DreamSync

Authentication

Every call to the DreamSync API must carry a valid guild-scoped API key in the Authorization header.

Key format

Live keys use the format ds_live_ followed by a 32-byte random string. Staging uses ds_test_. Keys are case-sensitive. DreamSync stores only an SHA-256 hash of the key and a short prefix for display.

Header

Authorization: Bearer ds_live_…

Scopes

Scopes are declared per key. The dashboard filters offered scopes by your server's current plan. A request that requires a scope the key doesn't have is rejected with 403 forbidden.

  • link:read: read Discord↔Roblox links for guild members (Free)
  • link:read:global: cross-guild link lookup (Developer)
  • update:write: run the shared update engine (Free)
  • bans:read / bans:write: Roblox ban lifecycle (Pro)
  • roles:check: role membership checks (Developer)

Revocation

Revoke a key from the dashboard at any time. A revoked key begins returning 401 revoked within seconds. A key can also revoke itself with DELETE /api/v1/api-key.

Guild scope

Keys are scoped to a single Discord server. Attempting to call endpoints for a different guild returns 403 forbidden. To operate across multiple servers, generate one key per server.

Retention

DreamSync is not a link mirror. Data returned by the API must not be retained for more than 30 days unless the underlying user has re-verified within that window. Keys that exhibit scraping patterns are subject to manual review and revocation.