Authentication

Generate a Connect Token and authenticate API requests. Synapse Layer uses OAuth 2.0 + PKCE for the Forge dashboard and simple token-based auth for the REST API and SDKs.

Connect Tokens

Connect Tokens are the primary authentication method for the REST API, Python SDK, TypeScript SDK, and MCP server. They follow the format sk_connect_*.

Each token is scoped to a user and provides access to that user's memories with full tenant isolation. Tokens are SHA-256 hashed before storage — the plaintext is shown only once at generation time.

Generate a Token

Via Dashboard

Navigate to /dashboard/connect and click Generate Token. Copy the token immediately — it won't be shown again.

Via API

Programmatic token generation is available via the token endpoint:

bash
curl -X POST https://forge.synapselayer.org/api/v1/token/generate \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <session_token>" \
  -d '{ "label": "my-agent-token" }'

Warning

Tokens are hashed with SHA-256 before storage. If you lose a token, you must generate a new one. There is no way to recover a lost token.

Using Tokens

Two methods are supported for passing Connect Tokens:

Method 1: x-connect-token header (preferred)

bash
curl -H "x-connect-token: sk_connect_YOUR_KEY" ...

Method 2: Authorization Bearer

bash
curl -H "Authorization: Bearer sk_connect_YOUR_KEY" ...

Python SDK

python
from synapse_layer import Synapse

# Option 1: Pass token directly
client = Synapse(api_key="sk_connect_YOUR_KEY")

# Option 2: Read from environment variable
# export SYNAPSE_TOKEN="sk_connect_YOUR_KEY"
client = Synapse()  # reads SYNAPSE_TOKEN from env

TypeScript SDK

typescript
import { SynapseClient } from 'synapse-layer';

const client = new SynapseClient({
  apiKey: process.env.SYNAPSE_API_KEY!,
});

OAuth 2.0 + PKCE

The Forge dashboard uses OAuth 2.0 + PKCE (S256) for user authentication. This is handled automatically when users sign in via Google OAuth. External agents connect via Connect Tokens, not OAuth.

Note

The OAuth flow is designed for the Forge web interface. For programmatic access (scripts, agents, CI/CD), use Connect Tokens instead.

Token Scoping

Every Connect Token is scoped to a single user (tenant). Memories stored with one token are isolated from other users' data. Cross-agent memory sharing works within the same tenant — different agents owned by the same user can access each other's memories.

ScopeAccess
User (tenant)All memories belonging to the token owner
AgentNamespace within a tenant — filter by agent_id on recall
Cross-agentAll agents within the same tenant can recall each other's memories