SYNK

Authentication

There are no API keys. Every request needs a User-Agent header containing a contact email. That is the entirety of the auth model.

Header format

User-Agent: [email protected]

The value just has to contain an email-shaped string. You can include a product name alongside it; the parser will pick the address out:

User-Agent: MyApp/1.0 ([email protected])

What gets rejected

  • A missing User-Agent header. Returns 401.
  • A User-Agent with no email-shaped substring. Returns 401.
  • Common bot strings like python-requests/2.x with no email attached. Returns 401.

Browsers cannot set User-Agent

The fetch API in browsers ignores User-Agent for security reasons, so the API will reject requests made directly from a browser. Proxy them through your own backend.
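One way to build the backend relay described above, as an added example that is not the API's own code: it replaces the browser's User-Agent with a fixed contact string and refuses any path that would resolve to a different host. `API_BASE`, `CONTACT_UA`, the function names and the `EMAIL_SHAPED` regex are assumptions made for illustration; the service's actual parser is not documented here.

```javascript
// Added example: relay logic for a backend that fronts the API for browsers.
// API_BASE and CONTACT_UA are placeholders, not values from the documentation.
const API_BASE = "https://api.example.invalid";
const CONTACT_UA = "MyApp/1.0 (ops@example.com)";

// Assumption: the service's parser is not documented, so this regex is only a
// local pre-check for "contains an email-shaped substring".
const EMAIL_SHAPED = /[^\s@()<>]+@[^\s@()<>]+\.[^\s@()<>]+/;

function hasContactEmail(ua) {
  return typeof ua === "string" && EMAIL_SHAPED.test(ua);
}

// Turn a path requested by the browser into the upstream request.
// Returns null when the path must not be relayed.
function buildUpstreamRequest(path, browserHeaders = {}) {
  if (!hasContactEmail(CONTACT_UA)) {
    throw new Error("CONTACT_UA must contain a contact email");
  }
  if (typeof path !== "string" || !path.startsWith("/")) return null;
  // Resolve, then compare origins: "//host" and "/\host" both parse as a
  // different host, which would turn the relay into an open proxy.
  let url;
  try { url = new URL(path, API_BASE); } catch { return null; }
  if (url.origin !== new URL(API_BASE).origin) return null;
  // The browser's own User-Agent is dropped; only ours goes upstream.
  return {
    url: url.href,
    headers: {
      "User-Agent": CONTACT_UA,
      Accept: browserHeaders["accept"] || "application/json",
    },
  };
}

// Performs the upstream call (Node 18+ global fetch); wire this into
// whatever HTTP framework the backend uses.
async function relay(path, browserHeaders) {
  const req = buildUpstreamRequest(path, browserHeaders);
  if (!req) return { status: 400, body: "path not allowed" };
  const res = await fetch(req.url, { headers: req.headers });
  return { status: res.status, body: await res.text() };
}
```

Running the `hasContactEmail` check at startup catches a misconfigured contact string before the first upstream 401.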

CORS

CORS is open on every route, so server-to-server requests from any origin work. Browser requests still fail because of the User-Agent restriction above.

Doc routes

A small set of documentation routes (/, /info/*, /openapi.json, /cover and similar) are exempt from the User-Agent check so that this site and machine-readable specs can be fetched without one.