Authentication

FinSync currently documents two authentication modes in the OpenAPI spec.

API key authentication

Most company-scoped endpoints expect an x-api-key header.

curl --request GET \
  --url "https://finsync.ar/api/clients" \
  --header "x-api-key: YOUR_API_KEY"

Use API keys for routes such as:
  • Client management
  • Account and balance operations
  • Operation creation and review
  • Company transaction and operation type lookups

Bearer authentication

Some superadmin routes expect a bearer token, typically a Supabase access token with the required allowlist checks.

curl --request GET \
  --url "https://finsync.ar/api/superadmin/companies" \
  --header "Authorization: Bearer YOUR_ACCESS_TOKEN"

  • Generate separate API keys per integration or environment.
  • Never expose secrets in browser-only code or public repositories.
  • Rotate keys if you suspect they were shared or logged.
  • Check each endpoint’s security requirements in the generated API reference because some routes override the global auth scheme.
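
One way to run the per-endpoint check above against an OpenAPI 3 document, shown as an added example that is not FinSync's own code. It relies on the OpenAPI rule that an operation-level `security` list replaces the top-level one and that an empty list removes authentication. The embedded spec is constructed: the scheme names `ApiKeyAuth` and `BearerAuth` and the `/api/health` route are assumptions, not taken from the FinSync spec.

```python
# Added example: resolve the effective auth requirement of every operation in an
# OpenAPI 3 document. SAMPLE_SPEC is constructed; scheme names are assumptions.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"ApiKeyAuth": []}],  # global default scheme
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "x-api-key"},
        "BearerAuth": {"type": "http", "scheme": "bearer"},
    }},
    "paths": {
        "/api/clients": {"get": {}},  # no operation-level security: inherits global
        "/api/superadmin/companies": {"get": {"security": [{"BearerAuth": []}]}},
        "/api/health": {"get": {"security": []}},  # hypothetical route, explicit no-auth
    },
}


def effective_security(spec):
    """Map (METHOD, path) -> (source, alternatives); an empty list means no auth."""
    global_req = spec.get("security", [])
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip path-level keys such as "parameters" or "summary"
            if "security" in op:
                source, reqs = "override", op["security"]
            else:
                source, reqs = "global", global_req
            # Each alternative is the set of schemes that must all be presented.
            alts = [frozenset(r) for r in reqs]
            result[(method.upper(), path)] = (source, alts)
    return result


def unauthenticated(spec):
    """Operations callable with no credentials: empty list or an empty {} alternative."""
    return sorted(
        key for key, (_, alts) in effective_security(spec).items()
        if not alts or frozenset() in alts
    )


if __name__ == "__main__":
    for (method, path), (source, alts) in sorted(effective_security(SAMPLE_SPEC).items()):
        schemes = " OR ".join("+".join(sorted(a)) or "none" for a in alts) or "none"
        print(f"{method:6} {path:30} {source:8} {schemes}")
```

To audit a real spec, load it with `json.load` and pass the resulting dict to `effective_security`; any route returned by `unauthenticated` deserves a review before release.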