Authentication

The BankSync API and MCP server support two authentication methods. Choose the one that fits your use case.

API Key Authentication

The recommended method for server-side integrations, scripts, and MCP clients. Pass your API key in the X-API-Key header with every request.

Request Header

X-API-Key: bsk_your_key_here

Creating an API Key

To create an API key, open the BankSync app, click your workspace menu, and select Developers. From there you can name your key, choose which permission scopes it should have, and create it.

Developer settings page showing empty API keys list — The Developer Settings dialog before any keys are created

Create API key dialog with name and scopes filled in — Fill in a name and select the permission scopes you need

API key revealed after creation — Copy your API key — you will not be able to see it again

Key Format

All BankSync API keys begin with the bsk_ prefix followed by 44 random characters. For example:

Example API Key

bsk_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9T0u1V2

Code Example

curl -X GET "https://api.banksync.io/v1/banks" \
  -H "X-API-Key: bsk_your_api_key_here" \
  -H "Content-Type: application/json"

Security Best Practices

Store API keys in environment variables, never in source code
Never commit API keys to version control
Rotate keys regularly and revoke any that may be compromised
Use the minimum scopes required for your use case

Bearer Token Authentication

For web app integrations where the user is already signed in to BankSync, you can use a session token as a bearer token. This method is primarily used by the BankSync web application itself.

Request Headers

Authorization: Bearer <session_token>
X-Workspace-ID: <workspace_id>

When using bearer token authentication, you must also include the X-Workspace-ID header to specify which workspace you are operating on.

When to Use

Bearer token auth is best for browser-based apps where the user is already signed in to BankSync. For server-side scripts, CLI tools, and MCP clients, use API key authentication instead.

Scopes & Permissions

API keys are scoped to specific permissions. When creating a key, select only the scopes you need.

Resource	Read Scope	Write Scope	Read Access	Write Access
Banks & Accounts	`banks:read`	`banks:write`	List/get banks, accounts	Connect/delete banks
Feeds	`feeds:read`	`feeds:write`	List/get feeds	Create/update/delete feeds
Jobs & Syncs	`jobs:read`	`jobs:write`	List/get jobs	Trigger syncs, cancel jobs
Workspaces	`workspaces:read`	`workspaces:write`	List workspaces, integrations	Delete integrations

Note: Write operations require both read AND write scopes. For example, creating a feed requires both feeds:read and feeds:write.

Note: API key management (creating and revoking keys) requires an authenticated session. API keys cannot self-manage — you must use the BankSync web app to create or revoke keys.