", "n8n Webhook") |
| Principle of least privilege | Only grant the permissions each key actually needs |
| Monitor usage | Check the "Last Used" timestamp regularly for unexpected activity |
| Revoke unused keys | Delete any keys that are no longer in active use |
Access Requirements
- Only Owners and Admins can create, view, or revoke API keys
- Staff members do not have access to the API Keys section
Troubleshooting
401 Unauthorized Response
| Cause | Fix |
|---|---|
| Key is missing | Add the Authorization: Bearer <key> header |
| Key is invalid | Verify you're using the correct key — check the hint in Settings |
| Key was revoked | Generate a new key from the dashboard |
| Wrong format | Ensure the format is Bearer <key> (with a space after Bearer) |
403 Forbidden Response
The key is valid but lacks the required permissions. Check the key's permission scope in Settings.