
When authenticating as a profile, the following methods may be available (depending on the endpoint you're trying to access):
- [Generating a JSON Web Token (JWT)](#jwt-authentication). For this you need a [profile API key](/docs/settings/tool/api).
- [Using the tracker key from the tracking script](#tracker-key-authentication).
- ~~Inserting an API key into the request headers.~~ This is a legacy method and should not be used in new integrations.



## JWT authentication

These methods of authentication generate a JWT, which is then added to the headers of API requests.


<div class="admonition admonition-warning"><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L4.082 16.5c-.77.833.192 2.5 1.732 2.5z" /></svg></div><div class="admonition-body"><div class="admonition-content">

- Keep the API keys secret. A leaked key must be deactivated **immediately**!
- When [creating the API key](/docs/settings/tool/api#adding-api-keys), you can use [allowlisting](/docs/settings/tool/api#allowlist) or [denylisting](/docs/settings/tool/api#denylist) to only allow the events you intend to use.

</div></div></div>


### Authenticating as a recognized customer

You can use the following endpoints to authenticate as a customer:
- [Registers an account (unless the account already exists) when logging in using Facebook, Google, Sign in with Apple, or OAuth](https://developers.synerise.com/IdentityandAccessManagement/IdentityandAccessManagement.html#operation/authenticateUsingPOST_v3)
- [Does not register an account](https://developers.synerise.com/IdentityandAccessManagement/IdentityandAccessManagement.html#operation/authenticateConditionalUsingPOSTv3)

Both endpoints accept the same payload.

If you use Synerise RaaS authentication, none of the endpoints above can be used to register an account. See [Customer registration](/developers/api/clients/registration).

#### Example: Synerise RaaS authentication
The example includes only the fields that are required.


<pre><code class="language-plaintext">curl --request POST \
  --url https://{SYNERISE_API_BASE_PATH}/sauth/v3/auth/login/client \
  --header 'content-type: application/json' \
  --data '{
      "apiKey": "1c586ac4-cb47-4c45-a7cf-e0fb74e8e5f4",
      "identityProvider": "SYNERISE",
      "password": "Pass1!",
      "uuid": "5f89a52f-e526-4c7d-a50c-3f5c744d3162"
  }'</code></pre>


The response is a JSON Web Token (JWT) that must be included in the `Authorization` header of further requests. By default, the token is valid for 60 minutes.

#### Example: Facebook authentication, no registration if account does not exist
The example includes only the fields that are required.


<pre><code class="language-plaintext">curl --request POST \
  --url https://{SYNERISE_API_BASE_PATH}/sauth/v3/auth/login/client/conditional \
  --header 'content-type: application/json' \
  --data '{
      "apiKey": "1c586ac4-cb47-4c45-a7cf-e0fb74e8e5f4",
      "identityProvider": "FACEBOOK",
      "identityProviderToken": "EAAfsMmaWLW0BAJZC3BWUZBi0izUcN9YntYLOZCtTkoPDrkcugIubbwrcXPPUPGKR6q4rdJdaK1sgNg4ARxVBQfUab8hafhPc2sXafL4wHVpS5mnEqrFTKbSHqj3ZBjX6HzMXXZA6qYnfNlzOQvjCEabjqgUdNQE6SrtPNQ7s7gZAOzFP3Ad1QB5vqxb276JM9yhBjVRp5SCdwZDZD"
  }'</code></pre>


The response is a JSON Web Token (JWT) that must be included in the `Authorization` header of further requests. By default, the token is valid for 60 minutes.

### Authenticating as an anonymous customer

You can find the method under the ["Authenticate Anonymously" section in the API reference](https://developers.synerise.com/IdentityandAccessManagement/IdentityandAccessManagement.html#operation/LogInAnonymouslyV3).  
You can generate a JWT for a customer who does not have an account.


<pre><code class="language-plaintext">curl --request POST \
  --url https://{SYNERISE_API_BASE_PATH}/sauth/v3/auth/login/client/anonymous \
  --header 'content-type: application/json' \
  --data '{
    "apiKey":"1c586ac4-cb47-4c45-a7cf-e0fb74e8e5f4",
    "deviceId":"b8af0626-d5cf-44d6-b12a-ec72f946db6f",
    "uuid":"07243772-008a-42e1-ba37-c3807cebde8f"
  }'</code></pre>


The response is a JSON Web Token (JWT) that must be included in the `Authorization` header of further requests. By default, the token is valid for 60 minutes.

### Refreshing JWT

You can find the method under the ["Refresh a Profile token" section in the API reference](https://developers.synerise.com/IdentityandAccessManagement/IdentityandAccessManagement.html#operation/RefreshAClientTokenV3).

When the token is about to expire, you can obtain a new one without logging in again. This is not possible if the token has already expired.


<pre><code class="language-plaintext">curl --request POST \
  --url https://{SYNERISE_API_BASE_PATH}/sauth/v3/auth/refresh/client \
  --header 'Authorization: Bearer _YOUR_JWT_TOKEN_' \
  --header 'content-type: application/json' \
  --data '{
    "apiKey":"1c586ac4-cb47-4c45-a7cf-e0fb74e8e5f4"
  }'</code></pre>


The response is a new token.
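
Because an expired token cannot be refreshed, a client has to decide before each call whether to use the token, refresh it, or log in again. The following is an added example, not code from the Synerise documentation: it assumes the JWT carries the standard `exp` claim (RFC 7519) and uses a hypothetical 5-minute refresh margin; the helper names and the sample token are constructed for illustration.

```python
import base64
import json
import time
from typing import Optional

REFRESH_MARGIN_S = 300  # assumption: refresh during the last 5 minutes of validity


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Good enough for scheduling a refresh; never use unverified claims
    for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def next_action(token: str, now: Optional[float] = None,
                margin: int = REFRESH_MARGIN_S) -> str:
    """Return 'use', 'refresh' or 'login' for a profile JWT."""
    now = time.time() if now is None else now
    try:
        exp = jwt_claims(token)["exp"]
    except (ValueError, KeyError, TypeError):
        return "login"      # malformed token or no expiry: start over
    if not isinstance(exp, (int, float)):
        return "login"
    if now >= exp:
        return "login"      # expired tokens cannot be refreshed
    if exp - now <= margin:
        return "refresh"    # call /sauth/v3/auth/refresh/client now
    return "use"


def constructed_token(exp: int) -> str:
    """Build a sample token with a placeholder signature (constructed data)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'exp': exp})}.placeholder"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock for a reproducible demo
    for ttl in (3600, 120, -1):
        print(ttl, next_action(constructed_token(t0 + ttl), now=t0))
```
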

## Tracker key authentication

This method is available for some endpoints that relate to the AI engine, such as search and recommendation endpoints.

The tracker key is the same as in the [tracking code](/developers/web/installation-and-configuration#creating-a-tracking-code) of your website and is included in the `token` query parameter of a request. If needed, you can generate a new tracking code to have a separate authentication key for API requests made by your website.

Example:


<pre><code class="language-plaintext">curl --location 'https://api.synerise.com/recommendations/v2/recommend/campaigns/DkhvrZoTKthD?token=98A5FC55-0000-0000-0000-98339BDECAE6&amp;clientUUID=cf9e9b57-7776-51bc-b7bc-75cc75abdf59'
                                                                                              &lt;-------------- tracker key -------------&gt;</code></pre>


where:
- `DkhvrZoTKthD` is an example campaign ID.  
- `98A5FC55-0000-0000-0000-98339BDECAE6` is an example tracker key.
- `cf9e9b57-7776-51bc-b7bc-75cc75abdf59` is an example profile UUID.

Example endpoint: [GET personalized recommendations](https://developers.synerise.com/AIRecommendations/AIRecommendations.html#tag/Recommendations/operation/RecommendForUserV2)




