What you’ll receive
On approval, two credentials unique to your app:x-api-key
Identifies your partner application at the API gateway, and serves as your OAuth client ID. Looks like
dk_live_…x-api-secret
Authenticates your application — on every API call and as your OAuth client secret. Treat as a password. Looks like
ds_…There is no separate OAuth client. Your
x-api-key / x-api-secret are your OAuth client ID and secret (used with HTTP Basic auth at the token endpoint). See Authentication.How to apply
Open the Integrations Portal
Go to the Integrations Portal and sign in with your Daysync account (sign up at app.daysync.com if you don’t have one), then start a new application.
Fill out the application
You’ll provide:
- Company name
- Website
- Application name (shown to users on the consent screen)
- Contact email for the developer who will integrate
- Use case — what you’re building and why
- Scopes you need from the Scopes & Permissions list
- Redirect URIs — your OAuth callback URL(s); see Callback URLs
Daysync reviews
Your application goes to a review queue. Once approved, your app is provisioned and your
x-api-key and x-api-secret are shown once — store them immediately in your secret manager. They’re stored only as a bcrypt hash and can’t be recovered, only rotated.Run the quickstart
Follow the Quickstart to make your first authenticated API call within ~15 minutes of approval.
Changing things after approval
Most changes are self-service on your app page in the portal:- Redirect URIs — add or remove callback URLs yourself; changes take effect immediately (see Callback URLs).
- Additional scopes — request more scopes from your app page; the request goes to a Daysync reviewer.
- Rotating your
x-api-secret— rotate from your app page (suspected compromise, employee departure, scheduled hygiene). Rotation supports an overlap window so you can roll the secret without downtime.
Scope expansion doesn’t invalidate existing tokens, but your users may need to re-consent to the new scopes before their tokens carry them.
Notes
Do I get a separate OAuth client ID/secret?
Do I get a separate OAuth client ID/secret?
No. Your
x-api-key / x-api-secret are your OAuth client credentials — there’s no shared client and no separate Cognito registration. See Authentication.Sandbox environment access
Sandbox environment access
Daysync currently operates a single production environment. Use
is_demo: true on tours you create for testing — see Environments.A test Daysync user account
A test Daysync user account
You’ll need a real Daysync user to test the OAuth flow. Sign up at app.daysync.com or use an existing test account on your team.
support@daysync.com.
