API Authentication

The BrikSync PropOS API supports a hybrid authentication model:
  • API keys — for programmatic integrations, external tools, and server-to-server workflows. Available on the BUSINESS plan.
  • Session tokens — Supabase JWT tokens used automatically by the BrikSync web application. You do not need to manage these directly.
All protected API endpoints accept a Bearer token in the Authorization header. For external integrations, use an API key.
API key access is available on the BUSINESS plan. If you are on the FREE or PRO plan, upgrade from Settings → Billing before generating API keys.
API access was previously available on the PRO plan. As of July 2026, new API key access requires the BUSINESS plan. Existing PRO plan integrations will continue during the transition period.

Generating an API Key

  1. Log in to briksync.com as an Admin or Super Admin.
  2. Go to Settings → API Access.
  3. Click Generate New API Key.
  4. Give the key a descriptive name — e.g. “CRM Integration” or “Accounting Sync”.
  5. Click Create Key.
  6. Copy the API key immediately and store it securely.
The full API key is only shown once at the time of creation. If you lose it, you will need to revoke it and generate a new one. Store your API key in a secrets manager or environment variable — never in source code or version control.

Making Authenticated Requests

Include your API key in the Authorization header of every request using the Bearer token scheme.

Request Header Format

Authorization: Bearer YOUR_API_KEY

Example Request

curl https://briksync.com/api/properties \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"
Replace YOUR_API_KEY with your actual API key.

Authentication Errors

If your API key is missing or invalid, the API returns an error in the standard envelope format:
{
  "data": null,
  "error": "Unauthorized"
}
If your API key is valid but your account does not have permission to perform the requested action:
{
  "data": null,
  "error": "Forbidden: requires admin role or higher"
}
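The following Python client is an added example, not BrikSync's own code: it reads the key from an environment variable, sends it as a Bearer token, and maps the two documented error strings to distinct exceptions so an integration can tell a bad key from a missing role. The variable name BRIKSYNC_API_KEY, the exception and function names, and the shape of a success envelope are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

API_URL = "https://briksync.com/api/properties"  # endpoint from the curl example
KEY_ENV_VAR = "BRIKSYNC_API_KEY"  # assumed name; BrikSync does not define one

class ApiError(Exception):
    """Any non-null "error" value in the response envelope."""

class AuthError(ApiError):
    """Key missing or invalid (the documented "Unauthorized" error)."""

class PermissionDenied(ApiError):
    """Key accepted, but the account lacks the required role."""

def load_api_key(env=os.environ):
    """Read the key from the environment; fail before sending anything."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise AuthError(f"{KEY_ENV_VAR} is not set")
    return key

def build_request(api_key, url=API_URL):
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    })

def unwrap(body):
    """Return envelope["data"], or raise based on the documented error strings."""
    envelope = json.loads(body)
    error = envelope.get("error")
    if error is None:  # assumption: success responses carry "error": null
        return envelope.get("data")
    if error == "Unauthorized":
        raise AuthError(error)
    if str(error).startswith("Forbidden"):
        raise PermissionDenied(error)
    raise ApiError(error)

def list_properties():
    req = build_request(load_api_key())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return unwrap(resp.read())
    except urllib.error.HTTPError as exc:
        # Assumption: 4xx responses still carry the JSON envelope.
        return unwrap(exc.read())
```

Catching AuthError separately from PermissionDenied lets the integration alert on a key that needs rotating without retrying requests that will never be authorized.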

Managing API Keys

From Settings → API Access you can:
  • View all API keys — see the name, creation date, and last used date for each key.
  • Rename a key — update the label for clarity.
  • Revoke a key — immediately invalidate a key. Any integration using a revoked key will stop working.

Revoking a Compromised Key

If you suspect an API key has been exposed or misused:
  1. Go to Settings → API Access.
  2. Click Revoke next to the compromised key.
  3. Generate a new key and update your integration.
Revocation is immediate. The compromised key will no longer work for any request.

Best Practices for API Key Security

  • Never hardcode API keys in your application source code.
  • Store keys in environment variables or a secrets management service (e.g. AWS Secrets Manager, HashiCorp Vault, Doppler).
  • Use separate keys for different integrations or environments — this makes it easier to rotate a key without affecting all integrations.
  • Rotate keys regularly — generate a new key and revoke the old one periodically as a security practice.
  • Monitor key usage — review the last used date in Settings → API Access to identify keys that are no longer in use and can be safely revoked.

IP Allowlisting

For additional security, you can restrict an API key to only accept requests from specific IP addresses.
  1. Go to Settings → API Access.
  2. Click the key you want to restrict.
  3. Click Add IP Restriction.
  4. Enter the allowed IP address or CIDR range (e.g. 203.0.113.0/24).
  5. Click Save.
Requests from any other IP will be rejected with a 401 error, even with a valid key.
If your integration runs from a fixed IP address (e.g. a server or cloud function with a static IP), enabling IP allowlisting significantly reduces the risk of key misuse if it is ever exposed.

Session-Based Authentication

The BrikSync web application authenticates users via Supabase sessions. When you log in through the browser, a JWT token is issued and managed automatically — you do not need to handle it manually. Session-based auth, or the non-API-key mechanism noted for the item, is used by:
  • The BrikSync dashboard and all browser-based workflows
  • OAuth and email verification callbacks (/api/auth/callback)
  • Cron endpoints (authenticated via CRON_SECRET, not user sessions)
  • Stripe webhooks (authenticated via Stripe signature verification, not user sessions)
If you are building an external integration, use an API key instead of session tokens. Session tokens are short-lived and intended for browser use only.

Next Steps

Now that you have authenticated, explore the available resources in the API Overview.
Built by Errsol Technologies LLP · Karan · BrikSync PropOS
Last modified on April 14, 2026