Authentication

For Developers

The KynectLocal API authenticates requests using an API key passed as a request header. Every request must include a valid key — requests without one are rejected with a 401 response.

  • Getting your first API key to start building an integration
  • Rotating or replacing an existing API key
  • Troubleshooting 401 Unauthorized responses

API keys are self-serve. A brand admin on the Authority plan can issue a key from the KynectLocal admin:

  1. Log in to the admin at app.kynectlocal.com
  2. Go to Integrations → API Keys tab
  3. Click Create API Key
  4. Give the key a name (e.g., Acme Agency Integration), set an optional expiry, and choose a location scope
  5. Copy the key shown at the end of the creation flow — this is the only time it is shown in full

Include your API key in the X-API-Key header on every request:

GET /v1/locations HTTP/1.1
Host: api.kynectlocal.com
X-API-Key: kl_live_your_api_key_here

There is no Bearer token format, no OAuth flow, and no session cookie. The X-API-Key header is the only supported authentication method in v1.


All API keys follow this format:

kl_live_<32 random characters>

The kl_live_ prefix identifies the key as a live (production) credential. Keys do not expire on a fixed schedule unless the brand admin set an expiry date at creation time. They can be rotated or revoked at any time from the API Keys tab.


Keep your API key in an environment variable, not hardcoded in your application:

.env
KYNECT_API_KEY=kl_live_your_api_key_here

Then reference it in code:

const apiKey = process.env.KYNECT_API_KEY;

If a key may have been exposed, rotate it rather than deleting it:

  1. Go to Integrations → API Keys in the admin
  2. Click next to the key → Rotate
  3. Confirm and copy the new key
  4. Update your integration before closing the modal — the old key stops working immediately

To permanently retire a key (for example, when ending an agency relationship):

  1. Go to Integrations → API Keys
  2. Click Revoke
  3. Confirm — the key is rejected on the next request, with no grace period

| Scenario | Response |
| --- | --- |
| No X-API-Key header | 401 Unauthorized |
| Invalid or revoked key | 401 Unauthorized |
| Expired key | 401 Unauthorized |
| Key lacks access to the requested brand | 403 Forbidden |
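
The following Node.js wrapper is an added example, not KynectLocal's own code: it loads the key from the environment, checks it against the documented format before any request is sent, sends it in the X-API-Key header, and maps the 401 and 403 responses listed above to an action without ever logging the full key. The function names are hypothetical, and because the page does not state the key's character set, only the prefix and length are checked.

```javascript
// Added example (not KynectLocal's own code). Function names are hypothetical.
// Key format per this page: "kl_live_" followed by 32 characters. The character
// set is not documented, so only prefix and length are validated (assumption).
const KEY_PREFIX = "kl_live_";
const KEY_BODY_LENGTH = 32;

// Read the key from the environment and fail fast on an obviously wrong value,
// e.g. a placeholder, a truncated paste, or a value with stray whitespace.
function loadApiKey(env = process.env) {
  const key = (env.KYNECT_API_KEY || "").trim();
  if (!key) throw new Error("KYNECT_API_KEY is not set");
  if (!key.startsWith(KEY_PREFIX) ||
      key.length !== KEY_PREFIX.length + KEY_BODY_LENGTH) {
    throw new Error("KYNECT_API_KEY does not match kl_live_<32 characters>");
  }
  return key;
}

// Safe form for logs and error messages: prefix plus the last 4 characters.
function redactKey(key) {
  return `${KEY_PREFIX}...${key.slice(-4)}`;
}

// Map the authentication statuses from the table above to an operator action.
function explainAuthStatus(status) {
  if (status === 401) return "key missing, invalid, revoked or expired: check KYNECT_API_KEY or rotate";
  if (status === 403) return "key is valid but lacks access to the requested brand";
  return null; // not an authentication problem
}

// GET a path with the X-API-Key header. fetchImpl is injectable for testing.
async function apiGet(path, { env = process.env, fetchImpl = fetch } = {}) {
  const key = loadApiKey(env);
  const res = await fetchImpl(`https://api.kynectlocal.com${path}`, {
    headers: { "X-API-Key": key },
  });
  const problem = explainAuthStatus(res.status);
  if (problem) {
    // The error carries only the redacted key, so it is safe to log.
    throw new Error(`${res.status} from ${path} using ${redactKey(key)}: ${problem}`);
  }
  return res;
}
```

Because the old key stops working immediately on rotation, a 401 from a previously working integration is the signal to reload KYNECT_API_KEY from the environment rather than retry with the cached value.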

  • Rate Limits — request quotas and how to handle 429 responses
  • Errors — full error envelope reference
  • API Key Security — rotation cadence, incident response, best practices
  • Code Samples — working request examples using X-API-Key