Start here

Authentication

Every request to the Bynli App is authenticated with a bearer token. There are two kinds, and you pick the one that matches what you're trying to do.

Types of keys

Key typeGet it atGood for
Developer key
bapi_pk_…		 /dash/developers Reading public data, submitting resources for review. No team required.
Team key
bapi_tk_…		 /dash/integrations/api-tokens Managing your organization's own directory, receiving webhooks for your team, running embed widgets.

Sending the key

Put the key in the Authorization header using the Bearer scheme:

RequestHTTP
GET /dash/api/v1/resources HTTP/1.1
Host: bynli.com
Authorization: Bearer bapi_pk_1a2b3c…

That's it — no signing, no query string, no separate refresh tokens.

What each key can do

Every key has a list of scopes that describe what it can access. Developer keys are limited to public scopes (read public data and submit proposals). Team keys can hold additional scopes that their organization has enabled, such as directory management.

If you call an endpoint your key isn't scoped for, you'll get a 403 back with a short hint telling you which scope is missing — nothing more.

Errors

StatusWhen
401Missing, malformed, or unknown token.
403Token is valid but missing the scope the endpoint requires.
429Too many requests in a short window — slow down and retry.

If a key is exposed

  1. Go back to the page where you created it.
  2. Click Revoke on the affected row.
  3. Create a new key and update the integration that used it.

Revoked keys stop working immediately.

Heads-up. Repeatedly sending an invalid token can temporarily pause further attempts from your network. This protects accounts from brute-force guessing. If it happens to you, wait a bit and try again with a valid key.