Authentication

API keys, OIDC tokens, rotation, and per-environment key strategy.

FIG. 00 · Authentication: Bearer key, SHA-256 hashed

API keys

Every API key is scoped to one project. Keys are stored as a SHA-256 hash; we show the cleartext exactly once at creation. Lose it, rotate it. Pass the key as apiKey to the AI SDK's streamText and it rides the standard Authorization: Bearer header on every request.

FIG. 01 · Key lifecycle (schematic)
A key is generated, hashed with SHA-256, and stored once — the cleartext is shown to you a single time. On every request the bearer token is hashed and matched against the stored digest, with revocations propagating to the proxy edge in ~5 seconds via the negative cache.

Key prefix    Environment
mg_live_*     Production / live
mg_test_*     Sandbox (no upstream calls; rolls free)
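A minimal model of the verify path described in the lifecycle schematic above and in the cache-aware revocation default further down, written as an added example rather than the service's own code: the edge hashes the bearer token, looks up only the digest, and a revocation lands in a negative cache that overrides any cached acceptance. The key values, the in-memory store and the cache TTLs are constructed for this example.

```javascript
import { createHash } from "node:crypto"

// Digest a cleartext key the way the page says keys are stored: SHA-256 only.
const digestOf = (key) => createHash("sha256").update(key).digest("hex")

// Environment comes from the key prefix, never from a client-supplied field.
function environmentFor(key) {
  if (key.startsWith("mg_live_")) return "live"
  if (key.startsWith("mg_test_")) return "sandbox"
  return null
}

// Constructed origin store: digest -> record. Cleartext is hashed here and discarded.
const CONSTRUCTED_KEYS = ["mg_live_a1b2c3d4e5f6", "mg_test_0011223344aa"]
const origin = new Map(
  CONSTRUCTED_KEYS.map((k) => [digestOf(k), { project: "acme-prod", revoked: false }]),
)

// Edge caches with assumed TTLs: positive hits skip the origin lookup; the
// negative cache carries a revocation to the edge inside the ~5 s window.
const POSITIVE_TTL_MS = 60_000
const NEGATIVE_TTL_MS = 5_000
const positiveCache = new Map() // digest -> { project, expiresAt }
const negativeCache = new Map() // digest -> expiresAt

function revoke(key, now = Date.now()) {
  const d = digestOf(key)
  const rec = origin.get(d)
  if (rec) rec.revoked = true // durable state at the origin
  positiveCache.delete(d) // drop any cached acceptance at the edge
  negativeCache.set(d, now + NEGATIVE_TTL_MS) // and block it there right away
}

function authenticate(authorizationHeader, now = Date.now()) {
  const m = /^Bearer\s+(\S+)$/.exec(authorizationHeader ?? "")
  if (!m) return { ok: false, reason: "missing_bearer" }
  const key = m[1]
  const env = environmentFor(key)
  if (!env) return { ok: false, reason: "unknown_prefix" }
  const d = digestOf(key) // only the digest is compared or cached
  const blockedUntil = negativeCache.get(d)
  if (blockedUntil !== undefined && now < blockedUntil) return { ok: false, reason: "revoked" }
  const hit = positiveCache.get(d)
  if (hit && now < hit.expiresAt) return { ok: true, env, project: hit.project, source: "cache" }
  const rec = origin.get(d)
  if (!rec || rec.revoked) return { ok: false, reason: "invalid" }
  positiveCache.set(d, { project: rec.project, expiresAt: now + POSITIVE_TTL_MS })
  return { ok: true, env, project: rec.project, source: "origin" }
}
```

Once the negative-cache entry expires the origin's revoked flag still rejects the key, which is why a revocation never needs to be re-pushed.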

Create a key

In the dashboard: Keys → New API key → pick a project → name it → copy.

Rotate a key

Click Rotate on any key. We issue a new key, you update your env, then revoke the old one. Both keys are valid for ~5 seconds during the swap window.

Revoke a key

Click Revoke. The key stops working within ~5 seconds (cache-aware). Revoked keys never come back — issue a new one.

Passing the key

Standard Authorization: Bearer <key> header — identical to OpenAI / Anthropic SDKs. Point any compatible client at the right base URL:

OpenAI SDK:

import OpenAI from "openai"

const openai = new OpenAI({
  apiKey: process.env.MG_KEY,
  baseURL: "https://synapse.garden/api/v1",
})

Anthropic SDK:

import Anthropic from "@anthropic-ai/sdk"

const anthropic = new Anthropic({
  apiKey: process.env.MG_KEY,
  baseURL: "https://synapse.garden/api",
})

AI SDK:

import { generateText } from "ai"

const { text } = await generateText({
  model: "openai/gpt-5.4",
  baseURL: "https://synapse.garden/api/v1",
  apiKey: process.env.MG_KEY,
  prompt: "...",
})

Per-environment keys

Best practice: one key per (project, environment). A typical setup looks like this:

acme-prod-server      mg_live_a1b2…   (production VM)
acme-prod-edge        mg_live_c3d4…   (edge functions)
acme-staging          mg_live_e5f6…   (staging cluster)
acme-local-developer  mg_live_g7h8…   (per-developer; rotates monthly)

Never commit keys

If you accidentally push a key to a public repo, rotate it immediately and check the audit log (Dashboard → Audit) for unexpected use. We monitor public sources and auto-revoke leaked keys, but rotating yourself is faster.

OIDC (build / CI / local dev)

For Vercel deployments and CI, you can authenticate via the OIDC token instead of a long-lived API key:

import OpenAI from "openai"

const openai = new OpenAI({
  apiKey: process.env.VERCEL_OIDC_TOKEN, // 12-hour TTL, auto-rotated
  baseURL: "https://synapse.garden/api/v1",
})

OIDC tokens are auto-injected on Vercel deployments and refreshed every 12 hours. Use them when you don't want long-lived secrets in your env.

Audit trail

Every key action — created, rotated, revoked, used — lands in the audit log:

Field        Example
Action       api_key.created
Actor        ayush@synapse.garden
Target       mg_live_a1b2c3d4 (prefix only)
Timestamp    2026-05-10T15:42:00Z
IP           203.0.113.42
User-agent   curl/8.4.0

Visible at Dashboard → Audit log. Retention: 90 days (Pro+) or unlimited (Scale).

Security defaults

Hashed at rest

SHA-256, never reversible. Cleartext shown once, never stored.

Cache-aware revocation

Revoked keys propagate to the proxy edge in ~5 seconds via negative cache.

Per-IP signup throttle

Brute-force resistant. We throttle aggressively on /signup and /v1/* without a valid key.

Public-source monitoring

We scan public repos and gists for leaked keys and auto-revoke them within minutes.