Skip to content

Practical recommendations for securely issuing and managing tokens, roles, and service identities in Synqly. These complement the Security Model Overview and help reduce risk in day-to-day usage.


Protect the Organization token

The Organization token (available in Settings → API Keys) carries broad administrative authority. It should only be used for initial setup and controlled administrative operations — not for routine runtime workloads.

Never expose the Organization token at runtime
  • Do not use it in client-side applications
  • Do not commit it to source control
  • Do not embed it in configuration files used by runtime services

Store it in a secure secrets manager and use it only to create roles, service accounts, and scoped credentials.


Use the smallest required permission set

Always start with the most restrictive permission set that satisfies the use case. If additional access is required, expand scope incrementally rather than starting broad and cutting back.

Prefer composing narrow roles

Where multiple capabilities are needed, bind multiple narrow roles to the same member rather than creating a single broad role. This keeps each role auditable and reusable independently.


Match token lifetime to workload duration

Set token_ttl based on how long the workload actually needs access — not longer.

Workload typeRecommended TTL
One-shot migration or script"30m" or less
Nightly batch job"20h" or less
Long-running serviceUse a member identity instead

Short-lived credentials reduce exposure if leaked and limit the window of misuse. If the job runs again tomorrow, request a new token then.


Pin MCP tokens to a specific account in production

When issuing MCP tokens for production, always set account_id explicitly rather than relying on environment-level scoping alone.

account_id takes precedence over environment

Explicit account scoping ensures the agent operates within a single account boundary, regardless of environment. Omitting it allows the token to reach any account in that environment.


Restrict MCP tool visibility

When using MCP tokens with integration-usage scope, set restrict_to_connector_operations to limit which tools the MCP server advertises to the agent.

An agent can only invoke tools that are visible to it. Fewer visible tools means a smaller blast radius if the agent is misdirected or compromised.


Compose roles instead of creating broad roles

If a service requires multiple capabilities, build from narrow pieces:

Do this

Create one role per capability. Bind all required roles to the same service account.

Each role stays narrow, reusable, and independently auditable.

Avoid this

Creating a single role that combines all required permissions into one broad grant.

Broad roles are harder to audit and tend to accumulate excess access over time.


Audit role bindings regularly

A member's effective access is the union of all its role bindings — and those bindings do not expire automatically.

Review role assignments periodically and remove bindings that are no longer required. This ensures access stays aligned with current operational needs.

See Manage Members and Role Bindings for how to update and remove bindings.


Rotate credentials when secrets are lost or exposed

Synqly secrets are shown only once at creation time. If a credential is lost or suspected to be exposed:

  1. Create a new credential
  2. Update all dependent systems to use it
  3. Revoke or delete the old one

Treat rotation as a normal operational procedure, not an emergency response.


Rely on delegation to enforce security boundaries

Delegation enforces strict boundaries

A token can never create credentials with greater privileges than itself.

When issuing tokens, ensure the issuing credential is scoped to the minimum required access. Any token created from it will inherit and respect that boundary, even if the issuing service is later compromised.