Week in review
This week ships a hybrid authentication model for the API, giving you clearer guidance on how external integrations and browser-based sessions are handled.New features
-
Hybrid API authentication — The API now formally supports two authentication methods: API keys for programmatic integrations (available on the BUSINESS plan) and session tokens used automatically by the BrikSync web application. This makes it easier to understand which method to use depending on your workflow. Learn more
-
IP allowlisting for API keys — You can now restrict an API key to only accept requests from specific IP addresses or CIDR ranges. Requests from any other IP are rejected, adding an extra layer of security for server-to-server integrations. Learn more
Updates
-
Session-based authentication documentation — The authentication guide now includes a dedicated section explaining how browser-based sessions work, including OAuth callbacks, cron endpoints, and Stripe webhooks. If you’re building an external integration, the docs now make it clear to use API keys instead of session tokens. Learn more
-
Improved API security guidance — The API authentication page now includes best practices for key storage, rotation, and monitoring — including recommendations for secrets managers, environment variables, and regular key audits. Learn more
Last modified on April 16, 2026