RiskScore API

Authentication and limits

Secret keys, rate limits, monthly quotas, and optional IP allowlists.

Every RiskScore request must authenticate with a valid API key tied to your subscription plan. Syndaq enforces per-minute rate limits and monthly quotas on all authenticated routes.

API keys

When you subscribe to RiskScore, Syndaq provisions a key pair on your service:

KeyPrefixWhere to use it
Public keyrs_pub_Optional on /v1/riskscore/status only
Secret keyrs_sec_Required for /v1/riskscore/lookup and recommended for production

Lookup endpoints require your secret key. The public key can check plan status but cannot perform lookups.

Copy keys from Services in the client area. Open your RiskScore service, then use Manage to reveal or rotate the secret.

Sending credentials

Pass the secret in the Authorization header:

Authorization: Bearer rs_sec_YOUR_SECRET_KEY

Syndaq also accepts the secret in a secret or secret_key field for compatibility, but the Bearer header is the recommended approach.

Rate limits

Each plan defines a maximum number of requests per minute per key. When you approach the limit, responses include:

HeaderMeaning
X-RateLimit-LimitAllowed requests per minute
X-RateLimit-RemainingRequests left in the current window
X-RateLimit-ResetUnix timestamp when the window resets

If you exceed the limit, the API returns HTTP 429 with error code rate_limit_exceeded and a Retry-After header when applicable.

Monthly quota

Plans may include a monthly lookup quota shared across your RiskScore service. Quota counters reset on the first day of each UTC calendar month.

HeaderMeaning
X-Quota-LimitTotal lookups allowed this month
X-Quota-RemainingLookups left this month
X-Quota-PeriodCurrent quota month (YYYY-MM)

When quota is exhausted, the API returns HTTP 429 with error code quota_exceeded.

Call GET /v1/riskscore/status to read limits and remaining quota without performing a lookup.

IP allowlists (optional)

You can restrict which server IPs may use your secret key. This is configured per key in the client area under IP restrictions.

When IP restrictions are disabled (the default), requests are accepted from any caller IP that presents a valid key.

When IP restrictions are enabled, every request must originate from an address on the allowlist. Otherwise the API returns HTTP 403 with error code ip_not_allowed.

Supported formats:

FormatExample
Single IPv4203.0.113.10
IPv4 CIDR198.51.100.0/24
Single IPv62001:db8::1
IPv6 CIDR2001:db8::/32

Add your application server's outbound IP before enabling restrictions in production.

Key status

Keys can be active, suspended, or revoked. Only active keys authenticate successfully. Suspended or revoked keys return HTTP 401 with error code invalid_api_key.

Rotate a compromised secret from the client area. The previous secret stops working immediately after rotation.

Support correlation

Every response may include X-Request-Id and a request_id field in the JSON body. Include this ID when contacting Syndaq support about a specific request.